OpenBSD 3.2 Readies For Release, pf Matures

An anonymous reader writes "Just over a year ago, OpenBSD creator Theo de Raadt ripped ipfilter out of the OpenBSD code leaving "the world's most secure OS" temporarily without a packet filter. Here's an interesting interview with Daniel Hartmeier, author of pf, the stateful packet filter developed as a replacement. Now just over a year old, it sounds like pf has already become a serious contendor in the world of stateful packet filtering. This interview is of particular relevance with OpenBSD 3.2 to be released on Friday, 11/1."

so is there a packet filter or not?

[meshko]

Is it me, or is this story confusing? They took ipfilter out, but there is pf, so how is it without packet filter?
And what's up with that "the most secure os" sarcasm? OpenBSD *is* secure.

Re:so is there a packet filter or not?

[aridhol]

When they took ipfilter out, OpenBSD didn't have a packet filter. In order to address this issue, pf was written. After pf was written, OpenBSD had a packet filter. There was a time, after ipfilter was removed, but before pf was added, that OpenBSD didn't have a packet filter.

Re:so is there a packet filter or not?

[a+(+h+3+r+0+n]

The reasons for ripping IPF out of OpenBSD are documented elsewhere, but what it basically boils down to is a licensing issue. Darren Reed, author of IPF, changed its license to something incompatible with the stated goals of OpenBSD, so it was removed. Daniel (incredibly) came up with a replacement in record time. The 3.2 release boasts a lot of things, besides improvements to PF. These includes things like a nonexec stack, a chrooted apache, a reduction in the number of setuid binaries, and more 'secure' filesystem mount options by default. Theres no sarcasm implied, I'm sure. OpenBSD truly IS among the most secure operating systems in the world.

Re:so is there a packet filter or not?

[jbolden]

OpenBSD truly IS among the most secure operating systems in the world.

I think its probably fairer to say something like, "OpenBSD truly IS among the most secure Unixes in the world". There are fundamental security flaws with Unixes that run very deep which prevent it from being really really secure. Look at an OS like Z-OS or Eros to see how much further security can go when you break from Unix security flaws like:

- The existence of a filesystem
- Having any individual have much real authority over the system ....

Re:so is there a packet filter or not?

[Trusty+Penfold]

you break from Unix security flaws like:
- The existence of a filesystem
- Having any individual have much real authority over the system ....

That sounds really bloody useful ... I can't do anything with my computer; and even if I could there's nothing I could do it to.

If you don't mind, I'm off to assert my authority over some files now ( TieMeUp.Jpg doesn't know what is has coming!)

Re:so is there a packet filter or not?

[jbolden]

A lot of very high end stuff runs on systems with distributed administration (like most of America's transaction processing, accounting, etc...) Back in the late 70's - early 80's capability systems were a huge percentage of the market.

You don't need a file system to have data -- for an example you are likely familiar with think of palm OS. Data is just stored in internal program specific data structures and "swapped" out of ram to disk. The important thing is that the disk is just a bunch of sectors with a zillion different data formats; but to understand the organization of the date requires running the system which imposes the security model...

Re:so is there a packet filter or not?

only the -current development branch was lacking a packet filter. obviously the stable branch and existing installations still had a functioning packet filter implementation. also note that ipf patches were made against OpenBSD CVS after theo pulled it, provoking a somewhat amusing debate on misc@.

Re:so is there a packet filter or not?

no, there was not. OpenBSD 2.9 included ipf as the packet filter. OpenBSD 3.0 and 3.1 included pf and lacked ipf.

Re:so is there a packet filter or not?

at the other end of this envelope is Bell Labs' Plan 9 which carries the UNIX principle that states "everything is a file" to the logical extreme while distributing privileges sanely, unlike UNIX with its all-powerful root. apparently this system runs a significant portion of the telephone systems in the US, at least. the design principles are sound, anyway; witness Sun's Trusted Solaris and the DARPA-funded TrustedBSD project.

Re:so is there a packet filter or not?

