OpenBSD 4.8 Released

Mortimer.CA writes "The release of OpenBSD 4.8 has been announced. Highlights include ACPI suspend/resume, better hardware support, OpenBGPD/OpenOSPFD/routing daemon improvements, inclusion of OpenSSH 5.5, etc. Nothing revolutionary, just the usual steady improving of the system. A detailed ChangeLog is available, as usual. Work, of course, has already started on the next release, which should be ready in May, according to the steady six-month release cycle."

Awesome.

[cinderellamanson]

Kickass.

fdisk

[tenco]

Does their installation fdisk still suck?

Re:

[cinderellamanson]

lol, how's that?

Re:

[cinderellamanson]

lol, how's that?

lol, how's that?

your a fuckhead

lol, how's that?

lol, how's that?

your a fuckhead

I thought it was funny, unny, ny.

Re:fdisk

[ashkar]

Their targeted users have no problem with the installation. If you aren't comfortable with the installation tools, you probably wouldn't be comfortable with OpenBSD. A pretty installation method is looking for a solution to a problem that doesn't exist.

Re:

[Narcocide]

Oh, the problem exists, I can assure you of that. The problem however lies between the keyboard and the chair.

Re:fdisk

[contra_mundi]

Oh, the problem exists, I can assure you of that. The problem however lies between the keyboard and the chair.

That's not a very ergonomic position to use a computer in.

Re:

[cinderellamanson]

I'm not exactly sure if I'm offended by this or not.

contribute code

[sparetiredesire]

It is good to call attention to features that need work.

It is better to contribute code towards the solution.

Re:

[kestasjk]

I think having to mess around with cylinders and whatnot is a bit silly these days, when we have "disks" which don't have anything resembling cylinders internally starting to become mainstream. It's a bit dated to say the least

You can say "the targeted users have no problem with it", and that's fine, but that pool of targeted users is bound to shrink over time (again that's fine, but many would see that as a bad thing, worth some compromises to avoid)

Re:

[jimicus]

Disks always did have cylinders, it's just that they don't mean cylinder in the sense of "a whole bunch of toilet roll tubes taped together".

Having said that, it hasn't been necessary to describe disks in C/H/S parlance in years.

Re:

[Alioth]

I've been using OpenBSD since 3.3, and I don't think I've ever specified anything in cylinders when setting up. The BSD disk label tool accepts arguments in size, example 20M, 20G, 20T etc.

Re:

[TheRaven64]

I haven't installed OpenBSD since around 3.8 (I've just done in-place updates since then), but you didn't have to specify C/H/S values for partition sizes. Values like 512M and 4.5G worked just fine.

Re:

[kestasjk]

You're saying the OpenBSD team shouldn't alter fdisk because dealing in hard disk cylinders is "learning something new"?

Re:

[RichiH]

I had no problems installing Debian potato. Still, I prefer today's installer. Your point being?

Re:

[MikeBabcock]

I am a targetted OpenBSD user. I create Linux-based firewall router boxes regularly for clients. I would love to use OpenBSD instead but the installation process is too complex to wrap up easily for a customer. I can have a customer pop in a Linux CD remotely and VNC-install it from my desk for them over a VPN link.

Good installers are not a bad thing.

Re:

[rastilin]

Is that because people who find it a problem end up using something else?

Re:

[TheRaven64]

Users don't matter to an open source project. It's not like an off-the-shelf product where users means paying users, which means people who are contributing money. An open source project needs contributors. They don't have to be contributing code, they can be contributing money, hardware, documentation, or even (detailed) bug reports. These people are useful - they provide something of value to a project.

People who are just users are irrelevant. They get something for free, and that's a nice side ef

Re:fdisk

[Anonymous Coward]

I've only installed OpenBSD twice, both successfully, but their fdsik version was very nice.

Different from Microsoft and Linux fdisk programs? Yes! Because you're not running/installing neither Windows nor Linux. Neither of these are identical systems.

The OpenBSD fdisk is quite possibly better, and without a doubt far better documented, and not just in the excellent up to date man pages but also in official faq's and installation procedures available on the OpenBSD webpages. Stuff one should read.

Who would read/read on Microsoft information when installing Linux?
Who would read/rely on Solaris information when installing Windows?
Who would read/rely on Linux information when installing OpenBSD?

If you're having trouble with OpenBSD fdisk or more likely OpenBSD installation peculiarities and requirements that other operating systems either don't have or gloss over then I would recommend reading the OpenBSD documentation, it's all there, yes the issues that can trap someone entirely new too, usually even emphasized.

A Windows poweruser or superuser can be and often is a total newbie on Linux.
A Linux poweruser or superuser can be and often is a total newbie on OpenBSD.

