OpenBSD Journal
Contributed by jose on from the ourland-security dept.
Taking a quick scroll through the OpenBSD Security page , it looks like this could be a record for the delay between a release and a security patch. This will probably jinx it, though. Note that a number of reliability fixups have been added to the -stable branch, so if you run that be sure to update.
(Comments are closed)
Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]
By Noryungi () on
Is it due to things like ProPolice and/or W^X (sp?) or is it just that OpenBSD has reached a point, in its constant auditing, where most bugs have been found & corrected? Or maybe both?
Or is it (*shudder*) because not a lot of people use OpenBSD and most script-kiddies and serious security researchers have decided to attack something else, like Windows or GLiNUx?
Please note that this is not a flame or a troll, just an honest question... ;-)
Comments
By jose () on http://monkey.org/~jose/
OpenBSD has never taken the stance that a known bug is ok just because you have a mitigation layer. bugs get fixed. that's the story. example: privsep helped to mitigate the openssh bug, but it was fixed and the vulnerability noted.
the audit is wide reaching, but there are gaps due to human eyes, human limits, the limits of peoples' interests. plus we're always learning about new vulnerability classes. never mind the fact that the whole string cleaning may have introduced more bugs, it needs thorough testing.
and if anything the hacker underground is more interested in abusing OpenBSD as opposed to other targets because of the project's success (often mistakenly thought of as a boast of perfection). this has been going on for years.
we're far from perfect. i suggest new people start reading some code and start auditing. a lot of bugs lurk, some are security issues. it's a very worthwhile experience. honestly, start from the ground up: read some code, if you're not sure how a function works, read the library source, and make sure it's used correctly.
By Nate () nate@my-balls.com on mailto:nate@my-balls.com
OpenBSD has completely OMGWTFPWNED any and all other operating systems when it comes to not only stability but clean easy to understand mans.
I started using it at 3.0, and since then it has become my desktop at work and I am trying to get a dualboot for at home (still need to play video games of course). But looks like 3.3s doesn't yet work with my home machine.
If say OpenBSD were to make a few desktop specific pkgs that installed and configured stuff like WindowMaker, GNOME, or KDE and a few other "vitals" for desktop usage without requiring much thought, then you'd see more people using it and thus more kittie action. Unfortunately, some people don't get pkg_add idea.
Enough of my random gibbering.
A - OpenBSD is the best of the BSDs because it is most secure of them, I may even stretch to say stongest of the UNIX tree's offshoots. It has been audited enough that I can think this and know it's true.
B - If OpenBSD became more popular for desktop usage, then we'd see more problems, mostly based in other people's wares. Currently Open just doesn't have the pull of Linux, though I've know idea why.
Comments
By Charles E. Hill () charles.e.hill@comcast.net on mailto:charles.e.hill@comcast.net
1. The installer *looks* unfriendly and hard. Not that it is, it just looks it.
2. No decent-sized company behind it, and no major players providing support. You can get 24x7x365 support for Linux from HP, IBM, TRW and others.
3. No SMP support. (Okay, I saw the patches and announcement the other day, but I'm on vacation and not in front of an SMP machine to test. Besides, "one big lock" on x86 is the first step and can't compete with 8-, 16- or 64-way+ Linux/Solaris/AIX/HP-UP installs. No, clusters are NOT the answer to everything -- and many major clusters are clusters of DUAL-PROCESSOR systems. Some problems scale up much better than out -- not all, just enough.
4. Installing software RAID on a new system. God help you if you want to RAID-1 the boot disk. I haven't yet tried again with 3.3 but with 3.2 it was a nightmare.
5. Lack of marketing/mind-share.
On the bright side, if you are serious about stability and security then the hassles of OpenBSD are vastly outweighed by the benefits.
Comments
By Anonymous Coward () on
> Not that it is, it just looks it.
I really like it, I hope it'll never change..
> 2. No decent-sized company behind it, and no
> major players providing support. You can get
> 24x7x365 support for Linux from HP, IBM, TRW and
> others.
That's what your admin sys is for.
> 3. can't compete with 8-, 16- or 64-way+
> Linux/Solaris/AIX/HP-UP
You own a 64 way Linux box? Lucky b.
> 4. Installing software RAID on a new system. God
> help you if you want to RAID-1 the boot
> disk. I haven't yet tried again with 3.3 but
> with 3.2 it was a nightmare.
Raid the boot disk, how stupid.
> 5. Lack of marketing/mind-share.
I don't like redhat do you?
Comments
By RC () on
No, that's actually rather smart...