Basically the license said that if you applied security patches to ipfilter and openbsd that it gave the author of ipfilter permission to install any software he wants on your computer and to take control of any media you may have (DRM)

Re:so is there a packet filter or not?

[afidel]

but to understand the organization of the date requires running the system which imposes the security model.

NO, that would simply be security through obscurity which does not work. Any modern capabilities based OS would have strong cryptography at its core so that you could not access those data items that you do not have a key to. In fact a cool way to do it (not sure if this is done in any real system) would be to have 2 keys, one for the runlevel and one your private key which is protected by your login, that way you could not access things outside your runlevel and you could not access other data in your runlevel unless it was explicitly given permission to you by using your public key (think ACL's but the creator of the data would have to add your key to the files encryption)

Re:so is there a packet filter or not?

[jbolden]

Cryptography is obvious. The problem is how do the apps get their keys? If you have a file system then the keys are stored in some file and so someone else can get the keys....

OTOH if the app stores the key in memory and is always running (though possibly swapped out) then you don't have any problems with storing keys securely.

Remember capabilities are useful but you also have to secure the system against someone just taking the hard drive out.

As for your ideas with dual keys it is done (hate to mention this) but for example Palladium uses that strategy (though they don't call it run levels)

Re:so is there a packet filter or not?

[Waffle+Iron]

That sounds really bloody useful ... I can't do anything with my computer; and even if I could there's nothing I could do it to.

I don't know about Z-OS, but I've read a little about EROS. EROS doesn't need a filesystem. That's because everything in EROS is persistent. The system saves a complete snapshot of its virtual memory to disk every couple of minutes. There is no "rebooting" of the OS. If you pull the plug, it comes back up exactly in the state of the last snapshot.

For me, it took a little while for that concept to sink in. They're saying that there's no need to redundantly keep information in permanent storage and volatile storage. Just make it all permanent, and you don't need the filesystem concept at all. In one step, you eliminate whole classes of bugs (parsing, file permissions, sharing files, filesystem namespace problems, etc.)

Their authority model also makes sense. Think of your system as a large building. Normal OSes treat security like doors with electronic badge readers; you're allowed to do things based on who you are. Naturally, a lot of doors must be programmed to let you through if you're going to get around the building to do your work. It's hard to ensure that each person is never able to get into a room that they shouldn't be in.

EROS is more like a building full of unique old-fashioned key locks. You have no automatic authority to go through any door. You must obtain the individual key for each door. You get these keys on an as-needed by the people in various rooms you interact with as you do your work. Each person with keys to hand out individually determines if you are worthy to go through the next door.

Reading up on EROS really expanded my view of how an OS could work. You can check it out at www.eros-os.org.

Re:so is there a packet filter or not?

[dvdeug]

Look at an OS like Z-OS or Eros

Which sites are run off of these operating systems? Which organizations run these operating systems? Or are they merely theoretically secure, with little use under fire?

Having any individual have much real authority over the system ....

Back to real life, short of hard cryptography, one individual usually has complete access to everything on the system. If I can run another OS on the system, I can copy or change anything and everything. Without custom hardware or always having to have someone else with the admin in the computer room, sooner or later the admin will get the chance to boot into god mode and do as he wills.

Re:so is there a packet filter or not?

[Sunner]

The reasons why openbsd.org doesn't run on an OpenBSD box are documented in the FAQ, but I guess that's just too much reading for some people.

Go troll somewhere else.

Re:so is there a packet filter or not?

[popeyethesailor]

Z-OS is the latest in the series of operating systems for IBM Mainframes, which I would assume are run by quite a few organisations.

While it's true that one may not come across a Mainframe-based webserver on the internet, they still rule the datacenters, and are generally considered pretty secure.

Re:so is there a packet filter or not?

[dazdaz]

Out of the box yes, however don't forget that it must be security hardened after the install to get the full merits of OpenBSD's hardness.

Re:so is there a packet filter or not?