Don't assume different things to be the same.

Re:

[tenco]

I just think it's ridicolous that I have to compute partition/disklabel sizes in sectors myself while sitting at a computer. I own a computer because it can compute for me not because I want to compute for it.

Re:fdisk

[Ex Machina]

IIRC you can suffix a quantity with M or G to specify size in megabytes or gigabytes.

Re:

[Just Some Guy]

Are those decimal (1,000,000) or binary (1,048,576) megabytes?

The real kind [openbsd.org] that computers use.

Re:

[Nimey]

THIS. A thousand times this. Linux cfdisk from 1999 was friendlier than that, without holding your hand overmuch.

Re:

[cinderellamanson]

In 4.6 you can autopartition the disk. I'm not sure about before that.

Try htttp://www.openbsd101.com/ [htttp]

Re:

[contra_mundi]

In 4.6 you can autopartition the disk. I'm not sure about before that.

Try htttp://www.openbsd101.com/ [htttp]

Is that the bleeding-edge Hyper Turbo Text Transfer Protocol?

Re:

[cinderellamanson]

indeed. that's just how badass openbsd is. you guys don't even get to see the htttps protocol in action for another 5 years.

Re:

[Anonymous Coward]

because it only works with IPV16

Re:

[the_brobdingnagian]

The OpenBSD installer can auto-partition your disk for you. No calculations needed if you don't want to.

Re:

[101percent]

You don't. I've had my 4.8 CD set for a week now. It auto-partitioned everything fully utilizing my entire disk space, / /home /tmp /var /usr and various /usr/*

Re:

[kiddygrinder]

i'd disagree that there's no reason why we can't have a system that's truly open, secure and easy to use because people can't even agree what those words mean.

Re:

[Noryungi]

Nice Troll. I'll bite.

Nor does an OpenBSD user excel on either Linux or Windows - they are three different worlds. You do not state, but imply, that someone that knows BSD knows those other systems. You either do so through intention (dishonesty) or through lack of thinking your argument out (ignorance), either one isn't particularly good.

I have three Linux machines (Slackware/Ubuntu) and one OpenBSD machine at home, all of them work very well. I also have two additional Windows machines at home, and I use one at work (sigh). I know all three systems pretty well. What's your point?

And, just to add an important precision: I administer Linux (Red Hat/SuSE), Solaris, AIX and HPUX machines at work. I know all of these systems pretty well.

The problem that the *BSD versions have for large acceptance is why? The big draw of it - security from the ground up - isn't really useful in most places.

Go ahead and tell that to the security engineers that audit the servers on a regular ba

Re:

[icebraining]

Throwing the whole DMZ concept away. Firewalls should be protected from both the Internet as well as the servers, so they can protect your LAN even if the servers get hacked.

Re:

[badger.foo]

There's a series of pictures at http://bsdly.blogspot.com/2010/01/goodness-of-men-and-machinery.html [blogspot.com] that tell you what the installer looked like in January. IIRC no huge changes have happened to it since then. But do try 4.8 or a recent snapshot (they come with installNN.iso files these days)

Don't forget the Release Song!

[Anonymous Coward]

Someone forgot the infamous song release for 4.8 to be included in article details: El Puffiachi [openbsd.org]

song

[buchner.johannes]

The release song [openbsd.org] doesn't even have lyrics :-(
How good can the release be then, I ask!

Re:

[the_humeister]

The release song [openbsd.org] doesn't even have lyrics :-(
How good can the release be then, I ask!

Better than Kenny G, but a little worse than anti-lock brakes.

How are upgrades handled?

[Anonymous Coward]

I'm curious. Having never used a BSD-based system, how are upgrades managed? I understand that instead of installing packages, one uses ports. My impression of that is that you run a file in a ports directory and it compiles the software and installs it. Correct me if I'm wrong.

But how does one upgrade from, say, OpenBSD 4.7 to 4.8? Is there a script that is run that downloads and installs the appropriate files, or do you have to backup and install the new version on your system?

Re:How are upgrades handled?

[the_brobdingnagian]

I'm curious. Having never used a BSD-based system, how are upgrades managed? I understand that instead of installing packages, one uses ports. My impression of that is that you run a file in a ports directory and it compiles the software and installs it. Correct me if I'm wrong.

Ports are meant for building packages. Users should only use packages normally. You can update your packages after you upgraded your base system with "pkg_add -ui -D update -D updatedepends"

But how does one upgrade from, say, OpenBSD 4.7 to 4.8?