For anything reasonably important, you should have a duplicate just in case of hardware failure... That includes the boot disk. Or did you want to wait more than an hour while you setup your database server OS before you could use it again?
Comments
By Anonymous Coward () on
Comments
By Brad () brad at comstyle dot com on mailto:brad at comstyle dot com
By Charles E. Hill () charles.e.hill@attbi.com on mailto:charles.e.hill@attbi.com
Why?
True hardware RAID offloads the processing onto a separate chip, freeing up the CPU. Most also offer battery backed buffering RAM.
What benefit does this offer me? The server in question has redundant power supplies, each on their own battery-backed circuit and is in a building with a natural gas generator. I'm not worried about a power loss.
The CPU (1.7 GHz p-3) usually doesn't tick over past 40% utilization (medium-sized web/e-mail server). The HiFN-based crypto accelerator ensures CPU-hogging TLS/IPSec computations are handled smoothly.
By using inexpensive IDE drives (Western Digital 100 Gb w/8Mb cache) I was able to get software RAID-1 for minimal cost with blistering performance.
The T-1 connection to the Internet ensures that my bottleneck will be the network, not the CPU or drive I/O. This means hardware RAID and things like Ultra-SCSI are a complete waste of money.
What am I missing?
Comments
By Anonymous Coward () on
A brain.
Comments
By Anonymous Coward () on
LOL you better go inform Sun Microsystems about
what idiots they are... their lowest desktop
to their highest end n-way box all come
with software raid (metadisk aka open disk suite).
Their pre-installed os comes with it loaded and
just not configured.
Software *mirroring* works great, there's no
checksum to compute and it's cheap insurance,
which is what the original poster was talking
about. Hell, if you configure your bootaliases
from the eeprom properly, the system will
automatically failover to your backup on reboot.
The only danger you run is from not monitoring
your boot disks or uptime closely enough to
know that you are back to a single disk!
Comments
By marklar () marklar_@hotmail.com on mailto:marklar_@hotmail.com
Look at the procedures for replacing a disk with software RAID vs. hardware RAID.
Hardware: Disk fails, whip it out, plug new one in, rebuild happens.
Software: Disk fails, whip it out, plug new one in, log in as root, partition disk (format), create new metadbs, metareplace.
One can be done by almost anyone (ie. level 1 support), the other may require a trained Solaris admin (level 3 support) with security clearance and access to documentation.
I've been complaining to Sun about this for over 5 years, they tried low-end hardware RAID once (google for sun src/p) but never really got behind it.
I even tried telling them they had lost sales to M$ (which they had) and now to Linux (which they are), but they still don't seem to care.
Comments
By Brad () brad at comstyle dot com on mailto:brad at comstyle dot com
Comments
By marklar () marklar_@hotmail.com on mailto:marklar_@hotmail.com
Comments
By Chris () on http://www.anandtech.com/storage/showdoc.html?i=14
By Anonymous Coward () on
> Not that it is, it just looks it.
I really like it, I hope it'll never change..
> 2. No decent-sized company behind it, and no
> major players providing support. You can get
> 24x7x365 support for Linux from HP, IBM, TRW and
> others.
That's what your admin sys is for.
> 3. can't compete with 8-, 16- or 64-way+
> Linux/Solaris/AIX/HP-UP
You own a 64 way Linux box? Lucky b.
> 4. Installing software RAID on a new system. God
> help you if you want to RAID-1 the boot
> disk. I haven't yet tried again with 3.3 but
> with 3.2 it was a nightmare.
Raid the boot disk, how stupid.
> 5. Lack of marketing/mind-share.
I don't like redhat do you?
By Nate () nate@my-balls.com on mailto:nate@my-balls.com
4. Software RAID? Shit man.
By Clint () no@spam.com on mailto:no@spam.com
Comments
By Nate () nate@my-balls.com on mailto:nate@my-balls.com
The problem as I said, was that people don't want to think for setting up the desktop. They want to say "Windows-like" and magically get everything there is they could ever want in one fell swoop, without needing to know to type anything. "Unfortunately, some people don't get pkg_add idea."
By Non-Shortsighted Coward () on
Nonsens
1) Best is subjective. Security is not always important.
2) It depends on your goal. You really think OpenBSD is the best on the playstation2 arch? Think again.
Here comes the disclaimer for all the stupid people who think black vs. white: i love OpenBSD on x86/alpha for the from my point of view *right* purpose but i also love other OSes for a right purpose. Nuff said. EOF.
Comments
By Anonymous Coward () on
"Security is not always important."
when is it not important? the better-being(security) of *anything* is *always* important.
"You really think OpenBSD is the best on the playstation2 arch?"
care to prove why it wouldn't based on its technical merits?
