Contributed by jolan on from the one-article-to-cover-them-all dept.
"The superb documentation available in the BSD community tends to make people who ask questions that are easily answered very unpopular. It is common for a question posted about a BSD system to be answered with a one-line reply instructing the asker to read the manual, This is good advice; the answer is usually there."
Quite a positive spin on the typical misc@ behavior, eh?
(Comments are closed)
By Anonymous Coward (202.6.138.33) on
The OpenBSD version of Apache, for example, runs in a chroot jail by default, so attackers who compromise Apache cannot do anything other than break the web server—they can’t even modify the contents of the web site on disk.
And where is the contents of the web site, if not in the jail (disregarding database contents)?Comments
By ptomli (82.152.46.31) on
Comments
By Anonymous Coward (67.140.135.200) on
Comments
By Anonymous Coward (165.254.210.2) on
Comments
By Amir Mesry (63.144.61.175) on
By Clay Dowling (12.37.120.99) clay@lazarusid.com on http://www.ceamus.com
That in fact is one of my favorite things about OpenBSD. If I do something dicey in my code, it's more likely to crash than let me skate. I consider this a huge advantage.
By Anonymous Coward (202.6.138.33) on
Comments
By ptomli (82.152.46.31) on
man 8 httpd
"As a result of the default secure behaviour, httpd cannot access any objects outside ``ServerRoot'' - this security measure is taken in case httpd is compromised."
So even if someone manages to break httpd, not only can they not alter the contents of the sites served by httpd, but neither can they access anything else on the system. With non-chroot installations, this would allow a compromised httpd to read files outside ServerRoot, say /etc/passwd, /etc/fstab, /etc/rc.conf*
Comments
By Anonymous Coward (66.11.66.41) on
Comments
By ptomli (82.152.46.31) on
I think you didn't understand the quotation as it was intended to be understood in its original context. The bold in the quotation from the article was not placed there by me.
The emphasis below, which I did add, is probably more relevent to chroot than that of the original AC.
The OpenBSD version of Apache, for example, runs in a chroot jail by default, so attackers who compromise Apache cannot do anything other than break the web server—they can’t even modify the contents of the web site on disk.
chrooting httpd doesn't add anything with respect to the httpd process not being able to alter content within ServerRoot, but it does add greatly to reducing the risk to the system should httpd be compromised.
Comments
By ptomli (82.152.46.31) on
On second thoughts, chrooting httpd probably does add to the security of a httpd not being able to write to its ServerRoot.
If httpd has access to suid <some-user> executables outside of ServerRoot then there is increased risk that those suid executables may be compromised and used to, among other things, alter the contents of ServerRoot.
By Anonymous Coward (202.45.99.224) on
By No word about DragonflyBSD? (212.129.63.1) on http://www.00f.net
Comments
By Christian Kellermann (153.96.175.185) on
By Anonymous Coward (68.106.232.57) on
I get that they have some major changes in their tree, but is DragonFlyBSD really so differentiable from FreeBSD at this point as OpenBSD is, or NetBSD?
And what if a project forks from DragonFlyBSD; now we suddenly have to consider UsedToBeDragonFlyButNowWereNotBSD another unique member of the BSD family?
I hear there's an opening for Yet Another Linux distro. 300+ isn't enough there. Maybe the BSDs should set a similarly high goal.
Comments
By sthen (81.168.66.229) on
I think so. They're going in quite a different direction to other BSDs - it's definitely a lot more than just an 'updated FreeBSD 4' as it might appear at first glance if you install it and take a quick look at the system.
By Anonymous Coward (142.166.105.108) on
Comments
By Anonymous Coward (165.254.210.2) on
By Anonymous Coward (213.196.249.198) on
Comments
By Anonymous Coward (66.11.66.41) on
Comments
By Anonymous Coward (212.234.204.97) on