OpenBSD has excellent docs and FAQ's: http://openbsd.org/faq/upgrade48.html [openbsd.org]

Re:

[resfilter]

ports are just a way to build packages for 3rd party (i.e. not in the base system) software.

unlike a lot of operating systems, openbsd includes apache, bind, and other common network servers in the base install.

there's no automated upgrade procedure that works well for the openbsd base system at all; but there's a manual procedure, which is well documented, for upgrading between major versions

as someone has tried to upgrade many major linux distributions in various environments, i can tell you that

Re:

[Noryungi]

Upgrade to OpenBSD 4.7 to 4.8 is as simple as booting the machine on the CD, and selecting (U)pgrade instead of (I)nstall.

Make sure you make a backup of your /etc/ directory beforehand and you are good to go. The upgrade process should keep your configuration intact, but it never hurts to be a bit cautious.

I'll note that i have been upgrading the same machine from OpenBSD 3.9 all the way to 4.8 without major problems.

Unless you have a very good reason to, do not use ports: use (pre-compiled) packages. Upgra

Re:

[badger.foo]

Make sure you make a backup of your /etc/ directory beforehand and you are good to go. The upgrade process should keep your configuration intact, but it never hurts to be a bit cautious.

For /etc upgrades, there's sysmerge.

In fact, you can run sysmerge -x xetcNN.tgz -s etcNN.tgz and answer the friendly prompts before booting into the installer for the upgrade. Then after you've done the base system upgrade, set your PKG_PATH to something sensible and run pkg_add -u to upgrade your packages. Time needed is mainly a function of how good your connectivity to the packages mirror is.

Re:

[dhickman]

It's a pain in the ass is what it is. Actually for all BSD systems it is. Recompiling everything that is upgraded etc, uses lots of unnecessary disk space and CPU. Makes it all but impossible to do on low-end systems (basically you have to compile on another machine and then transfer crap over, PITA).

Yes, it is a pain, but honestly, unless you are one of my friends ( one of the openbsd guys,) who maintains a working example of every machine that can run openbsd, why would you install the new version, instead of just keeping your working version patched?

I run openbsd on firewalls/vpns/etc. The only time I ever put a new os on them is when I am replacing them.

One of the best things about openbsd is that it is simple to install, simple to configure, and simple to maintain a production level system

Re:

[Just Some Guy]

why would you install the new version, instead of just keeping your working version patched?

I have two main reasons:

1. The new versions do new, cool stuff. That's why they released a new version, after all. For example, pf.conf is more pleasant to work with each time, to the point that it's been worth the 10 minutes of downtime to upgrade just for that one improvement.
2. I had to upgrade a firewall so that I could install a sufficiently recent version of the Amanda backup client on it. The version that came with that OpenBSD release didn't actually work and it wouldn't build cleanly from ports. Given

Suspend/Resume?

[angus77]

They have suspend/resume now?

I guess this will be the Year of the OpenBSD Netbook!!

Re:Suspend/Resume?

[the_brobdingnagian]

Suspend/resume support has been improved enormously. I have been using it without problems on my Asus Eee PC 1000H for a while now.

Re:

[101percent]

A super secure OS running on the most easily stolen machine.

Re:

[Just Some Guy]

That's actually a great reason to use it on laptops (even if the pull of Ubuntu was too strong for me). A laptop without the password to the encrypted boot system and without any way to get it out of sleeping without knowing the login password might as well have a formatted drive for all the use it is to a thief.

Yes, you can get most of that with a properly set up Linux system. That's what I'm banking on with my own laptop here. Still, should it get stolen, I'd feel a lot better if my personal data was lock

ACPI features? Best of luck then

[sosaited]

I hope they didn't break something when adding the ACPI features. From my experience, it is one devil of a specification. Just half an hour ago, I couldn't browse anything on my Ubuntu Lucid because I had changed one ACPI related setting in Bios, and XP failed to boot at all. I wonder how far-reaching and bizarre effects it has on other OSs, and in other scenarios.

Re:

[TheRaven64]

This is why it's only being advertised now. They've had ACPI support for a while, but every ACPI implementation has interesting bugs. Most BIOS vendors test with Windows. A few test with Linux. None test with OpenBSD. OpenBSD therefore needs to include work-arounds for these bugs. They don't advertise the feature until they're pretty confidant that it's actually working. It's not Linux, where stuff gets pushed to the tree with a token amount of testing.

Re:

[ifrag]

Actually the pciide driver broke for me back in 4.7. As a result of the fact that 4.7 can no longer detect my hard drive (some VIA chipset iirc) I'm forced to use 4.6-stable instead. Maybe I'll check out 4.8 just to see if the driver is back to a working state for me.

Hrmm

[n3v]

www.openbsd.org slashdotted?

Bye Bye bce0?

[christurkel]

Disable bce(4) in i386 GENERIC and RAMDISK kernels.

Why was this removed? Makes my latop not useable with OpenBSD.

