OpenBSD Journal

What security does a default OpenBSD installation offer? (by solene@)

Contributed by Peter N. M. Hansteen on from the no fault default dept.

In a recent blog post, OpenBSD developer Solène Rapenne (solene@) gives an overview of the security features a default OpenBSD installation offers.

The first paragraph of the introduction reads,

In this text I will explain what makes OpenBSD secure by default when you install it. Do not take this for a security analysis, but more like a guide to help you understand what is done by OpenBSD to have a secure environment. The purpose of this text is not to compare OpenBSD to other OSes but to say what you can honestly expect from OpenBSD.

A worthy reminder of how the system works, and a very handy piece to show to anybody who wonders why one would choose to use OpenBSD over anything else. You can read the whole thing here.

dhcpleased(8) - DHCP client daemon

Contributed by rueda on from the we-are-pleased-too dept.

With the following commit, Florian Obser (florian@) imported dhcpleased(8), a DHCP daemon to acquire IPv4 address leases from servers, plus dhcpleasectl(8), a utility to control the daemon:

CVSROOT:	/cvs
Module name:	src
Changes by:	florian@cvs.openbsd.org	2021/02/26 09:16:37

Added files:
	sbin/dhcpleased: Makefile bpf.c bpf.h checksum.c checksum.h 
	                 control.c control.h dhcpleased.8 dhcpleased.c 
	                 dhcpleased.h engine.c engine.h frontend.c 
	                 frontend.h log.c log.h 
	usr.sbin/dhcpleasectl: Makefile dhcpleasectl.8 dhcpleasectl.c 
	                       parser.c parser.h 

Log message:
Import dhcpleased(8) - a dhcp daemon to acquire IPv4 address leases
from servers.

resolvd(8) - daemon to handle nameserver configuration

Contributed by rueda on from the where do names come from dept.

With the following commit, Florian Obser (florian@) imported resolvd(8), a daemon for handling nameserver configuration:

CVSROOT:	/cvs
Module name:	src
Changes by:	florian@cvs.openbsd.org	2021/02/24 11:10:41

Added files:
	sbin/resolvd   : Makefile resolvd.8 resolvd.c 

Log message:
Import resolvd(8), a daemon to rewrite resolv.conf.
prodding deraadt

Since the initial import, resolvd(8) has seen:

  1. some significant reworking
  2. improvements to the man page
  3. linking to the build

OpenBSD booting multi-user on Apple M1

Contributed by rueda on from the seM1-opened dept.

Mark Kettenis (kettenis@) is teasing OpenBSD booting multi-user on Apple M1 hardware:

So OpenBSD boots multi-user on the new Apple M1 hardware.  This still
has some hacks in it that need to be fixed, so don't expect support
for this in the tree right now.  But a big thank you to those that
contributed to the pool for getting us some hardware.

[…]

See the full post for the dmesg.

Congratulations to all those involved!

Catchup 2021-02-13

Contributed by rueda on from the Puffyish kernel churn dept.

Recent noteworthy things committed to -current and not previously reported include:

  • [2021-01-26] Patrick Wildt (patrick@) continues work [with help from Mark Kettenis (kettenis@)] on supporting the Apple M1.
  • [2021-02-06] Solène Rapenne (solene@) blogged about using 2FA with TOTP.
  • [2021-02-08] Stefan Sperling (stsp@) added a RAID1C (raid1 + crypto) softraid(8) discipline.
  • [2021-02-09] Patrick Wildt (patrick@) added lldb(1) (for amd64 and arm64 platforms).
  • [2021-02-09] Jan Klemkow (jan@) removed the maxburst feature from tcp_output.
  • [2021-02-09] Patrick Wildt (patrick@) activated PF_LOCK().
  • [2021-02-10] Vitaliy Makkoveev (mvs@) moved UNIX domain sockets out of the kernel lock.
  • [2021-02-11] Jonathan Gray (jsg@) upgraded libdrm to version 2.4.104, with changes to the relevant devices (see FAQ).
  • [2021-02-12] Otto Moerbeek (otto@) has requested testing/review of a patch enhancing malloc(3) "junking".

All in all, this looks promising for the upcoming OpenBSD 6.9 release!

BREAKING pf(4) change: change route-to so it sends packets to IPs instead of interfaces.

Contributed by Peter N. M. Hansteen on from the route me up before you go-go dept.

Does your pf configuration have route-to rules? If so, you need to consider the implications of this commit by David Gwynne (dlg@) carefully.

CVSROOT:	/cvs
Module name:	src
Changes by:	dlg@cvs.openbsd.org	2021/01/31 17:31:05

Modified files:
	sbin/pfctl     : parse.y pfctl_parser.c 
	share/man/man5 : pf.conf.5 
	sys/net        : if_pfsync.c pf.c pfvar.h 

Log message:
change route-to so it sends packets to IPs instead of interfaces.

this is a significant (and breaking) reworking of the policy based
routing that pf can do. the intention is to make it as easy as
nat/rdr to use, and more robust when it's operating.

This change is intended to make configuration and maintenance easier, but it runs a high risk of breaking existing configurations. Read on for the rest of David's commit message, with some background.

OpenBSD KDE Status Report

Contributed by Rafael Sadowski on from the Vitamin K injections dept.

OpenBSD has managed to drop KDE3 and KDE4 in the 6.8 -> 6.9 release cycle. That makes me very happy because it was a big piece of work and long discussions. This of course brings questions: Kde Plasma 5 package missing.

After half a year of work, I managed to successfully update the Qt5 stack to the last LTS version 5.15.2. On the whole, the most work was updating QtWebengine. What a monster! With my CPU power at home, I can build it 1-2 times a day which makes testing a little bit annoying and time intensive.

But today we can be happy about an up-to-date KDE stack in OpenBSD. Currently - at the end of January - our stack is very up-to-date:

  • Qt 5.15.2
  • Qt Creator 4.14.0
  • KDE Frameworks 5.78.0
  • KDE Applications 20.12.1 (Almost everything!)
  • Kdevelop 5.6.1
  • Krita 4.4.2
  • KMyMoney 5.1.1
  • DigiKam 7.1.0

I try to keep KDE Applications 20.12.x stable until the 6.9 release.

Let's move on to the topic of KDE Plasma. The Plasma desktop and some other KDE applications have a strong dependence on Wayland. As long as there is no Wayland under OpenBSD, there will also be no KDE Plasma.

It can be observed that more and more KDE applications already prefer a strong dependency on Wayland. For example Spectacle.

In summary, no OpenBSD Wayland support, no KDE Plasma, and probably less and less KDE applications.

OpenBSD Errata

OpenBSD 6.8

No.  Date        Type         Description
014  2021-02-24  SECURITY     A sequence of overlapping IPv4 fragments could crash the kernel in pf due to an assertion.
013  2021-02-03  RELIABILITY  Various interoperability issues and memory leaks were discovered in libcrypto and libssl.
012  2021-01-13  RELIABILITY  Use of bpf(4) on a carp interface could result in a use after free.
011  2021-01-11  RELIABILITY  When an NDP entry is invalidated the associated layer 2 address is not invalidated.
010  2020-12-24  RELIABILITY  smtpd's filter state machine can prematurely release resources leading to a crash.
009  2020-12-08  RELIABILITY  Process exit in multithreaded programs could result in the wrong exit code being reported.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]