[jbolden]

People have already commented that pretty much every major organization runs Z-OS :-) As for Eros its based on the ideas of Multics which were used by many organizations as well as the US Army for secure computing. Until recently (late 70's-95) the direction was away from security and this was the period where Unixes thrived. Its only with the pervasive internet and the desire to create systems robust enough to handle constant attack from hostile users that security is making a strong come back.

Anyway as for cryptography; cryptography itself doesn't solve your problem. Where are the keys stored? If they are stored on hardware you can pull the keys off pretty easily by just picking your data; if they are stored in a hardware / software mix then the software component can be taken off by a root user.

That's why no filesystem is important. Sure you can boot into god mode using some other OS but you won't be able to understand the data since the data itself is owned by applications the cryptograhy keys are mixed at multiple levels... In other words to get to the data you need to boot the OS and then you get the OS's security. The box in a raw form can't extract the application specific data, so god mode doesn't do you any good.

Re:so is there a packet filter or not?

[dvdeug]

Where are the keys stored?

In the only safe place: the users' head.

In other words to get to the data you need to boot the OS

You could have said that about NTFS, before the Linux NTFS filesystem. If software took it apart, then software can put it back together - if necessary, take the OS, remove all security code, and boot that.

Re:so is there a packet filter or not?

[Lozzer]

Is what you are describing really true? Your talking got a little bit fast in the last paragraph. If I can boot in another operating system I can see all the data on the disk (Having no filesystem is just a red herring - the data is still there). The machine will bootstrap through normal BIOS procedures (at least in EROS which is i386 based). So I can follow all the code through.

The question then arises as to whether when the code wants to check for its first key, whether I can get that key or not. I'd wager that if booting EROS normally, someone has that key then I'd be able to get the same key when shadowing from a separate operating system

In other words what you say smacks of security through obscurity, though feel free to show me otherwise.

Re:so is there a packet filter or not?

[Shanep]

In the only safe place: the users' head.

I have a .45 semi-auto that can remove even those keys, one way or the other. They can either come out of their mouth or fingers, or then theres the other option, splattering those keys all over a wall. ;)

Re:so is there a packet filter or not?

[arkanes]

Maybe your analagy is just bad, but I'm not sure how a central key authority is inherently any more secure than a distributed one. If I get this right, you "knock" on the door and see if the person inside lets you in. This sounds very much to me like object level security permissions, which isn't really any different than file-level permissions. One of the reasons why we invented things like group level permissions was because of the administrative nightmare associate with individually coding security into every object, so I don't see how this is really a gain...

Re:so is there a packet filter or not?

[jbolden]

Think more like the virtual memory system then the NTFS filesystem. The data to interpret the filesystem isn't stored in a truly fixed place in a regular manner.

As for encryption stored away from the system; any data that the system itself can't access might as well be public you don't need security for that kind of data.

Re:so is there a packet filter or not?

[jbolden]

I'll grant you can rip the disk out and copy and image. I'm not trying to argue you can't get to the disk. Its the "red herring" I'm arguing is helpful. Because once you get the disk image what does that get you? You have disconnected blotches of data encrypted in a range of ways and stored in applications specific ways. Pretty nasty stuff.

I agree there is some obscurity involved but essentially this amounts to the computer equivelent of encryption + shredding. That's pretty yucky to deal with. Yes with infinite time and money you can beat it but...

Re:so is there a packet filter or not?

[evilviper]

Bull. OpenBSD is a blank slate, it is as secure as you choose to make it.

If you want to set all your programs to run as root, you can do that, though it will not be secure.

If you want to run your services as non-privlidged users and seriouly limit it's permissions, you can do that as well.

If a service needs root pormissions, you can go the way of OpenSSH, and give it privlidge seperation.

You can have any system in place that you want. The only common denominator in 'Unix' is it's method of most everything being a file or a system call. So, unless you believe that something like printf() or /dev/null is exploitable, you really can't use a blanket statement that Unix systems are flawed.

Root's privlidges can be shared, and then you can make it so no one can login as root. And I fail to see how having a filesystem leads to insecurity.

Re:so is there a packet filter or not?

[dvdeug]

Think more like the virtual memory system then the NTFS filesystem.