Re:

[IcePic]

Because it sucks by having hardware that cant handle memory above 1G, which means either it goes, or your 1+ G machine becomes 1G machine.
(or you start doing the ISA-bus style memory bouncing for all network drivers since any device can DMA to/from the same mbufs that the bce later should handle)

So either a massive rewrite of all other network drivers, OR, kill the driver for the broken hardware that pretends to be useful but isnt.

OpenBSD was my first *NIX

[CondeZer0]

That was more than ten years ago, and OpenBSD is still the *nix OS that remains closest to the original Unix style and spirit.

Being a BSD variant it means it already started to deviate from the Unix way long ago [cat-v.org], but with the notable exception of Plan 9 [cat-v.org] (not surprising given that the original Unix team were responsible for Plan 9, and by the way now are working on Go [golang.org]), all other *nix-like systems are much, much worse.

The quality of OpenBSD code is also much better than that of any other popular OS, and its

OSNews? Thom Holwerda? Seriously?

[Anonymous Coward]

You're taking some random blog article linked to by Thom Holwerda at OSNews seriously? Those are your three strikes, and you're out, my friend.

Look, the OpenBSD team knows exactly what they're doing. They're some of the brightest minds in the field. They have many years of experience with real-world security. They've been around long enough to know that there are something things that sound totally fantastic in theory, but in practice they're a complete failure.

Many advanced security approaches fall directly into this theoretically-great-but-actually-quite-shitty category. They end up being difficult to implement, and end up being full of security flaws and other holes. They end up causing the very things they're supposed to avoid! Thankfully, the OpenBSD developers know this, and smartly stick with a model that's been proven successful over the couse of 40 years.

Re:

[Sancho]

Insightful? Really?

The point of the article is that while the base system may indeed be very secure, it is practically useless. When needing to perform real world functions, the ironclad security of the base install is not all that useful. It's true that providing a good base on which to build your platform is important, however it's not nearly as important as one might think.

For example, if you need to build a web server, you might pick OpenBSD because of its "secure-by-default" mantra. But what does t

Re:

[cinderellamanson]

Nah, if hacked root on slashdot.org, SELinux isn't going to give two bits of a flea's shit if I banned your account.

Re:OSNews? Thom Holwerda? Seriously?

[machine321]

The point of the article is that while the base system may indeed be very secure, it is practically useless.

1998 called, they want their rationalization back. Besides, just about everyone turns off SELinux when they want to actually get work done.

Is lighttpd any more secure on OpenBSD than on Linux? No.

Good thing they have an audited, privsep, chrooted version of Apache, then.

With SELinux, you need not only a local privilege escalation, but a hole in SELinux as well.

Bullshit. [grok.org.uk]

I would argue that OpenBSD may be secure by design, but SELinux is, in practice, more secure.

Adding complexity rarely increases reliability.

I would be absolutely ecstatic if OpenBSD implemented something more like SELinux in terms of privilege separation.

The Stephanie project worked towards doing just that, but it appears the project died several years ago.

Re:

[Cyberax]

"1998 called, they want their rationalization back. Besides, just about everyone turns off SELinux when they want to actually get work done."

Fortunately, we have alternatives to SELinux. Personally, I use AppArmor.

Re:

[DiegoBravo]

I'm not trying to be rude, but you lost me at your first mention of SELinux.

Re:OSNews? Thom Holwerda? Seriously?

[Menkhaf]

Sorry man, that's not a highlight. It's a link.
I, uhm.. think you may have missed out a bit on the Internet. Here, I'll give you a link to start with: http://www.bing.com/ [bing.com] -- happy binge!

Besides, the mentioned "bullshit" was half way into his post. If you just read the first few words, I think he's happy.

Re:

[Sancho]

In most browsers, with most configurations, the link shows bright blue. I saw the post, saw the bright blue "Bullshit", and decided it wasn't worth reading the rest unless he decided to be more civil.

Re:

[tehcyder]

"bullshit" is rude? Really? Maybe should avoid the internet, or indeed any grown up environment.

No, "bullshit" is rude.

It's not as rude as "shut your fucking mouth before I rip out your throat and shit over your tonsils, you moronic cunt" but then again it's not exactly "I'm really sorry, but I'm afraid I beg to differ, and can provide reasoned backup for my argument."

I doubt you'd say "bullshit" to your boss or granny if you disagreed with them.

Re:

[cbhacking]

You're forgetting the difficulty of a successful exploit in the first place. OpenBSD was the first OS to implement ASLR, for example (http://en.wikipedia.org/wiki/ASLR). Linux only has fairly weak ASLR built in. There are a few other differences. Yes, the value of things like SELinux or AppArmor is considerable, and it would be great if OpenBSD implemented such a sandboxing capability, but your argument that the security of the OS itself isn't also very important is incorrect.

