Slashdot Mirror


OpenBSD Interview: Strengths, Tradeoffs And Plans

Duke of URL writes: "Boardwatch interviewed OpenBSD contributor Louis Bertrand. It's an excellent article about OpenBSD's niche and mission. They discussed the continued code audit, OpenSSH, and future version plans, including SMP development, ports rework, and continued integration of IPv6. Journalist Jeffrey Carl does a good job of pointing out OpenBSD's strengths and tradeoffs."

38 of 161 comments

  1. Re:It's UNICODE by spitzak · · Score: 2
    Uh, no, the character is not Unicode.

    The byte produced by MicroSoft word is actually in the range 0x80-0x9F. The real Unicode character would be greater than 0xFF. The official Unicode spec says these are the "C1 control characters". MicroSoft has actually invented non-standard meanings for these bytes, since it was much easier than supporting UTF-8 to get these symbols into their 8-bit programs.

    However I would not be too hard on MicroSoft, because:

    This "C1 reserved area" is an ancient back-compatibility hack to avoid accidentally producing control characters on systems that strip off the high bit. We should not be making stupid standards just for back-compatibility with obsolete equipment!

    MicroSoft has used these values to encode typographic symbols that real people really, really, want! They did not use them for more obscure letters. This encoding serves far more people than almost any of the Unicode pages.

    NetScape and Unix still stink when handling UTF-8. They just display question marks. At least MSoft displays a square box, and it even correctly displays all codes that are in the 0-0xff range or are in the Symbols character set.

    I very much recommend that the Linux/Unix/Unicode world swallow their pride and adopt the MicroSoft assignments for the characters in the range 0x80-0x9F as part of the Unicode standard, and that everybody (X and the console) fix their fonts to display these characters as soon as possible!!!

    I would complain though about MicroSoft's "smart" quotes. It changes apostrophe into a single-close quote character. This is wrong, they should leave it an apostrophe. This breaks all search engines and keywording of files! The text ``this isn't quoted'' should display as ?this isn't quoted' on NetScape, not ?this isn?t quoted?.

  2. Re:OpenBSD on the desktop by LizardKing · · Score: 2

    I have a dual boot machine with OpenBSD on the first drive and Linux on the second. This reflects our server setup - a combination of Linux database servers and OpenBSD webservers. As the connection to our ISP is awful and I'm only blessed with one development machine, I do all programming and testing on the one machine.

    I've found OpenBSD to be an excellent alternative to Linux. The install is quick - just follow the instructions carefully the first time - and the man pages are very good.

    As a reflection of OpenBSD's stripped down philosophy all I have installed above and beyond the core OS is:

    NEdit (statically linked against Lesstif)
    Gimp (development version and required libs)
    Blackbox window manager
    Netscape (the BSDI version - seems far more stable than on any other platform I've used it on)


    Chris Wareham

  3. Character set issue explained by Zombie · · Score: 2
    The encoding of the document isn't specified, so it's the default ISO-Latin-1. The quotation mark used throughout the document, however, is encoded as character code 146. According to this page on Latin-1 and Unicode in HTML, the 128-159 range is invalid. M$'s codepage 1252, however, embraces and extends the standard.

    Excerpt:

    All the CP1252 characters are also available in Unicode. For example the CP1252 character 146 that you mentioned (RIGHT SINGLE QUOTATION MARK) has the Unicode number 8217, therefore you should use this number in order to conform to the HTML standard. Modern HTML browsers like Netscape 4.0 understand Unicode, and will automatically convert the Unicode character ’ back into the character 146 on MS-Windows machines, and into the appropriate character on other systems.

    The funny thing is that this page actually renders properly on my Netscape for OS/2, the #1 victim of the embrace&extend strategy...
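
The two comments above (the CP1252 bytes in 0x80-0x9F and the character 146 to Unicode 8217 mapping) are easy to get wrong in practice. The following is an added worked example, not code from any poster or from the article: it uses Python's own cp1252 codec as the vendor table, shows which of the 32 positions are left undefined, and rewrites a byte string that was labelled ISO-8859-1 but contains Word-style bytes into HTML numeric character references, which is the fix the quoted excerpt recommends. The sample input is constructed.

```python
"""Windows-1252 bytes 0x80-0x9F versus ISO-8859-1/Unicode.

Given a byte string that was labelled ISO-8859-1 but actually contains CP1252
typographic bytes, rewrite those bytes as HTML numeric character references so
any Unicode-aware browser renders them, instead of the C1 control codes a
strict Latin-1 reader sees.
"""


def cp1252_to_unicode(byte_value):
    """Unicode code point for one CP1252 byte, or None where CP1252 leaves it undefined.

    Python's cp1252 codec carries the vendor table. Five positions (0x81, 0x8D,
    0x8F, 0x90, 0x9D) have no assignment and raise under strict decoding.
    """
    try:
        return ord(bytes([byte_value]).decode("cp1252"))
    except UnicodeDecodeError:
        return None


def c1_remap_table():
    """Map every byte of the C1 control range to its CP1252 meaning (None if undefined)."""
    return {b: cp1252_to_unicode(b) for b in range(0x80, 0xA0)}


def to_numeric_refs(raw):
    """Rewrite 0x80-0x9F bytes in `raw` as &#NNNN; references using the CP1252 meaning.

    Bytes outside that range mean the same thing in ISO-8859-1 and CP1252, so they
    pass through unchanged. Undefined CP1252 bytes become U+FFFD (&#65533;) rather
    than being dropped or emitted as raw C1 controls. This is not an HTML escaper:
    '&', '<' and '>' are passed through as they are.
    """
    out = []
    for b in raw:
        if 0x80 <= b <= 0x9F:
            cp = cp1252_to_unicode(b)
            out.append("&#%d;" % cp if cp is not None else "&#65533;")
        else:
            out.append(chr(b))
    return "".join(out)


# Constructed sample: a Word-style "smart" apostrophe (0x92), curly double quotes
# (0x93/0x94) and an en dash (0x96), as a CP1252-saved file would contain them.
SAMPLE = b"this isn\x92t quoted, \x93this is\x94 \x96 done"

if __name__ == "__main__":
    print(c1_remap_table()[0x92])   # 8217, RIGHT SINGLE QUOTATION MARK
    print(to_numeric_refs(SAMPLE))  # this isn&#8217;t quoted, &#8220;this is&#8221; &#8211; done
```

The point of keeping the undefined positions as an explicit None is that a converter which assumes all 32 bytes are printable will happily emit a control character into the page; treating them as U+FFFD makes the bad input visible instead of silently corrupting the output.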

  4. Re:personality conflicts by edhall · · Score: 2

    You posted this same article four times. Yet no matter how many times you say "FreeBSD is in very deep trouble," you say absolutely nothing to support that claim. In fact, the FreeBSD team seems in better shape than it has been in ages, and their latest release, 4.0, shows it. The NetBSD and OpenBSD groups both show more life and vigor than they have in a long time.

    It's all a bit like a dog who keeps returning to sniff his own vomit--both your SPAM-posting and this obsessive need you, like some others, seem to have to keep revisiting the whole Theo flame-fest. The whole incident is long in the past, but you just have to keep coming back to sniff at it. (Alas, this same behavior is shared by some of the BSD folks--including some of the participants--but fortunately many of them have been able to turn their differences into a positive force, creating useful technical distinctions and not just meaningless personal ones.)

    I suspect that your real motivation is contained in your need to see BSD as somehow "losing." Losing what? This is free software. OpenBSD, FreeBSD, and NetBSD aren't companies who must maintain market-share or go under--nor is Linux, for that matter. They aren't sports teams or rock bands. They don't need to cannibalize each other's user base to survive. They are all developed by teams that are actually quite a bit more stable and harmonious than most commercial software development teams (where the average developer lasts a bit over a year). They really don't need cheering sections, especially ones composed of gossips nattering away like old ladies over personalities.

    -Ed
  5. Re:personality conflicts by edhall · · Score: 2

    BSDI is an interesting case, given that they've just had a little encounter with the Open-Source freight train. Although I know it rankles many BSDI fans to hear it, I'm sure that more than one customer has been asking themselves why they should pay thousands of dollars for BSD/OS (or whatever BSDI is calling it these days) when they can get FreeBSD/NetBSD/OpenBSD for free? Well, they are now beginning the process of merging their system with FreeBSD and changing their business model to something more along the lines of a Red Hat. But even then, the fortunes and misfortunes of BSDI are only peripherally related to the success of BSD in general.

    The general trends are positive ones. Not only is there the BSDI/FreeBSD latchup, but sharing among the three free BSD's has been increasing, and although it might be a little while before it's reflected in marketing surveys, interest in BSD is on the rise (in part because of the Linux explosion, and in part because of the success of BSD users such as Yahoo!).

    Things might be grim in your little neck of the woods. But they look pretty bright in mine.

    -Ed
  6. Re:SU by psmith · · Score: 2
    From the su manpage in GNU shellutils:
    This program does not support a "wheel group" that restricts who can su to super-user accounts, because that can help fascist system administrators hold unwarranted power over other users.

    Myself, I tend to be one of the aforementioned fascists, so in the past I've installed a version of su that's wheel group-aware.

    Now, you can enable 'wheel group only' behavior with PAM.

  7. Re:security IS important if you're on the public n by Mullen · · Score: 2

    I hate to give you crap on this, as a sysadmin, I feel your pain, but....


    after about 2 yrs being on the net (public email/web/cgi/ssh/sql services being run), I was broken into 3 times. each time it costed me a lot of effort and pain. plus downtime. and even lost files ;-( ;-(


    It just sounds like you're using the wrong software. Linux is not the most Secure OS out of the box, but if you work with it, it can be very secure.

    One problem I notice is that people use the same crappy bug ridden buffer overflow software all the time. I am still amazed that anyone runs sendmail, wu-ftpd or bind (Well, bind is the only choice in DNS). How many exploits are there for just these three packages? Sendmail is the worst of all time.

    What people need to do is black list bad software. Get X amount of security problems in previous versions, use different software. I won't touch sendmail since it has such a poor history of security. So what do I use? qmail! Same story for wu-ftpd. I use proftpd (Yes, they had an overflow in a beta, but it was only for writeable directories) since it is pretty secure. And for bind? Well, I am waiting for the author of qmail to finish up his DNSd package so I can use that. Until then, I keep an eye open on the mailing lists for the next bind exploit.

    --
    Linux O Muerte!
  8. Re:BIND _NOT_ the only choice by Mullen · · Score: 2

    Ya, that is the one I was talking about. I just could not remember the name. Shame on me since I am such a qmail fan.

    --
    Linux O Muerte!
  9. Re:BIND _NOT_ the only choice by Mullen · · Score: 2

    I forgot to add in all of this, D.J. Bernsteins explanations of how things work are some of the best. Just check out the qmail documentation and the TinyDNS FAQ's on how things work. Its just nice to see someone make good quality software and documentation.

    --
    Linux O Muerte!
  10. Re:Bah by Mullen · · Score: 2

    Wow!

    What a bunch of children! I have always heard of the NetBSD breakup as being pretty petty, but this posting is quite clear on one thing. They need to grow up.

    I think this is why Linux is so hot. Just about everyone in the kernel development is pretty damn cool. Linus is a real 'net personality. In fact, I saw a long interview with him and his wife on Finnish TV and was quite impressed with how nice and down to earth he and his wife are. Alan Cox and the other major contributors also seem very nice. I have had email conversations with some of them and they seem to be down to earth people (Ya, I know it's email, everyone sounds like that).

    This may not sound like much; "Big deal, who cares if they are nice". When you're getting started into something you have never done before, you would like people to be a little friendly, even if they are not helpful. Sounds silly, but have you ever done something, in an area, where the people who also did it were assholes? Didn't think so.

    For example, I wanted to try out FreeBSD a couple of years ago, but all the FreeBSD people talked crap about Linux and Linux people. Everything was, "X is better in FreeBSD than X in Linux.", "Linux sucks...blah blah blah". Worst of all, they were plain ole' dickheads. That kept me from trying out FreeBSD for a couple years until I had to for work. Now I work in a FreeBSD shop, and now I like FreeBSD, I just hate FreeBSD people.

    --
    Linux O Muerte!
  11. Re:security IS important if you're on the public n by rangek · · Score: 2

    This is ridiculous. While I have no doubt at all that OpenBSD is a far more secure OS than Linux, I think the implication that you will be hacked if you are running Linux vs. OpenBSD is silly.

    I am responsible for a dozen Linux machines on the Internet (i.e., there is no firewall between us and the kiddies) and a couple of AIX boxes too. No sooner had our Linux boxes gone online than I had dozens of attacks each day. But by proper use of tcpwrappers and some commonsense security checks, we have yet to be broken into. As a matter of fact, I have found tcpwrappers to be quite a deterrent. Most people just give up and go away.

    Now I am sure that some determined bastard (or bitch) could take us out if they really wanted. And I am sure that their job would be much harder if we ran OpenBSD instead. But your inability to properly secure your boxes under Linux does not mean OpenBSD is the correct solution. Especially if you are wasting a processor in an OpenBSD box.

  12. Re:OpenBSD should be more recognized by Mr.+Piccolo · · Score: 2
    REAL old-school UNIX hackers don't use vi, they use ed. ed is the ORIGINAL, and still the standard, UNIX editor.

    Compared to ed, vi is Office2000.

    </PEDANTIC>

    --
    Congratulations, you have murdered Slashdot by bowing to corporate pressure and introducing subscriptions
  13. Re:OpenBSD goes overboard by coreybrenner · · Score: 2

    > Straight off, I get the message that this user is not in the appropriate group to su to root.

    That is a *feature*, not a bug. Next time, put your "normal" user in the "wheel" group. Then, you'll be able to su just fine.

    > I mean, how difficult would it be for the installer to list the services, (with all of them
    > off by default) and let you choose which ones to install?

    My first take on this is, "not hard". But, then I think a little deeper. If you do this, then a lot of clueless folks will do "enable everything", and you're back to square one. Best if you treat a Unix box like a Unix box, and learn what risks you take *before* opening yourself up to them.

    > Or even to ask what normal user accounts should be in the admin group?

    At install time, what "normal" user accounts does it know about? IIRC, it doesn't ask you to set up a normal user account - it assumes that you will know to do that (though it's been a good while since I've installed it - though I run it every day - so my memory may be Swiss cheese).

    --Corey

    --
    Not only will they not deserve liberty or safety, Mr. Franklin, they will be DENIED both!
  14. Re:Bah by JatTDB · · Score: 2

    Eh. Who cares?

    Quite simply, as long as the OpenBSD project stays true to its goals of a proactively secure open-source OS, I don't care if Theo eats children for breakfast and breaks the legs of people in nursing homes for fun. As long as it doesn't affect the code, I'm all for it.

    --
    "That's Tron. He fights for the Users."
  15. OpenBSD goes overboard by schatt · · Score: 2

    I recently downloaded and installed OpenBSD on one of my machines. While I'll be the first to admit that I didn't work as hard as I could have at it, it still seemed to me to be completely paranoid. For instance, on my own machines, the first thing I do is create my user account, and then finish the setup by suing from there to root. (part of my setup on machines is to compile/install the necessary services, and I like having the source code owned by me, so that I can look at it without being a privileged user). Straight off, I get the message that this user is not in the appropriate group to su to root.
    All in all, the machine seemed overly paranoid, and completely unworkable for a normal user.
    Reading the article, I discovered that I agree with most of their viewpoints (I think that limiting yourself to non-SMP because SMP hardware is more expensive is asinine - the power users are the ones most likely to need this kind of OS), but the hoops they make one jump to get a usable system are a pain. I mean, how difficult would it be for the installer to list the services, (with all of them off by default) and let you choose which ones to install? Or even to ask what normal user accounts should be in the admin group?
    Basically, I guess that I just want to say, I admire the idea behind their software, I just really don't like the way that they implemented it.

    1. Re:OpenBSD goes overboard by krh · · Score: 2

      Did you not read afterboot(8)? It covers just about everything you've asked.

      Anyhow - why the hell would you want to go through forty minutes of saying 'Yes, I want nfsiod enabled on boot' in the install, when a simple vi /etc/rc.conf will do it? Minimalism saves everyone a lot of time. I don't want some overly extensive GUI that asks 93,000 questions. I can do that myself.

      Please, read documentation before complaining about a product.

    2. Re:OpenBSD goes overboard by Frater+219 · · Score: 4

      FWIW, you can get a proper su (in Debian, at least) by installing the secure-su package.

    3. Re:OpenBSD goes overboard by Tim+Pierce · · Score: 4

      Straight off, I get the message that this user is not in the appropriate group to su to root.

      This is pretty common behavior on non-Linux machines and certainly did not originate with OpenBSD. In order to su root, you must be in the wheel group.

      Linux does not require this because it uses the GNU version of su, which is intended specifically not to have this requirement. Here is an explanation for this decision:

      Why GNU su does not support the wheel group (by Richard Stallman)

      Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn't know how to do that in Unix.)

      However, occasionally the rulers do tell someone. Under the usual su mechanism, once someone learns the root password who sympathizes with the ordinary users, he can tell the rest. The "wheel group" feature would make this impossible, and thus cement the power of the rulers.

      I'm on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.

  16. Re:Bah by El+Volio · · Score: 2
    When I saw the /. story blurb, I was a little excited, hoping that maybe they had been able to shed some more light (or at least new information) on the whole OpenSSH fiasco. Unfortunately, I was disappointed.

    Yes, I use OpenBSD because of its benefits. And I respect de Raadt's technical abilities. But his interpersonal skills leave a lot to be desired.

    In first grade, they called this "Does not play well with others".

    --

    "You can never have too many elephants on your team."

  17. Re:My experiences with OpenBSD by be-fan · · Score: 2

    How is this any different from Microsoft who blames all of Window's problems on the user fuqing up?

    --
    A deep unwavering belief is a sure sign you're missing something...
  18. Re:My experiences with OpenBSD by be-fan · · Score: 2

    I'm sorry, I can't give an exact reference and I don't have time to look now. But I remember a recent /. thread where there were references to MS blaming users for doing something wrong as a reason why NT was unstable. Weak evidence, I know, but if you look you can probably find something.

    --
    A deep unwavering belief is a sure sign you're missing something...
  19. Re:OpenBSD should be more recognized by ostiguy · · Score: 2

    I am barely out of the ranks of newbies, but the text based install for OpenBSD does the job very well if you take the time to read what it asks of you. Also, print out the main FAQ and install stuff, or have it up on a browser on a pc next to you.

    The partitioning took me a couple tries, but once I got that straightened out, I was happy with it. Once I got OpenBSD up, I had KDE up very quickly via their (limited compared to FreeBSD) ports collection.

    Later that summer, I figured since this was a laptop, I ought to have the more populist FreeBSD installed so I would have increased access to ready made ports. Well, I had a helluva time getting KDE and XFree going on this Thinkpad, so from my history, I think the OpenBSD install is cleaner than FreeBSD's.

    I still have FreeBSD on my laptop, and am running an OpenBSD box doing NAT at home. I really love the clean design of OpenBSD on servers: what's there is probably there because everyone uses it, but you are going to have to learn to activate it (sendmail as a daemon, for example) so you don't leave yourself wide open.

    matt

  20. Re:SU by nuggz · · Score: 2

    Wheel group only: this isn't a major issue, you could
    1. patch it
    2. use the OpenBSD su, or other similar su
    3. chmod o-x /bin/su ; chgrp wheel /bin/su

    Option 3 is what I use for /dev/dsp on my linux box, works pretty nicely.

    There IS more than one way to do it.
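
Option 3 above works because of how the kernel picks which permission class applies to a caller, and it is worth seeing that logic spelled out. The following is an added example, not code from the poster or from any of the BSD projects: `may_execute` reproduces the owner/group/other decision (root's bypass is deliberately left out), and `restrict_exec_to_group` applies the same `chgrp` plus `chmod o-x` change to a throwaway file so the resulting bits can be inspected without touching /bin/su. The gid 0 for wheel and the use of the caller's own primary group in `demo` are assumptions made for the example.

```python
"""Restrict execution of a setuid binary to one group, the `chmod o-x; chgrp wheel`
approach, and show why the permission bits give a wheel-only result."""
import os
import stat
import tempfile

WHEEL_GID = 0        # assumption for the example: 'wheel' is gid 0 on the BSDs
SU_OWNER_UID = 0     # /bin/su is owned by root
SU_MODE_BEFORE = 0o4755   # setuid root, executable by everyone
SU_MODE_AFTER = 0o4754    # same file after `chmod o-x`: setuid kept, other-execute cleared


def may_execute(mode, file_uid, file_gid, uid, groups):
    """Unix execute check in the kernel's order: owner class, then group class, then other.

    The class is chosen by identity, not by whichever bit happens to be set, so a
    non-owner who is outside the file's group is judged on the 'other' bits alone.
    Root's bypass of this check is not modelled here.
    """
    if uid == file_uid:
        return bool(mode & stat.S_IXUSR)
    if file_gid in groups:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def restrict_exec_to_group(path, gid):
    """Equivalent of `chgrp <gid> path; chmod o-x path`; returns the new permission bits.

    Only the other-execute bit is cleared, so the setuid bit and the owner/group
    bits survive: a setuid-root su stays setuid, but only group members can run it.
    """
    os.chown(path, -1, gid)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~stat.S_IXOTH)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Apply the restriction to a temporary file owned by the current user.

    Assumption: the caller's own primary group stands in for wheel, so no root
    privilege is needed (chowning a file you own to a group you belong to is allowed).
    """
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o755)
        return restrict_exec_to_group(path, os.getgid())  # 0o754
    finally:
        os.unlink(path)


if __name__ == "__main__":
    member = {1000, WHEEL_GID}      # constructed: a user who is in wheel
    outsider = {1001}               # constructed: a user who is not
    print(may_execute(SU_MODE_AFTER, SU_OWNER_UID, WHEEL_GID, 1000, member))    # True
    print(may_execute(SU_MODE_AFTER, SU_OWNER_UID, WHEEL_GID, 1001, outsider))  # False
    print(oct(demo()))                                                            # 0o754
```

Note that the check is on group membership at exec time: anyone added to the group later can run su immediately, and the binary itself needs no patching, which is what makes this the cheapest of the three options.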

  21. Re:OpenBSD should be more recognized by Dahan · · Score: 2
    Which one is used less? I think I'll go with the one that is used less, that way there is less support, and I won't have to listen to all the newbie complaints of "how do I do this?"

    Definitely NetBSD/pc532 :) Good luck finding a machine to run it on; less than 200 boards were made.

  22. Re:Yo by Keith+Maniac · · Score: 2

    Manual pages just aren't enough.

    They can be, when they're good. For cases when they aren't the OpenBSD FAQ and the mailing list archive will solve nearly any problem.

    And, they're all located at one place: http://www.openbsd.org

    The HOWTO's aren't supplementary anymore, they are *standard* documentation.
    Only when "standard" means often outdated, scattered across a thousand websites, and lacking real detail on anything but the common case.

    OpenBSD docs used to be spotty, but they made a real effort to bring them up to speed, and keep them there.

    The Linux community has yet to make this effort.

  23. Re:security IS important if you're on the public n by TheGratefulNet · · Score: 2
    I think I was hacked due to bind. I was running the latest version (8.mumble) and lo and behold, I found traces (probably very intentional) of a breakin. there was a subdir under /var/named. harumph!

    with openbsd, named runs as NON ROOT so I don't really have to worry much.

    --
    "It is now safe to switch off your computer."
  24. Re:security IS important if you're on the public n by TheGratefulNet · · Score: 2
    I am NOT a prominent site (it's my dsl end-system with just my own personal stuff on it; demos of work that I did, etc).

    yet I was hacked thrice. not sure what gives, but I just got tired of it.

    not saying that linux is a Kiddie magnet - but if they portscan and find linux-like environments, they're more likely to hack it since linux is one of the most INSECURE unix's out there (IMHO, of course).

    all I can say at this point is: if you run linux and don't religiously follow the *security* groups (most folks don't have that kind of spare time), then you ARE at risk. same with freebsd, too; I don't think it's all that much more secure than linux.

    --
    "It is now safe to switch off your computer."
  25. Linux security resources by Brian+Knotts · · Score: 3
    I'd just like to add to what others have said. Linux, just like any operating system, takes a bit of work to make *and keep* secure. But there are some excellent tools at your disposal:

    Secure-Linux is a Linux kernel patch that adds nifty security features, which eliminates many, if not most, buffer overflow attacks. I tested this with one of the ProFTPd exploits, and indeed, the exploit failed against a known vulnerable version of ProFTPd. Without the patch, the exploit worked.

    Psionic PortSentry detects and responds to port scans in real time. It works with other Unixes as well.

    With these tools, the standard ipchains stuff, and a willingness to not run *every* daemon under the sun, you can have a reasonably secure Linux box.

    Also, to throw those k1dd13z for an extra loop, put all this on linuxppc. Let 'em chew on that for a while...

    New XFMail home page

    /bin/tcsh: Try it; you'll like it.

  26. Why hasn't someone done a secure linux? by Amphigory · · Score: 3
    I looked a couple of weeks ago, and was unable to find anyone who had done a secure linux distro. Why would I rather have Linux?
    • Faster. OpenBSD is slow on my boxes.
    • Better hardware support.
    • SMP
    • Better commercial app support.
    • Generally, easier install.
    There are a couple of pages out there that describe products, but no downloadable distros. This sounds to me like a great market for someone to "do a mandrake" in.

    --
    -- Slashdot sucks.
  27. Install isn't as bad as you make it out to be. by Dast · · Score: 3

    I just installed it tonight for the first time. The disk setup was a tad cryptic, but the documentation rocks, as long as you know what to look for. It was so clear I almost wanted to cry.

    (BTW, where are the preconfigured firewall and gateway scripts installed by default?)

    But I agree the article wasn't really that great.

    --

    This sig is false.

  28. OpenBSD should be more recognized by linuxonceleron · · Score: 3
    I've been looking into OpenBSD for a while to replace Linux on my firewall, and it seems like it's much better suited for the job. Many people overlook the *BSDs, but Linux has become too mainstream for my tastes :). I should be putting OpenBSD 2.6(+?) on my IP Masq box over spring break...btw a good book on using OpenBSD for this stuff is Configuring Linux and OpenBSD Firewalls, it's like $35

    --

    Shine on, you crazy diamond.
  29. Re:You missed the main point of OpenBSD by Anony+Mouse · · Score: 3
    And exactly how big of a problem is Linux's source code, or any of RedHat 6.X's services source? Obviously not as bad as some of you make it out to be. How many times a week do you hear of people's boxes being rooted b/c somebody read Linux's source code, found a hole, and exploited a machine? Not everyone is as eleet as you and reads source code and finds buffer overflows in services(sarcasm) nightly.

    First of all, relax. There's no need to be so defensive. Nobody's saying that your favorite OS sucks! :) A compliment for OpenBSD is not (necessarily) a criticism of Linux.

    Services like sendmail and apache have been around for a LONG time, and many vulnerabilities have been discovered, and fixed. If you are paranoid, use the oldest version that doesn't have known vulnerabilities.

    So, umm, this sounds like words of support for OpenBSD, because that's what OpenBSD does by default (do any Linux distributions take this approach?). It would be *a lot* of trouble to go around downgrading all of the critical network daemons on a Linux distribution to get it secured down (not to mention the time spent finding the last "secure" version of those daemons). Just because someone hasn't broken into a system yet, does not mean that the system is secure! ;)

    They (OS service developers) don't brag about formal 'line-by-line' audits of their software, but just because they don't have 'audits' doesn't mean that they lag behind on security.

    Yes, it pretty much does. What you don't look for, you probably won't find. ;) For software of any significant size and complexity, unless you actively look for security holes (or bugs in general), chances are they exist. That said, it doesn't mean that Linux is grossly insecure, but it does lag behind OpenBSD in the security arena a bit.

    What mail service comes with OpenBSD? Surely they write their own, b/c Sendmail doesn't have 'security audits' of their code.

    OpenBSD 2.5 and FreeBSD 3.2 (the two distributions that I happen to have in front of me at the moment, which also happen to have been released around the same time) both shipped with the exact same version of sendmail (8.9.3). The difference? On FreeBSD, sendmail is enabled by default (as I assume it is on most Linux distributions as well, but it has been a long while since I have administered one of those, so I can't speak for any of them).

    On OpenBSD (/etc/rc.conf):
    sendmail_flags=NO

    On FreeBSD (/etc/defaults/rc.conf):
    sendmail_enable="YES"

    (actually, a quick diff of the source files shows that they are not exactly the same -- looks like some extra type casting and bounds checking has been added)

    Don't get me wrong here, I love FreeBSD (and Linux), but this illustrates the point that Louis Bertrand is trying to make: if I had no knowledge of the security issues surrounding sendmail, the default would be for my OpenBSD system to be "secure" (in that regard) and my FreeBSD system to be potentially less so. I have plenty of other things to worry about than how secure every single network daemon on my system might be, and there is some comfort in knowing that the OpenBSD folks have already done a lot of that work.

    -- Anony Mouse

    p.s.
    http://www.securityfocus.com/vdb/bottom.html?section=exploit&vid=1006
    http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=1078

    --
    # echo 'SboPshAeaM@rSicPocAheMt.SnePt' | sed -e 's/[SPAM]//g'
  30. Open BSD is our choice by 348 · · Score: 3

    OpenBSD is absolutely the choice for me. Sure it has some problems, any SW product will. But with OpenBSD I get a relatively secure environment right from day one. I don't need to have our admins spend weeks implementing bolt-ons to make the environment fairly bulletproof. The only disappointment I have using OpenBSD is that it is very basic. However that is one of the things that our admins love about it. Less bells and whistles means less stuff to break.

    --

    More race stuff in one place,
    than any one place on the net.

  31. security IS important if you're on the public net by TheGratefulNet · · Score: 3
    I just got tired of my linux box being hacked and broken into ;-(

    after about 2 yrs being on the net (public email/web/cgi/ssh/sql services being run), I was broken into 3 times. each time it costed me a lot of effort and pain. plus downtime. and even lost files ;-( ;-(

    so I decided to give openbsd a try. so far, it's doing what I need it to. I'm wasting a dual BX board on openbsd (it does not have SMP like linux does; which is what my previous o/s was) but I'll exchange computes for secure computes any day.

    the way I see it is: if you're inside a protected region (inside the company firewall where there are no 'bad' people to screw you over) then linux on the desktop seems to rule for me. but for any kind of public box, the Kiddies all know about linux and its weaknesses. I'm not sure they know much about openbsd. and even if they did know about it, there's few (if any) open holes they could crawl thru.

    today, I'm being ultra paranoid. I'm not running cgi's anymore, no networked sql, and I even dumped sendmail for qmail. so on my site, it's qmail and ssh - THAT'S IT.

    only time will tell - but I feel much better already, knowing that there has been a controlled audit of the openbsd code.

    --
    "It is now safe to switch off your computer."
  32. Are you good enough to be a security admin? by Skapare · · Score: 4

    Are you good enough to be a security admin?

    Part of the problem is too many people just installing some packaged software, which they picked for reasons related to how many other clueless people picked it, and they expect it to be rock solid secure as installed without any configuration or tuning. They also expect top notch performance.

    If you want security, then you have to understand security, or you have to get something that is guaranteed to be secure right from the box, or hire someone who knows security (and please, no whining about lack of technical people when technical people are still looking for decent jobs where their employers respect their skills). OpenBSD probably is the most secure system available right now, as installed, although even I would not trust it without looking under the hood.

    A system/network security expert can make most systems secure (even NT if enough information can be had). Businesses have to commit to the attitude of security and trust a security expert to set it up for them. If you can't trust someone, then you better pull the plug on that internet connection right now (and probably also fire all your employees).

    --
    now we need to go OSS in diesel cars
  33. Ugh... by pb · · Score: 5
    Why do people have to mangle the charset on these pages? It's almost unreadable in Solaris, with all those "?"'s littering it.

    It's good to see something like this in an interview, though:

    Unless security is your primary consideration, you probably aren't going to use OpenBSD for all of your Unix servers. Linux, FreeBSD and NetBSD all excel in various areas where OpenBSD does not. However, OpenBSD certainly has its place, and should be part of any network administrator's toolkit. For your most security-sensitive tasks, OpenBSD is very likely to be "the right tool for the right job."

    Many Linux distros are great for a catch-all, newbie-friendly OS, whereas most BSD's (I've heard, I haven't used any of them extensively) feel more like a traditional Unix out-of-the-box.

    (*please*, no "*BSD is Unix, Linux is not blah blah blah" comments. Because they're free, they both have *no* official "Unix" code, it was taken out of *BSD, and was never in Linux, but they share the same kernel interface, which is good enough for me)

    For a Linux alternative, use FreeBSD. For other platforms, use NetBSD. If you like the way Linux does things, use Linux. Need security? Run OpenBSD. Want media/SMP goodies and a pretty interface? Get BeOS. etc., etc., etc.

    They all have their niches, and *advocacy* involves recognizing that, and using the tool that's right for the job. So it's good to see some real BSD advocacy.
    ---
    pb Reply or e-mail; don't vaguely moderate.
  34. This article really doesn't touch on strengths.. by Blue+Lang · · Score: 5

    or weaknesses of OpenBSD.

    I installed it for the first time about 3 weeks ago, and I can't believe how much I love it. (I use linux as my workstation, and work on AIX, Solaris, etc.)

    Everyone talks a lot about how secure it is, but that doesn't help anyone who actually wants to USE it. If you're wondering how usable it is, the answer is, "very!"

    I would say its strengths, as far as a server OS, are:

    1) Tiny, tiny footprint. Full server install w/out X windows is like 100 MB.

    2) Nice, full man pages.

    3) It comes with a ton of preconfigured firewall and gateway scripts, along with a ton of info on what they do.

    4) It, by default, emails you every day with info on what's going on on your system. This is the type of thing most sysadmins spend their first four or five months writing for Slowaris/AIX/etc.

    5) It has GREAT networking support. Tunnels, VPN, etc, etc are right there ready to rock from the word 'go.'

    6) It really does only run a tiny set of services on startup. I think it starts with like, 6 processes, by default. That's a very nice base from which to build.

    7) Ports rock my little world. They make life very, very nice.

    On the downside:

    1) The install is amazingly terrifying the first few times. If you don't know what partitions are, if you don't understand hard drive geometry, don't even bother with OBSD. Get FreeBSD and install it a few times first. It follows the same concepts, and has a more clear explanation of what's going on.

    2) The filesystem sucks raw ass. Even mounted noatime and.. whatever else the other mount option is to make things faster.. :P .. it's slow as hell.

    That's pretty much the only bad things I'd say about it. I _love_ it as a firewall OS, and I might use it as a web server or something.. The FS performance scares me.

    All in all, the article was lame, as far as explaining why anyone would use OBSD. :P

    --
    blue

    --
    i browse at -1 because they're funnier than you are.
  35. My experiences with OpenBSD by pkj · · Score: 5
    First off, let me state that I am an OS slut. I've done my stint with Solaris, Irix, FreeBSD and for the past two years Linux. (And I even develop a fair bit of software that gets deployed under 'doze, but we don't need to talk about that.) All have their strengths and weaknesses, and I'm not terribly partial to any of them.

    I have been meaning to play with OpenBSD for quite some time now, and finally decided to deploy it on my gateway/firewall which had been running RedHat 5.2 for the past two years. From all that I had read, this seemed to be the perfect application of OpenBSD. The install went very smoothly and I was very impressed by the installation/sysadmin documentation available on the openbsd web site. The only install problem was my 2gig SCSI disk, of which only 1 gig was recognized. This was no big deal, as 1 gig was plenty, but this is apparently a known limitation of OpenBSD and some drives/BIOSs.

    The first thing I noticed was that the openbsd firewall code is lacking all the plug-ins for mangling complicated protocols like irc, realaudio, quake, etc. Even the use of non-passive ftp required the use of a proxy. This wasn't a big deal for me since I don't use any of these, but I know that many linux users would see this as a big problem.

    A day or so after my install, I noticed that throughput on my cable modem was just really sucking to some sites, and I could not connect to others at all. I figured this was a problem with the cable service, which has actually been quite good for me. After jacking my laptop directly into the cable box, I realized that there was nothing wrong with my net connection and that the openbsd machine was fubaring the connections.

    No problem, I'll post to the openbsd mailing list and see what the problem is. I got several replies that I must have something configured improperly. No, said I, the system is virtually stock, and I get excellent throughput to most sites. After much bitching, someone eventually notified me that the NE2000 device driver had known problems. So I replaced the cards with 3c509s (don't laugh, it's all I had on hand) and most of my problems went away. Thanks guys, if you had *told* me the driver was buggy, I could have saved myself a few days of headaches.

    I say *most* of my problems, because I had very similar problems with the 3c509 cards, although they were not nearly as bad. Eventually, I was able to get someone to admit to the fact that the 3c509 driver was buggy as well.

    Needless to say, at this point I was quite pissed as I had lost several days of work debugging and swapping hardware. I don't mind the fact that there are bugs in free software, but what really pissed me off was the fact that (1) the cards were listed as being supported (2) there was absolutely no indication of problems with the drivers for these cards in any of the documentation when in fact they had been reported by many people before me and (3) the attitude of the people on the openbsd mailing list who outright assumed that because things were not working that I had done something wrong.

    I'm sorry, but it was a terribly souring experience for me, and I am not likely to go back any time soon. In all fairness, however, I must say that openbsd performed flawlessly for 2-3 weeks aside from the problems I had with device drivers. In mentioning this to other people, I almost always got the response, "Yeah, the openbsd drivers suck." Perhaps I was just terribly unlucky. Who knows...

    As an addendum, I switched back to Linux and my machine has been very happy ever since. There's a lot of stuff I don't like about Linux (design and implementation) but I really must concede that things Just Work(TM) a remarkably large percentage of the time. And perhaps more importantly, I have been much more impressed by the attitudes and helpfulness of people in the Linux community. I don't always get the right answer to questions I post, but I usually get enough to be helpful...

    And finally, to the Openbsd people who happen to stumble across this message, I do hope that you will take my comments as constructive criticism, for that is how they are intended.

    -p.