And you dump the virtual memory, I can piece it together. First you find the kernel, then the page and process tables, and then you can put the rest together without much trouble.

Re:so is there a packet filter or not?

[jbolden]

Agreed. If you go to that much trouble (i.e. multiple application specific file systems / data systems) you can get the data out. Any security can be broken given a large enough quantity of the product of:

inside knowledge * time * money

the goal is just to boost that figure :-)

Re:so is there a packet filter or not?

[dvdeug]

Any security can be broken given a large enough quantity of the product of: inside knowledge * time * money

the goal is just to boost that figure :-)

But standard cryptography, given a secure password, achieves more security, without changing all the base rules.

Re:so is there a packet filter or not?

[Lozzer]

All you are saying is given code and data that people can't reverse engineer. This is blatantly not true. Now because EROS is not mainstream there won't necessarily be any script kiddie tools to help you out, but we aren't talking the kind of infinite time and money scenario here, we're not even talking the long time that encryption gives you, unless there is some reason why its not just (albeit hard) reverse engineering.

Now whether EROS and a physical security policy is more secure, or easier to secure than another OS and a physical security policy is a different argument.

Poppycock!

[Mr_Icon]

Codswallop, January 11th is a Saturday!

Re:Poppycock!

[Ctrl-Z]

What exactly is wrong with a Saturday release?

Re:Poppycock!

[Skyfire]

(Yes I know this is offtopic) Speaking of which, does anyone know why the US uses MM/DD and everywhere else uses DD/MM? And please don't use the typical "Because USians give a rats ass about the rest of the world" (even though its true)

Re:Poppycock!

because it makes more sense. month, then day. increasing specificity.

but then they go fuck it up and put the year at the end.

it should be: year, month, day

that's what the Goddess intended. praise the Goddess for her wisdom.

Re:Poppycock!

[Shanep]

because it makes more sense. month, then day. increasing specificity.

I think it doesn't make more sense, because as you say, the year is on the end.

DDMMYYYY makes a lot more sense than MMDDYYYY.

Medium significance, lower significance and then higher significance makes little sense.

Of course, the most logical approach is, YYYYMMDD, with significance than follows closer the way we count.

Re:Poppycock!

[RAMMS+EIN]

I was confused by this, too. I stick to the convention of writing either ``1 November 2002'' or ``2002-10-01''. I use the first notation for absoulte clarity and consistency with how I pronounce dates (1st of November, 2002). I use the second notation for speed or when space is tight. It is consistent with the notation I use for time (most significant first, least significant last). Cheers.

Re:Poppycock!

[Arandir]

Because that's how we speak in 'Merica. When someone asks me when I'll visit next, I say "November second", and not "second of November".

Re:Poppycock!

[Christopher+Whitt]

Of course, the most logical approach is, YYYYMMDD, with significance than follows closer the way we count.

Not only is this the most logical approach, it's the standard approach. ISO 8601 to be exact. Not only is it logical, but it is also very computer friendly since sorting datestamps that are in this format is easy: an ascending sort is a chronological sort.

Re:Poppycock!

[Shanep]

Not only is it logical, but it is also very computer friendly since sorting datestamps that are in this format is easy: an ascending sort is a chronological sort.

Oh tell me about it. Today I was at a client site who complained that they couldn't find their latest backup files. Reason being, that they were naming their backup files with alpha numerics mixed throughout the files and more importantly without leading zeroes.

Result being, files being naturally sorted in WinNT 4 Windows Explorer that did not go in the order the dates did.

The users backups were there, but so hard to find that they called me in because they were worried that their backups were not working!

They were only weekly backups, so if they saved them as apYYYYWW.zip all would have appeared to be fine. Where ap is an abreviation of the application data being backed up, YYYY obviously year and WW the week of the year. apYYYYMMWWDD would be nicer so that in the future, referencing particular backup dates could be quicker.

Thanks for that link BTW. Now I have extra ammo. ; )

Re:Poppycock!

[flimflam]

I think it's because it's closer to how we talk. We say "November 11th, 2002" not "2002, November 11th" or typically "11th of November, 2002" (unlike those pesky Brits.)