Re:

[onefriedrice]

But with SELinux, you can get an even higher level of security. With SELinux, you need not only a local privilege escalation, but a hole in SELinux as well.

It's not like a hole in SELinux is uncommon, unfortunately. Linux and GNU make for a very good base operating system, but so does BSD. Right off the bat, BSD has the advantage of being a coherent system with amazing documentation. Linux seems to be compatible with more hardware, and many people are more comfortable with the GNU userland. BSD arguably has better licensing terms (depending on your perspective). So each has its advantages and disadvantages, but SELinux I would not even bother listing as a

Re:

[metrix007]

Can you find me an example of a hole in SELinux? Even one? I don't mean a flaw in policy affecting some distros, but an actual flaw in the subsystem?

Re:

[nocomment]

Can you find me an example of a hole in SELinux? Even one? I don't mean a flaw in policy affecting some distros, but an actual flaw in the subsystem?

http://linux.slashdot.org/story/10/09/20/0217204/Linux-Kernel-Exploit-Busily-Rooting-64-Bit-Machines?from=rss [slashdot.org]

Re:

[metrix007]

Yeah, that's not a flaw in SELinux. Nice try though.

Re:

[onefriedrice]

Can you find me an example of a hole in SELinux? Even one? I don't mean a flaw in policy affecting some distros, but an actual flaw in the subsystem?

Yes, I accept your challenge. Here is some light reading for you.

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=selinux [mitre.org] - Obviously not all listed here are flaws in SELinux itself, but there are some.
http://www.zdnet.co.uk/news/security-threats/2009/07/20/linux-exploit-gets-around-security-barrier-39688318/ [zdnet.co.uk]

So, while SELinux might be a good single layer of security (when it works), it certainly isn't impenetrable and should definitely not be viewed as the most important layer of any multi-layered s

Re:

[metrix007]

Thanks, I found the mitre one pretty useful.

Most look like early DoS attacks, I would hope they have sorted that out now, and there doesn't seem to have been one since 2006. As for the rest, well SELinux runs in the kernel, so with the right kernel vulnerability yeah it can be bypassed. Considering most vulnerabilities are not kernel level but userspace....I'll gladly take that extra protection, of which no equivalent is offered on OpenBSD.

Re:

[TheRaven64]

Too lazy to look it up, but there have been two widely publicised flaws in the null pointer checking part of SELinux in the past year. Both led to privilege-elevation-to-kernel-mode exploits that only worked if you had SELinux.

That's rather the point of OpenBSD's rejection of SELinux. It is a huge chunk of complex code and it runs in ring 0. It increases the attack surface considerably, and unless you spend a lot of time configuring it, provides little actual benefit.

If you want to take issue with Op

Re:

[TheRaven64]

I can't remember his name. Mult is a system like FreeBSD jails, but with full support for recursion and resource limits from the start. It's a very clean system for sandboxing, which would have been a good fit for OpenBSD, but flames from some of the core developers on the mailing list pushed the author away.

Re:OSNews? Thom Holwerda? Seriously?

[TheRaven64]

For example, if you need to build a web server, you might pick OpenBSD because of its "secure-by-default" mantra. But what does that really buy you? You still need to run web server software, which is going to be the vector for any attack.

The OpenBSD base system includes a version of Apache that has been heavily audited (fixing a lot of bugs that didn't seem to get fixed in the main branch until years later - look for 'does not affect OpenBSD' in security advisory notes) and runs in chroot by default.

Is lighttpd any more secure on OpenBSD than on Linux? No

As I recall, lighttpd runs in a chroot by default on OpenBSD, but I could be wrong. On top of this, it has (probably not a full list, just the things I remember):

• Address space randomisation, making return-to-libc attacks harder. Linux now includes a weaker version of this.
• OpenBSD's malloc() has an aggressive policy about returning memory to the kernel, which trades some performance for making it much harder to exploit use-after-free bugs.
• The OpenBSD system compiler enables stack canaries by default and they are enabled for all OpenBSD packages, making stack-smashing attacks basically impossible.
• W^X policy means that you can't map a page as both writable and executable at the same time. This is implemented even on x86, where it requires some convoluted stuff with segmentation because there is no native support in the page tables. This makes anything with a JIT compiler marginally harder to write and makes arbitrary code execution holes much harder. Linux can enforce something like this only on newer systems that have support for the NX bit in page tables.
• The network stack uses strong random numbers for a lot of TCP/IP header fields, making things like connection hijacking or SYN flood attacks harder (you said you were running a networked app, right?).

