OpenBSD Journal

OpenBSD Journal

OpenBSD's pledge(2) and unveil(2) are developer-friendly, study finds

Contributed by Peter N. M. Hansteen on from the pledge+unveil for much goodness dept.

Academic studies of OpenBSD's features and their practical impact on security are somewhat rare, but we were pleasantly surprised to see the recent paper A Measurement Study on the Adoption of Pledges and Unveils in the OpenBSD Operating System, by Jukka Ruohonen, Krzysztof Sierszecki, Abhishek Tiwari (all at University of Southern Denmark).

The paper studies the adoption of the pledge(2) and unveil(2) in the OpenBSD base system and packages over time, and finds that the features provided actually seem to facilitate adoption of secure coding practices.

The paper's abstracts concludes,

All in all, the measurement results indicate that the adoption of system call minimization and sandboxing techniques is not necessarily as troublesome as has often been discussed in the literature.

The full text of the paper is available too, as PDF, HTML, or TeX source, for your advocacy use and pleasure.

OpenBSD/amd64 kernel virtual address space is now 512GB

Contributed by Peter N. M. Hansteen on from the where-would-sir-like-his-640kB? dept.

We almost missed this in a flurry of commits by Jonathan gray (jsg@), but following this commit, OpenBSD/amd64 kernels now have a 512GB address space.

The commit message innocently reads,

List:       openbsd-cvs
Subject:    CVS: cvs.openbsd.org: src
From:       Jonathan Gray <jsg () cvs ! openbsd ! org>
Date:       2026-06-22 0:27:33
Message-ID: 162f075352ec66cd () cvs ! openbsd ! org

CVSROOT:	/cvs
Module name:	src
Changes by:	jsg@cvs.openbsd.org	2026/06/21 18:27:33

Modified files:
	sys/arch/amd64/include: vmparam.h 

Log message:
raise the size of amd64 kernel virtual address space from 4G to 512G

Read more…

syslogd(8) privileged and non-privileged parts now separate binaries

Contributed by Peter N. M. Hansteen on from the logged, separately dept.

In OpenBSD, the syslogd(8) system logger has already for a while now fork(2)ed the privileged from the non-privileged parts.

Now Alexander Bluhm (bluhm@) decided it's time to split these parts into separate binaries in order to provide even better separation. The final commit message reads,

List:       openbsd-cvs
Subject:    CVS: cvs.openbsd.org: src
From:       Alexander Bluhm <bluhm () openbsd ! org>
Date:       2026-06-11 15:41:33

CVSROOT:	/cvs
Module name:	src
Changes by:	bluhm@cvs.openbsd.org	2026/06/11 09:41:33

Modified files:
	usr.sbin/syslogd: Makefile privsep.c syslogd.c syslogd.h 
	etc/rc.d       : syslogd 
Added files:
	usr.sbin/syslogd: Makefile.inc parent.c 
	usr.sbin/syslogd/parent: Makefile 
	usr.sbin/syslogd/syslogd: Makefile 

Log message:
Provide a separate executable file for syslogd parent.

Read more…

Random relinking at boot comes to httpd(8) and smtpd(8)

Contributed by Peter N. M. Hansteen on from the the joy of relinking dept.

Random order relinking of critical components is an OpenBSD feature specifically designed to make it harder to exploit bugs in the resulting binary. sshd(8) was the first of the network-facing daemons to get the random treatment (see this previous report).

Now in a series of commits that split one daemon (smptd(8)) into six separate binaries, Theo de Raadt (deraadt@) is bringing httpd(8) and smptd(8), both common in network facing configrations, into the random relink at boot fold.

httpd(8) was the first of the two:

Read more…

Donate!

Donate to OpenBSD

Features

We are constantly on the lookout for stories of how you put OpenBSD to work. Please submit any informative articles on how OpenBSD is helping your company.

OpenBSD Errata

Unofficial RSS feed of OpenBSD errata

OpenBSD 7.9

0032026-06-02 RELIABILITY In vmd(8), fix a variety of crashing bugs and misbehavior of -b flag.
0022026-06-02 RELIABILITY Fixes for a variety of crashing bugs in smtpd(8).
0012026-06-02 SECURITY Multiple vulnerabilites in the X server dri2, sync, saver and Xkb extensions.

OpenBSD 7.8

0392026-06-02 RELIABILITY In vmd(8), fix a variety of crashing bugs.
0382026-06-02 RELIABILITY Fixes for a variety of crashing bugs in smtpd(8).
0372026-06-02 SECURITY Multiple vulnerabilites in the X server dri2, sync, saver and Xkb extensions.
0362026-05-08 SECURITY In iked(8), address sizes were not checked.
0352026-05-08 RELIABILITY Due to insufficient checks in NFS server, the kernel could crash.
0342026-05-08 SECURITY libexpat uses more entropy to protect against hash flooding. CVE-2026-41080

XML/RSS/RDF

Users wishing RSS/RDF summary files of OpenBSD Journal can retrieve: RSS feed

Options are available.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]