Save you the effort...

[Fnkmaster]

Dear Slashdotters,

I decided to save you the effort of replying to this article by summarizing all of the posts you are about to make.

1) BSD is dead poster: BSD is dead! Only 13 people use OpenBSD and they all live in their parent's basements!
2) Dumb Karma Whore: Packet filtering? What's that? Can somebody explain why pf is a better packet filter than the alternatives?
3) De Raadt Hater: Theo sucks! Burn in hell, Theo, you self-righteous prick. FreeBSD 0wnz!

Re:Save you the effort...

what a stereotype!

not everyone has a basement, you know.

Re:Save you the effort...

[ImpTech]

Funny... while I don't live in my parents' basement, my OpenBSD box does, so I guess the first poster is half right.

Re:Save you the effort...

[ELiTeUI]

Thats too funny.

I also do not live in my parents basement, however one of my OpenBSD boxes does..

I guess it is a small world after all.

ELiTeUI

Re:Save you the effort...

[King+of+the+World]

The funny thing is that you're the same person with split personalities. One goes to sleep, the other wakes up. Does the hilarity ever stop? I think not!

*guitar-solo*

Re:Save you the effort...

[CBravo]

of course, there is a reason that that box is in the basement. It does not go down.

Re:Save you the effort...

[Dark+Lord+Seth]

Heathen, you forgot three of them!

Imagine a Beowulf cluster of packet filters!

1. Develop a packet filter.
2. ???
3. Profit!

( ) CowboyNeal is my packet filterer! You insensitive clod!

Re:Save you the effort...

[jbolden]

QA guys do real work. There is a huge difference between software that sort of works and software that works perfectly everytime. Theo led a team to do a tremendous job of cleaning up many of the standard open source apps.

Project managers, systems analysts, developers, QA, tech writers, business analysts... are all on the same team; why the backbiting? Don't IS/IT people have enough problems without turning on each other?

pf ported to Debian?

[Centinel]

Does anyone know if anyone has ported the OpenBSD pf over to Debian?

Re:pf ported to Debian?

[krmt]

Well, I don't see it in the userspace program list in aptitude anywhere, not that I expected it, since in the interview with the pf creator he says that it is hooked in to the OpenBSD kernel directly. Your best hope of getting it with Debian soon was the project to port Debian to OpenBSD, but since that was just abandoned you'll have to wait a while or do the work yourself.

Re:pf ported to Debian?

[Centinel]

if I wanted to hear "use google you lazy n00b" I'd have asked #openbsd on efnet

Re:pf ported to Debian?

[jhunsake]

Then why didn't you?

Re:pf ported to Debian?

[peter]

There were plans to create a Debian GNU/FreeBSD operating system. (Maybe not just FBSD, without the GNU/. (They would probably use the FBSD C library, but most things would be the existing Debian packages. I guess there would be some new packages with FreeBSD software.)) I can't remember what I saw most recently about the Debian on FreeBSD project, but I don't think it's totally abandoned.

Anyway, pf is specific to OpenBSD's kernel, and I don't think it is likely to be ported to other kernels.

Re:pf ported to Debian?

[neroz]

What a shame. Lets hope the {Net|Free}BSD ports dont follow suit - they are a lot futher along.
Heres the post from the Debian GNU/OpenBSD porter:
---
Subject: status debian/openbsd
From: Andreas Schuldei
Date: Tue, October 22, 2002 4:50 pm
To: debian-bsd

There are several indications that openbsd's security is more or
less up to the level what can be achived with todays debian
gnu/linux.

The kernel code seems to have severe race conditions and the
userspace seems to be bitten by a compareable number of security
incidents as e.g. a stabel debian with a correspondig software
base.

Since my reason for this port is primary to provide a more secure
environment for debian users with the same feel, right now this
port seems not to be worthwhile.

OpenBSD seems to make efforts to change to elf binary format some
time in the future. When this happend and the audit efforts show
further results i will reevaluate the situation.