And the best thing? You don't need to configure or even understand any of these for them to work. That's what 'secure by default' means - no faffing with SELinux configuration, no optional security measures that people turn off because they're too hard to get right.

I would argue that OpenBSD may be secure by design, but SELinux is, in practice, more secure.

In practice, SELinux is usually disabled. In the few places it is enabled, it makes the attack surface larger and has led to exploitable bugs that are not present in Linux-without-SELinux.

Re:

[shking]

For example, if you need to build a web server, you might pick OpenBSD because of its "secure-by-default" mantra. But what does that really buy you? You still need to run web server software, which is going to be the vector for any attack.

A security audited version of Apache, inside a chroot jail [openbsd.org], is part of the standard install [openbsd.org].

Please check your facts before posting. You'll avoid sounding like a trolling fanboi.

Re:

[Sancho]

Yeah, and then I mentioned a different web server. Maybe I don't want to run ancient software.

And to avoid that internet-age-old ad-hominem 'troll' attack, I realize that Apache 1.3 was only recently EOL'd by Apache, but development on it effectively ceased long ago. Which is why I referenced a more modern web server, though you conveniently declined to quote that portion of my post.

Re:

[yup2000]

I agree and that's why I use it for internet facing machines I don't want have to worry about!
Just look at the 4.7 release. There were 7 patches for the kernel & userland 2 of which were categorized as security. The best someone attacking the system could do is cause a daemon to crash or possibly cause a panic. During the same 6 month time frame linux quite a few more security issues crop up including one that could be used to get root on a box. ouch.

Re:

[afabbro]

Thankfully, the OpenBSD developers know this, and smartly stick with a model that's been proven successful over the couse of 40 years.

What model is this? Because 40 years = 1970.

I'm sure you're not talking about Unix because Unix was never designed with security in mind and it's ridiculous to think that security was even a consideration in 1970. Arguably, security has been well retrofitted, but not until much, much later.

Re:

[Anne Thwacks]

Unix was designed with security in mind, maybe not to today's requirements, but in 1970, you knew damn well that machines were multi-user, and users tasks had to be protected agaist each other. Real world experience at the time was not of people deliberately hacking others' stuff, but of a large percentage of programs being written in assembler, and having the ability to trash things at low level in the event of fairly trivial typing errors. Hardware separation of users; activities, and management thereof w

Re:

[TheLink]

I'm sure you're not talking about Unix because Unix was never designed with security in mind and it's ridiculous to think that security was even a consideration in 1970

Yeah it's kind of funny how people keep talking about how secure unix systems are and how superior they are when they aren't.

Unix was a watered down Multics.

http://en.wikipedia.org/wiki/Multics [wikipedia.org]

Security was a major consideration in Multics in 1970 and even earlier. Unix on the other hand had different objectives.

Re:

[TheRaven64]

Why is this a troll? UNIX was designed for minicomputers, with few users, all trusted. It was not designed to be networked (that came later, with BSD and the ARPA grant). It was not designed to be run on mainframes with large numbers of users, that was the domain of things like OS/360 and Multics.

It was designed for precisely one purpose: to run a game. It was then extended to be shipped on things that were little more than typesetting appliances. If you uttered the phrase 'UNIX security' in the '80

Re:

[Jeppe Salvesen]

Disclaimer: I've never used OpenBSD.

However, there are two angles to securing the system, and that is:

1. Fixing the code so that it does only what it is supposed to do. This includes security fixes.
2. Designing the code so that you can restrict access to resources (data etc) in a reliable way.

3. 1. Both must be addressed for a system to be both secure and usable.

      As far as I understand from the links and the discussion, OpenBSD is best-in-class at point nr 1, and pretty terrible at point nr 2. A system is no more secure

Re:

[cinderellamanson]

I think i just died laughing. hoot!

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[jimicus]

If you take a wider view, what you're describing is typical of the worst of F/OSS development attitudes across all platforms - OpenBSD is by no means unique. Many projects have taken active steps to curb such responses (such as introducing codes of conduct on mailing lists), but many haven't.

What generally happens is:

• Someone mentions on a developers' mailing list a perceived weakness of the product. They may word it perfectly politely, they may ask if there's a reason for this perceived weakness they may

Re:Have they decided to implement security yet?

[SoupIsGood Food]

OpenBSD's claims are based on clean code, well-written documentation and sensible defaults, not a baked-in or bolt-on MAC system (which in this case stands for Mandatory Access Controls.)

Because it can be bolted-on, it's not really a criticism of the OS itself. To be fair, jails gets you 90% of the way there - MAC systems were hot stuff on multi-user systems, but most Unix installations these days are single-seat workstations or back-end servers in the new "appliance" model which don't have any human users at all apart from the admin. Applications can be effectively protected from each other with jails... so an elaborate MAC system is kind of a waste of time in most cases. Maybe in a few specialized file-server scenarios, it might come in handy... but it's pointless for a box running a LAMP stack.