Comments
By Charles E. Hill () charles.e.hill@comcast.net on mailto:charles.e.hill@comcast.net
when is it not important? the better-being(security) of *anything* is *always* important.
"You really think OpenBSD is the best on the playstation2 arch?"
care to prove why it wouldn't based on its technical merits?
1a. When it is my physically secure, single-user machine, not connected to a modem or the Internet.
1b. When nothing of value is stored on or accessed by the machine (e.g. a Playstation or game machine).
2. Yes. Can OpenBSD do 3D hardware accelerated rendering on the PS2? Do you care about security on a machine that all the programs are stored on non-writable media and is rarely if ever connected to a network? Even those connected to a network, except for "save files" which are of questionable value, what is the issue?
OpenBSD is great, but you sound like the man with a hammer who thinks everything is a nail. OpenBSD is not the answer to every computing problem.
Comments
By Nate () nate@my-balls.com on mailto:nate@my-balls.com
1b. Just because nothing very important is stored there does not mean it's not nice to have a good system running on the hardware. Bugs are still bothersome.
2. If there were a reason to run OpenBSD on the PlayStation 2 hardware, it could be ported based on the NetBSD code. But there is no reason for any operating systems other then the two released by Sony to run on the PlayStation 2, they were made specifically for that hardware.
This is not hammer to nail thought, this is just that stability and cleanly coded stuff is more important to some then to others.
I can't stand Linux or Windows for their poor up times and instability. I've only seen one of more then four hundred Linux boxes run longer then a year, I've not seen a Windows box last longer then two months.
Comments
By Alejandro Belluscio () baldusi@hotmail.com on mailto:baldusi@hotmail.com
Don't give to Linux for RedHat and bad administrators sins. I remember using a RH 6.2 that kept powering off automatically (fsck APM) even though I had installed it a as a berbone server. I had to manually un init the APM daemon and yat if by mistake I run lunuxconfig it would came back from the dead.
But when using Debian or Gentoo then ther's hardly a problem with the system. The uptimes were cut when I had to upgrade kernels (which given its shackyness its very common). But the reliability was high.
Anyway if you actually applied all the patches to your OBSD you should have rebooted every realease until this one, which give a not so high upper bound on uptime of six monthes. And you evidently haven't used VLAN, which until 3.3 were unbelievable unstable. It would panic from an ifconfig. And no, it was not the lack ability of the operator.
Comments
By Brad () brad at comstyle dot com on mailto:brad at comstyle dot com
By Anonymous Coward () on
Physically secure? Including electromagnetic radiation, including disposal of the unit? Personally, i prefer to use an OS and encryption i trust. Oh, you should also include "on which i never ever make any mistakes".
1b. When nothing of value is stored on or accessed by the machine (e.g. a Playstation or game machine).
Value is subjective. Is your time valuable? The more secure a server, the less time spent resolving security issues. Additionally, making a device 100% unable to access anything of value would be quite difficult. Do you live in a farraday cage?
Do you care about security on a machine that all the programs are stored on non-writable media and is rarely if ever connected to a network?
Yes. Non-writable is one thing, non-accesible another. There exists data i would rather not have people reading. Since PS2 is the hardware, it should be noted that there exists code game designers would rather not have gamers access. You're thinking Integrity, but Confidentiality and Accountability can be important too.
Sure you can cover all the bases and come up with a situation in which security is not important, but that situation is so impractical that it doesn't matter.
Is security always the most important aspect? Probably not.
Is OpenBSD always the best from a security standpoint? Probably not.
Is security never important? Yes, in some hypothetical case that has little to no bearing on the real world.
By Anonymous Coward () on
Look dude just because you can't think of an example 'when it is not important' does NOT mean that nobody can think of such example nor that everyone should run OpenBSD because it's the best solution for everything. It f*cking ain't!
If you want an example: my friends' satelite received which runs Linux. WHY should it run OpenBSD? You can only get access by breaking in his house.
"care to prove why it wouldn't based on its technical merits?"
Technically it doesn't run on PS2.
Comments
By Anonymous Coward () on
Is there a reason why it shouldn't?
"Technically it doesn't run on PS2."
you did not address the question which was; "care to prove why it wouldn't based on its technical merits?"
if the PS2 required SMP(which it does not), then it would have no place in the PS2. however, saying "Technically it doesn't run on PS2" is not evidence that the PS2 can not take advantage of OpenBSD, you only state the obvious.
Comments
By Anonymous Coward () on
By Anonymous Coward () on
No bloating thanks. I like my sugar with coffee and cream.