Everyone who wants to carry on with this port is welcome to take
over.
---

Re:pf ported to Debian?

[LordHunter317]

Other way around. The whole point of any GNU/*anything* port, Debian or not, is to get the entire GNU toolchain running on said kernel.

The debian part would obviously be porting as much stuff as possible to run on said GNU/*anything*.

So GNU/OpenBSD would run pf but not iptables. See?

This is the one point where the GNU/*OS* thing makes sense. Though I think GNU Debian *OS*/*arch* would be better, as in GNU Debian Linux/i386 or GNU Debian OpenBSD/i386.

Re:pf ported to Debian?

[peter]

yeah, that's what I was trying to say, but got sidetracked half way through :(. Of course they would use pf where Debian on linux uses iptables. However, the C library, as an interface between the kernel and user space, takes a lot of work to get working on a different kernel, or a different architecture. However, some GNU software is designed to run on a GNU system, and uses things like getline() instead of fgets(). (read the GNU libc info page if you don't know about this.) Most major pieces of software are portable to non-GNU systems, so they could get by without the GNU C extensions.

oh GREAT

I had never before done any kernel programming, but I knew C

Great... I'm going to recommend to my boss that we replace all our FreeBSD and Linux servers with OpenBSD! With that kind of kernel programming experience on the team, you know it's gonna be SOLID! Check it.. he didn't say he "heard of" C, or "dabbled in" C, or even "thought there was a language called" C, he KNEW C! Inside and out!

And hey, did you read the interview, the man owns TWO, count 'em, TWO cats! Between the three of them, they should hammer out some sweet packetfilter code.

(hey it's a joke. but I'm still not giving up FreeBSD)

Re:OpenBSD is crap, heres why - vermillion

I usually don't feed the trolls, but...

OpenBSD is fucking hype. The only good thing about it is SSH.

Yeah - SSH... and isakmpd, systrace, pf, altq, chrooted apache and whole-of-tree audits.

Re:OpenBSD's Security is Overrated

so basically, you're saying: OpenBSD is the most secure OS out there, as long as you don't install it on a computer?

if you are going to upgrade to 3.2 ahead of time

[congiman]

Its already out there in the source tree... and has been for a while (beginning of october).

You can grab the main .tgzs from:
ftp.usa.openbsd.org/pub/OpenBSD/snapshots/i 386

I'm pretty sure you can do this install by getting the floppys (.fs) files and selecting FTP install.

If you have 3.1 (or any other version) you can upgrade the source tree (this is how I did it)

set your cvsroot:
setenv CVSROOT anoncvs@anoncvs.usa.openbsd.org:/cvs
cd /usr
cvs -q get -rOPENBSD_3_2 -P src

You can then follow along here:

http://www.openbsd.org/faq/upgrade-minifaq.html

Make sure you do all the steps,
Be especially sure you do 1.5, 1.8, 3.1.* before you do a make build..

(note: if you are doing it from something earlier than 3.1 you should do the other changes (3.0.* etc. etc.)

-- C

WARNING: SNAPSHOTS ARE NEWER THAN RELEASE

[honold]

this information is bad, as the 3.2 snapshots are now further ahead in development than the 3.2 release code. there is no supported method for backtracking from -current to -release.

for the impatient, the best method is to check out the 3.2 sources from cvs (as described) and build from source

Re:WARNING: SNAPSHOTS ARE NEWER THAN RELEASE

[congiman]

The snapshots on ftp.usa.openbsd.org are still 10/3/2002.....

But, I'll also grant you that that seems weird in that it usually changes more often.

If all else fails, wait 3 days and you can find it at:

ftp://ftp.usa.openbsd.org/pub/OpenBSD/3.2
(THIS LINK WILL NOT WORK UNTIL FRIDAY)
(this is posted in PST, so Friday is still 3 days away).

Yeah the best way would be to grab 3.1
ftp://ftp.usa.openbsd.org/pub/OpenBSD/3.1

install it
and then src code upgrade

-- C

OBSD Support !!!