Oh, wait, OpenBSD doesn't run jails, and the devs tell you to screw off and die whenever they're asked about it.

I suppose they still have clean code and sensible defaults. You just need to buy a new server every time you want to isolate applications from each other.

But this isn't actually a security issue, this is a developers-up-their-own-fundament issue.

Re:Have they decided to implement security yet?

[metrix007]

I can't believe you got modded up. MAC is not bolted on at all, it is a kernel patch. This means you end up with a different kernel, where MAC is implemented from the ground up.

Equating MAC to jails also shows you simply don't understand what MAC is.

• If your webserver is compromised in a jail, can the webpages still be defaced? Yep. Not with a proper MAC policy.
• Running third party software that the OpenBSD team did not audit themselves which gets pwned? Far less likely with MAC. If the machine is exploited, minimal damage can be done.
• Need to restrict access from root to satisfy legal or policy requirements? Not possible with the outdated root = god model. It is possible with MAC.
• Want to restrict the permission a process has, instead of automatically granting it the same full permissions your user account has? Not possible on OpenBSD, possible with MAC. No, systrace doesn't cut it.

The industry is slowly heading in implementing MAC in some form, because DAC (Discretionary Access Control, the current standard) is simply inadequate. It's not all SELinux, Microsoft have Windows Integrity Levels where low privileged processes can't write to higher level processes, Ubuntu has AppArmor etc. The industry is heading in this direction because we realize that allowing all programs to have the full set of permissions equal to the user it is running as is not ideal.

The OpenBSD team stand out in their flat our rejection of the very idea, considering it to be too complex (does not have to bee, see SMACK, Tomoko or AppArmor), or horribly understanding it to the point they equate it with an ACL. IIRC Theo has said in several interviews it is basically security theater and not useful, which is just ignorant. Given they tend to actually ignore security vulnerabilities and argue rather than admit and fix them [coresecurity.com], the project doesn't seem that security focused to me.

Sorry, but I will take a fairly secure system that grants me the granularity to protect myself in the case of an attack, as opposed to a system which claims awesome security because it comes with almost no current software and nothing running by default.

Re:

[cinderellamanson]

If your webserver is compromised in a jail, can the webpages still be defaced? Yep. Not with a proper MAC policy.

For varying definitions of compromised, you mean? If the Sysadmin has deployed a detailed MAC policy.

Running third party software that the OpenBSD team did not audit themselves which gets pwned? Far less likely with MAC. If the machine is exploited, minimal damage can be done.

This is a good argument, but it's really hard to just say "Far less likely with MAC". This is always going to be the System Administrators responsibility. In fact all aspects of system security are going to be delegated to the system's managers almost immediately. This is the point where YOU need to decide if OpenBSD will suit your needs or become to complex to manage for your particular task.

Need to restrict access from root to satisfy legal or policy requirements? Not possible with the outdated root = god model. It is possible with MAC.

This is goofy,

Re:

[TheRaven64]

OpenBSD performance is not something they advertise, for good reason. If there's a trade between security and performance, they'll take security. The most noticeable example is the malloc() implementation. This is much more aggressive than any other that I've seen at returning memory to the kernel. This means that there are a lot more system calls being made by OpenBSD libc in any program that calls free() a lot and a lot more page churn (meaning more TLB misses). This hurts performance (about a 5-20%

Re:Have they decided to implement security yet?

[DiegoBravo]

From the article, about a "secure operating system":

> Generally, this would be taken to mean an operating system that was designed with security in mind, and provides various methods and tools to implement security polices and limits on the system.

Sadly most naive users still believe that security is about setting fine grained permissions, roles, resources and tagging system objects in general. In practice 1) security exploits simply bypass or reconfigure such validations or policies for their own purpose, and 2) getting a really good "fine grained" configuration and reconfiguration is pretty difficult, time consuming, and prone to error (i.e. to increase the vulnerability.)

Re:

[TheRaven64]

And there's a very good example of this. Windows NT has had fine-grained ACLs on every single kernel object (not just files - mutexes, sockets, processes - everything that the kernel is responsible for) since its creation. Until relatively recently, UNIX systems had a very coarse-grained security system; use/group/all permissions on files, no permissions on anything that wasn't a file (although a lot of things are in UNIX), one magic user that can bypass everything. Guess which one had more vulnerabiliti

Re:

[cbhacking]

This should definitely be modded higher. Fine-grained security controls don't matter if nobody uses them correctly, and they introduce increased complexity in the codebase that makes more room for bugs to creep in. By comparison, OpenBSD may be much less user-friendly in most ways, but its emphasis has been "real-world" security from the beginning, with heavy code audits and good security defaults. Even if its security model isn't as advanced as some others (Linux, NT), its implementation is far better in m

Re:BSD Troll-in-One

[Anonymous Coward]

To spare this section of all the trolls (yeah right!), I have incorporated every *BSD troll into this one message. Thank you.