By Eric Z () EchoZebraAtZebraFiveSevenDotCharlieOscarMike on mailto:EchoZebraAtZebraFiveSevenDotCharlieOscarMike
Today's set includes:
- Command execution vulnerability in dvips
- Updated unzip packages fix trojan vulnerability
- Updated fileutils package fixes race condition in recursive operations
- Updated file packages fix vulnerability
- Updated unzip packages fix trojan vulnerability
So if these problems affect RedHat Linux, they probably affect the same programs in other Linux distros or even other OSs. My question is - Are the libraries the OpenBSD provides helping to immunize OpenBSD from the obvious holes using legacy I/O functions without error checking?
If the team (or deadly) doesn't broadcast info about bugs, does that mean they're not an issue? or does it mean they haven't been addressed yet? I hope it's the former.
By Anonymous Coward () on
*crosses fingers*
By Anonymous Coward () on
email misc@ and demand patches! dont take no for an answer.
w/foghorn: What do we want?
disgruntled nerds: PATCHES!!
w/foghorn: When do we want them?
disgruntled nerds: NOW!!
lather, rinse & repeat
By Markus () on
I'm not so sure on the 'only use the patches' approach anymore.
Thanks.
Comments
By schubert () on http://schubert.cx/
So the definition of "important" is in the eye of the beholder. And the beholder is the developers of course.
Its kind of funny though, people trust that they do a damn good job auditing and creating features but then they call into judgement what should patches be released for :-)
By Noob () on
But ya, the previous post was totally true about stable. Things like the ports tree and sometimes specific things that get included in base I think can really be important sometimes.
By dantams () on
Comments
By Noob () on
By Brad () brad at comstyle dot com on mailto:brad at comstyle dot com
By jkm () joakim@aronius.com on mailto:joakim@aronius.com
I update my source by CVS every night and check what has been updated, but i beleive it could be handled better. Maybe a dedicated mail list for all updates to the two supported STABLE branches. Or publish a complete list of all updates to the STABLE branches on openbsd.org. Today one has to do cvs to find out that a file has been updated and then go to source by web and dig out that file to see the comments.
Its not a problem for me or any other more or less experienced user but i think this is an issue that makes the obsd learning curve a little steeper.
By psxndc () on
-p
Comments
By Henry () on
Comments
By psxndc () on
-p
By psxndc () on
-p
PS reporting to include [omitted text]
Comments
By Anonymous Coward () on
Comments
By psxndc () on
Duh! I wasn't thinking that way. So theoretically, I can configure sendmail/SMTP behind my firewall (so I don't have to worry about people trying to get into it by blocking port 25), use the "From" of my POP3 account, and I should be all set. Jiminy Christmas!
Thanks AC. You've made my night.
-p
Comments
By Tony () on
By psxndc () on
-p
Comments
By seymore () on
Use fetchmail to fetch the mail from your ISP. All machines internal to the network connects to your SMTP/POP3 server to send/receive mail.
Just my 2c...
By Anonymous Coward () on
Just a random thought...
Comments
By Henry () on
Comments
By Anonymous Coward () on
By Anonymous Coward () on
Comments
By Anonymous Coward () on
If you can't connect to *any* remote SMTP servers, sending mail will be a problem, since SMTP is *the* Mail Transfer Protocol of the Internet... :-/
By Anonymous Coward () on
By psxndc () on
So now I can connect and everything is for the most part ok. I still can't get sendmail configured on my iBook correctly to use the smart host (it still tries connecting directly which still times out), but I can route everything through RCN's servers, so no big whoop. Thanks everyone for your suggestions.
-p
Comments
By Anonymous Coward () on
By Anonymous Coward () on
By Tony () aschlemm@comcast.net on mailto:aschlemm@comcast.net
Comments
By Noob () on
gnu/usr.bin/ld/rtld/rtld.c
lib/libpthread/uthread/uthread_kill.c
lib/libpthread/uthread/uthread_sig.c
libexec/ld.so/sod.c
sbin/isakmpd/ipsec.c
sbin/pfctl/parse.y
sbin/pfctl/pfctl_parser.c
sys/conf/newvers.sh
sys/crypto/cryptodev.c
sys/dev/ic/cac.c
sys/dev/ic/siop.c
sys/dev/ic/sti.c
sys/dev/pci/pcidevs
sys/net/pf.c
sys/netinet/if_ether.c
usr.bin/ssh/compat.c
usr.bin/ssh/compat.h
usr.bin/ssh/kex.c
usr.bin/ssh/scp.1
usr.bin/ssh/sftp.1
usr.bin/ssh/ssh-add.1
usr.bin/ssh/ssh-agent.1
usr.bin/ssh/ssh-keyscan.1
usr.bin/ssh/ssh-keysign.8
usr.bin/ssh/ssh.1
usr.bin/ssh/ssh_config.5
usr.bin/ssh/sshd_config.5
usr.bin/ssh/version.h
usr.sbin/dhcp/dhclient/dhclient.c
You can read the commit message for each file in the Source by Web option at http://www.openbsd.org to see what the change was for.
