OpenBSD Journal

BSD: The Other Free UNIX Family

Contributed by jolan on from the one-article-to-cover-them-all dept.

Over at InformIT, they're running an article entitled, "BSD: The Other Free UNIX Family". It's a run-of-the-mill BSD round-up article which is a little better than what I've seen in the past. Of course, this doesn't mean that it isn't without any inaccuracies and exaggerations. (How many did you find?) On a lighter note, I particularly liked this line from the article:

"The superb documentation available in the BSD community tends to make people who ask questions that are easily answered very unpopular. It is common for a question posted about a BSD system to be answered with a one-line reply instructing the asker to read the manual, This is good advice; the answer is usually there."

Quite a positive spin on the typical misc@ behavior, eh?

(Comments are closed)


Comments
  1. By Anonymous Coward (202.6.138.33) on

    The OpenBSD version of Apache, for example, runs in a chroot jail by default, so attackers who compromise Apache cannot do anything other than break the web server—they can’t even modify the contents of the web site on disk.

    And where is the contents of the web site, if not in the jail (disregarding database contents)?

    Comments
    1. By ptomli (82.152.46.31) on

      $ ps aux | grep httpd
      www      32318  0.0  0.5  1920  4776 ??  Ss    Fri06PM    0:07.35 httpd: parent [chroot /var/www] (httpd)
      
      $ grep www /etc/group
      www:*:67:
      
      $ ls -l /var/www/
      total 36
      drwxr-xr-x  2 root  daemon   512 Sep 10 22:15 cgi-bin
      drwxr-xr-x  2 root  daemon   512 Jan 26 18:18 conf
      drwxr-xr-x  3 root  daemon   512 Jan 26 18:19 htdocs
      drwxr-xr-x  3 root  daemon  3584 Sep 10 22:15 icons
      drwxr-xr-x  3 root  daemon   512 Jan 26 18:14 lib
      drwxr-xr-x  2 root  daemon   512 Jan 27 18:38 logs
      drwxr-xr-x  2 root  daemon   512 Jan 26 18:17 tmp
      drwxr-xr-x  2 root  daemon   512 Sep 10 22:15 users
      
      No write permissions. Of course, you're free to break this behaviour if you like. Out of the box, Apache running chroot doesn't have permissions to write to it's chroot jail.

      Comments
      1. By Anonymous Coward (67.140.135.200) on

        "This stringent checking is nice, but it applies only to the base system. Any third-party applications installed are not checked. To help reduce the problems, OpenBSD includes a number of security features." What?????? Someone clarify this please. Third paragraph on this page.

        Comments
        1. By Anonymous Coward (165.254.210.2) on

          The security audits only cover the stuff included in the base install. Packages and ports aren't generally auditted by the OpenBSD team. But things like ProPolice, W^X, etc. help protect against errors in ports/packages.

          Comments
          1. By Amir Mesry (63.144.61.175) on

            Well some of the packages/ports are patched before being made available, so some auditing is done, but not to the level the OS gets.

        2. By Clay Dowling (12.37.120.99) clay@lazarusid.com on http://www.ceamus.com

          You'll find that if you read the subsequent paragraphs on that page the statement is explained quite well. The core OS has a lot of features that catch buggy behavior and make exploitation harder.

          That in fact is one of my favorite things about OpenBSD. If I do something dicey in my code, it's more likely to crash than let me skate. I consider this a huge advantage.

      2. By Anonymous Coward (202.6.138.33) on

        Ok, fine. So how is this different to a non-chroot apache running as user www?

        Comments
        1. By ptomli (82.152.46.31) on

          man 8 httpd

          "As a result of the default secure behaviour, httpd cannot access any objects outside ``ServerRoot'' - this security measure is taken in case httpd is compromised."

          So even if someone manages to break httpd, not only can they not alter the contents of the sites served by httpd, but neither can they access anything else on the system. With non-chroot installations, this would allow a compromised httpd to read files outside ServerRoot, say /etc/passwd, /etc/fstab, /etc/rc.conf*

          Comments
          1. By Anonymous Coward (66.11.66.41) on

            Which has absolutely nothing to do with the dumb statement in the article, or the question you replied to. Apache already can't change the website because of permissions. This is not particular to openbsd, nor does it have anything to do with chroot.

            Comments
            1. By ptomli (82.152.46.31) on

              I think you didn't understand the quotation as it was intended to be understood in its original context. The bold in the quotation from the article was not placed there by me.

              The emphasis below, which I did add, is probably more relevent to chroot than that of the original AC.

              The OpenBSD version of Apache, for example, runs in a chroot jail by default, so attackers who compromise Apache cannot do anything other than break the web server—they can’t even modify the contents of the web site on disk.

              chrooting httpd doesn't add anything with respect to the httpd process not being able to alter content within ServerRoot, but it does add greatly to reducing the risk to the system should httpd be compromised.

              Comments
              1. By ptomli (82.152.46.31) on

                On second thoughts, chrooting httpd probably does add to the security of a httpd not being able to write to its ServerRoot.

                If httpd has access to suid <some-user> executables outside of ServerRoot then there is increased risk that those suid executables may be compromised and used to, among other things, alter the contents of ServerRoot.

      3. By Anonymous Coward (202.45.99.224) on

        so how does it write to /var/www/logs which it can do just fine by default if it cant write to its chroot jail?

  2. By No word about DragonflyBSD? (212.129.63.1) on http://www.00f.net

    "The BSD family", but absolutely nothing about DragonflyBSD?

    Comments
    1. By Christian Kellermann (153.96.175.185) on

      Obviously you have not read the article. It clearly mentions Dragonfly BSD

    2. By Anonymous Coward (68.106.232.57) on

      How much recognition does a recent derivative of FreeBSD really need?

      I get that they have some major changes in their tree, but is DragonFlyBSD really so differentiable from FreeBSD at this point as OpenBSD is, or NetBSD?

      And what if a project forks from DragonFlyBSD; now we suddenly have to consider UsedToBeDragonFlyButNowWereNotBSD another unique member of the BSD family?

      I hear there's an opening for Yet Another Linux distro. 300+ isn't enough there. Maybe the BSDs should set a similarly high goal.

      Comments
      1. By sthen (81.168.66.229) on

            but is DragonFlyBSD really so differentiable from FreeBSD at this point as OpenBSD is, or NetBSD?

        I think so. They're going in quite a different direction to other BSDs - it's definitely a lot more than just an 'updated FreeBSD 4' as it might appear at first glance if you install it and take a quick look at the system.

      2. By Anonymous Coward (142.166.105.108) on

        IMHO DragonFlyBSD is already sufficiently different from FreeBSD to merit any recognition it gets. I expect it will have a very small user base for some time yet (even by OpenBSD standards) but that doesn't make it any less valid. Matt Dillon brought a fair amount of credibility with him when he started the project, and I'm optimistic great things will come from it. Sadly though, I don't see how much of it can be borrowed for OpenBSD, but maybe that is just my limited imagination.

        Comments
        1. By Anonymous Coward (165.254.210.2) on

          They're contemplating a move to OpenBSD's malloc: Link.

    3. By Anonymous Coward (213.196.249.198) on

      DragonFly BSD is mentioned. MirBSD is missing, though.

      Comments
      1. By Anonymous Coward (66.11.66.41) on

        Do we really need to pretend every dumbass who runs his own locally broken openbsd has created their own bsd?

        Comments
        1. By Anonymous Coward (212.234.204.97) on

          It depends of who is the dumbass :)

Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]