The *BSD Wailing Song

What's left for me to see
In my ship I sailed so far
What can the answer be
Don't know what the questions are.
And after all I've done
Still I cannot feel the sun
Tell me save me
In the end our lost souls must repent.
I must know it is for certain
Can it be the final curtain
As long as the wind will blow
I'll be searching high and low.
Who knows what's really true
They say the end is so near
Why are we all so cruel
We just fill ourselves with fear.
And heaven and hell will turn
All that we love shall burn
Hear me trust me
In the end our lost sould must repent.
I must know it is for certain
Can it be the final curtain
As long as the wind will blow
I'll be searching high and low
Final curtain
Final curtain

• flask of ripe urine
  pressed to bsd lips
  bsd drink up

I don't want to start a holy war here, but what is the deal with you BSD fanatics? I've been sitting here at my freelance gig in front of a BSD box (a PIII 800 w/512 Megs of RAM) for about 20 minutes now while it attempts to copy a 17 Meg file from one folder on the hard drive to another folder. 20 minutes. At home, on my Pentium Pro 200 running NT 4, which by all standards should be a lot slower than this BSD box, the same operation would take about 2 minutes. If that.

In addition, during this file transfer, Netscape will not work. And everything else has ground to a halt. Even Emacs Lite is straining to keep up as I type this.

I won't bore you with the laundry list of other problems that I've encountered while working on various BSD machines, but suffice it to say there have been many, not the least of which is I've never seen a BSD box that has run faster than its Windows counterpart, despite the BSD machines faster chip architecture. My 486/66 with 8 megs of ram runs faster than this 800 mhz machine at times. From a productivity standpoint, I don't get how people can claim that BSD is a "superior" machine.

BSD addicts, flame me if you'd like, but I'd rather hear some intelligent reasons why anyone would choose to use a BSD over other faster, cheaper, more stable systems.

It is common knowledge that *BSD is dying. Almost everyone knows that ever hapless *BSD is mired in an irrecoverable and mortifying tangle of fatal trouble. It is perhaps anybody's guess as to which *BSD is the worst off of an admittedly suffering *BSD community. The numbers continue to decline for *BSD but FreeBSD may be hurting the most. Look at the numbers. The erosion of user base for FreeBSD continues in a head spinning downward spiral.

OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of BSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

All major marketing surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among hobbyist dilettante dabblers. In truth, for all practical purposes *BSD is already dead. It is a dead man walking.

Fact: *BSD is dying

It doesn't matter, no matter how many time you try to recesitate *BSD, it's just does

tl;dr

[Nimey]

too long; didn't read.

Re:

[gratuitous_arp]

It was funny =p

Re:

[DrXym]

A classic rant that is largely nonsense but does have a smidgen of truth. BSD's largest failing is that Linux was better at pushing people's buttons than BSD was. Linux has always felt dynamic, pragmatic and aggressive in pursuing new functionality whereas BSD is more laid back and feels like it is trying to preserve some archetypal Unix at the expense of progress. Over time that has meant that Linux has stolen an insurmountable lead. I think its very hard for something as large as BSD (in its most common

Re:

[jabjoe]

I think the BSD licence is why the BSD OS is where it is.

Re:

[inode_buddha]

If it's any indication, I met a BSD user at a 1998 LUG meeting, he had a full-on desktop with all the effects and audio going on a Dell laptop. So I imagine that if your hardware is supported (most likely) it should work fine. BSD has extensive documentation and lists of supported stuff. I'm a linux guy, so I really don't know more than that. Best bet is to just try it, IMHO.

Re:Audio on BSD?

[TheRaven64]

OpenBSD has gone down the userspace sound daemon route, with aucat. This is much simpler than something like portaudio and provides userspace sound mixing. I generally prefer the FreeBSD approach (fully working OSS 4 compatible, with high-performance low-latency kernel sound mixing), but the OpenBSD approach (like everything else in OpenBSD) trades a little performance for a lot more security.

Re:

[TheRaven64]

The opinions of 4Front are completely irrelevant to FreeBSD - their implementation of OSS 4 is independent of 4Front. 4Front does ship an OSS 4 implementation for FreeBSD, but it lacks per-channel volume control and AC-3 pass through while playing analogue audio, both of which are supported in the FreeBSD version.

Re:

[account_deleted]

Comment removed based on user account deletion