By OpenBSD user () on
That's not an objective metric, because you are not taking into account the rate of vulnerabilities elsewhere in the community, nor looking at whether those other vulnerabilities fail to exist in OpenBSD because of OpenBSD's proactive security management. There could be many other explanations.
Still, as an OpenBSD user and fan, I'm very pleased, and the history fo OpenBSD shows that it is more security robust than other systems.
By Anonymous Coward () on
Comments
By Gerardo Santana Gómez Garrido () santana@openbsd.org.mx on http://www.openbsd.org.mx/~santana/
http://www.openbsd.org.mx/~santana/binpatch.html
I made some for 3.1 and 3.2 on i386, but since we (OpenBSD México) moved to another server I haven't made them available yet.
If you need binary patches please mail the OpenBSD Team, so I can get support to deliver trusted binary patches.
By James () on http://www.quelrod.net
Comments
By Tony () aschlemm@comcast.net on mailto:aschlemm@comcast.net
I will also add that just because I roll my own release doesn't mean I wouldn't mind some sort of online update facility that would allow me to download updated kernels and other software and have them installed for me automatically.
By Anonymous Coward () on
By djm () on
If the OpenBSD developers were doing this it would mean more work to setup and run - work that would come out of hacking time.
By RC () on
Want binary patches? Feel free to make them. Anyone could publish the binaries from the source patches they compile... If there's so much demand, why isn't anyone doing it yet?
Comments
By Anonymous Coward () on
Which is why recently I replaced an openbsd webserver-dmz box with a debian box. An improved security OS is useless if you dont have time to do updates.
Comments
By Anonymous Coward () on
2) Pay a junior minimal wages to patch your
boxes. :)
3) Address why you are so busy that you can't patch a box. See points 1 and 2, might help.
4) Setup a system that creates binary patches for you, if you have enough servers to make it worth it.
This is UNIX not Windows. There is no hand holding. If you want to ditch a quality and secure OS like OpenBSD for a trivial reason, it's your own loss. No one cares if you switched to Debian. Probably should keep that to yourself in the future so you look less stupid.
By Anonymous Coward () on
On account of the whole openbsd development effort & extended user base, I would like to express our profound & sincere regrets for issuing important updates while_you_happened_to_be_busy.
We fully agree that this was rash and unduly prepared for and we sincerely regret any inconvenience this may have caused you in your busy schedule.
Please rest assured that this matter has been investigated and dealt with promptly, however it is only fair to inform you that the fault did not lie directly with us, but with a junior outsourced partner who has since been forced into premature bankruptcy by our legal team.
So sleep tight knowing that everything has been taken care of for you! We do!
Oh and by the way, next time you reincarnate, please remember to ok the brainTM option on your confirmation dialog box.
Thank you,
OBSD Customer Satisfaction Commitee
Comments
By Anonymous Coward () on
I was simply stating a position from my experience.
I full well know that I could spend some time developing some software to handle the mundane but important task of system patch administration. Or spend money I dont have on a grunt to do my work. Its a shame though that this task is not as straight-forward on openbsd as it is on debian. Why duplicate development effort with such a common task.
Regardless I still use openbsd for tasks I feel its best at, and contribute my donation (CD purchase periodically) to the openbsd core. I've also been around long enough to know the core doesn't care, and does what it feels is best.
By djm () on
Comments
By Anonymous Coward () on
4hours even on a 1.2g athlon + another 2hours for make release
then you have to copy the .tgz and un tar them on all your boxes
By jacob () on http://www.openbsd.org.mx/~santana/binpatch.html
create binary patches that you can distribute to
your other obsd boxen.
One i've enjoyed is the binpatch project.
if you trust em (i've used em since they started
and find it very conveinient for my boxes
without compilers installed),
just grab the patches that they publish on their site:
http://www.openbsd.org.mx/~santana/binpatch.html
By Anonymous Coward () on
http://www.openbsd.org/pkg-stable.html
Yea, yea, i know that doesn't count as 'default install' or 'base install'. Nevertheless, when you use Ports it's wise to keep in touch with this:)
By Igor () non@e.net on mailto:non@e.net