[SuperDuG]

I think the one thing that everyone absolutely always neglects to realize is that Open BSD is the absolute perfect firewall/router solution for any network. All serious networks I've ever seen or worked with use Open BSD as their router/firewall solution and for good reason, it's perfect. It's stable, secure, and BSD Free, what more could you possibly want. Open BSD is made for security and it does its job wonderfully.

Re:OBSD Support !!!

I think the one thing that everyone absolutely always neglects to realize is that Open BSD is the absolute perfect firewall/router solution for any network.

Not necessarily a perfect solution for any network. I still think the most secure systems are ASIC solutions with specific firmware. OS is an overhead and Achilles heel in terms of firewall protection.

--
darkskies

Re:OBSD Support !!!

[Churchill]

All serious networks I've ever seen or worked with use Open BSD as their router/firewall solution and for good reason, it's perfect.

You're right! Managing hundreds of OpenBSD firewalls in dozens of locations, all the while maintaining a cohesive security policy is a BREEZE with the excellent OpenBSD pf management software! Er, no. What kind of serious networks are you working on, anyway?

Re:OBSD Support !!!

[SuperDuG]

Not networks that serve. Man everyone who posts is really a moron. Not every network on the internet is meant to serve. When I said serious networks I was talking companies that provide net access to every desk type networks. OBSD is the perfect solution for these situations as it can serve as the firewall/router/webserver/email server. It's all stable and secure and works perfectly for your average small to mid-size business. I'd recommend a midrange PC with Open BSD anyday before I recommended a cisco solution.

Re:OBSD Support !!!

[c13v3rm0nk3y]

Well, I can report that my (publicly traded) corp is pretty OBSD friendly. Almost all our edge hosts on our international VPN or the DMZ are OpenBSD. It does most routing, all email and spam filtering.

It isn't doing the VPN proper right now, because we've invested too much in a commercial VPN. Also, most of our discrete host access to the VPN (over dialup or broadband) is Microsoft PPTP (which is lingua franca in terms of client access). We use NT exclusively for authentication/authorization (except for the NIS stuff on all our UNIX boxes), but we are switching to Active Directory. This got us thinking about running arbitrary LDAP services on OBSD and falking out all the Windows 2K client boxes. Shades of Samba!

There is talk about switching our web and ftp server(s) to OBSD. We've already made the jump from Netscape to Apache (on Solaris), and IBM is *most* happy to supply us with OS-free Netfinity servers to run this stuff on. We still have a lot of value left in our Sparcs, but as they age it looks less and less like they will be replaced with newer hardware.

The main obvious benefit for me is that I get to tag on a t-shirt or two onto our corporate orders. I mean, having stable email is all well and good, but a new OBSD t-shirt every 6 months! That rings my bell.

Re:OBSD Support !!!

[mindstrm]

You are a troll.

I run some very serious networks, and we don't use openbsd. What is so superior about PF?

Openbsd can't do policy routing, and PF is quite limited.

And a serious network doesn't run the mail server and webserver and router on the firewall.

Why no easy installer?

[browser_war_pow]

What I don't get is why don't these projects realize the kind of coup they could score by releasing a Mandrake/RedHatesque installer that even the average marketting drone could use to setup a fully operational installation. I'd love to use OpenBSD if I thought I could get it working. I'm still just a novice with *NIX though so some of this is a bit too hardcore for people like me right now. But still, getting OpenBSD an installer that **just works** for the average person would take it to a whole new level.

Re:Why no easy installer?

[krmt]

Making a good installer is hard work. OpenBSD just doesn't have its priorities there, and rightly so. If someone really felt strongly enough about the issue to write a nice graphical installer, or port one of the Linux ones over, there's nothing stopping them from doing so. It's just obviously not that important right now.

That said, if you want an easy install, there are plenty of alternatives for you. You've already mentioned Redhat and Mandrake, and there's also the very notable OSX. These might not be products focused primarily on security, but if you're really concerned about security then you're going to have to be willing to do some work of your own. Even OpenBSD doesn't guarantee security in the absence of knowledge. So if you're willing to put in the work to learn to be effectively secure (and thus actually use the system properly) then you're certaintly willing to learn how to install the thing.

Re:Why no easy installer?

[Dog+and+Pony]

First off, anything is easy compared to installing Debian (typical that I *do* run it, anyways... sigh.) Well, slackware's worse.

And second, no marketing drone has ever, as long as humans has kept track, installed anything except the latest email worm. For all the other software, they grab whoever is close and not wearing a tie. Usually it is some guy that would rather shoot himself in the foot than use up the afternoon installing windows Me, but there you go.

Re:Why no easy installer?

[psxndc]

If you buy the CD, the insert has a walkthrough of an install. OpenBSD is actually one of the easiest installs if you follow the documentation.

psxndc

Re:Why no easy installer?

[coene]

It's MUCH easier than you think... It just takes some reading (just a tad, which is all stuff you NEED to administer the system anyways).

You want:

http://www.openbsd.org/faq/faq4.html [Installing OpenBSD]

and

http://www.openbsd.org/faq/index.html [The entire FAQ]

Re:Why no easy installer?

[dave_f1m]

I agree with the other replies that it is relatively easy to install. The disk partitioning is different, so that slowed me down (slices?!?). But I love "man afterboot" - it reminds you of all the other crap you need to do to a system after it's installed. Mandrake, et.al. could use that.

- dave f.

Re:Why no easy installer?

[alain1234]

About Debian and OpenBSD, a quote from the latest Debian weekly news :

Debian/OpenBSD ceased. Andreas Schuldei announced that he is discontinuing the effort to combine OpenBSD and Debian. He found out that there are several indications that security in OpenBSD is mostly at the same level as it is in Debian. Since the reason to work on this port was primary to provide a more secure environment for Debian users this port doesn't seem to be worthwhile anymore.

Re:Why no easy installer?

[evilviper]

Personally, I find OpenBSD's installer to be simpler than ony other. Who needs a GUI?

Do you want to setup networking? [Y, n]
Do you expect to run XFree86? [Y, n]

What could be more simple than that? I can install OpenBSD in the time it takes most GUI installers just to load.

The one place it needs work is FDISK, and that's not a problem unless you say 'NO' when asked if you'd like to 'use the entire hard drive'.

The installer has some nice perks too. You can use wild cards when selecting your packages, so a simple "-x*" will unselect all the X packages. Just "*" selects everything (one of the few OSes where you almost always want EVERYTHING-there's no junk in the distro), or you can always go with the default, minimum, install.

That's why I like OpenBSD, it isn't a bunch of shinny things, it's just a very simple and elegant Operating System. Installer and all.

Re:Why no easy installer?

[aussersterne]

Well, slackware's worse.

<rant type="stream of consciousness">

I couldn't let this slide. I've been using Linux since 1993 -- longer than many, not as long as some others... and I was a SunOS guy before that.

I have always found the Slackware installer to be reasonably friendly, extremely well-thought out, both elegant and consistent.

ON the other hand, I avoid dselect like the plague. Even if you know what you're doing, dselect is a ponderously huge set of choices; just browsing through them to locate the ones you want while looking at the package name column and nothing else requires enough reading and keying to slow the process down to a crawl. Better to bypass dselect entirely... just install the base system and then use apt to get the stuff you want. It's not that I dislike Debian -- in fact, I use Debian/Sparc on a whole mess of Sparc 10 and Sparc 20 workstations that I administrate and it performs nicely.

But I can't imagine how new home PC users must feel when confronted with a huge, text-only interface with no obvious onscreen guide to keys and very counterintuitive behavior. For example, try running dselect on a 386 or a 68k mac (both supported platforms). Hit PgDn and five or six seconds later the screen finally updates. Bet new users hit it three or four times, wondering why it isn't working. Oops! Same goes for entering and leaving dependency resolution... Press Enter once your selections are made and watch... nothing happen for 30 seconds until the package list is finally displayed once more. Bet new users hit Enter 10 or 12 times. Maybe they even hit reset, thinking they've frozen!

The OpenBSD and NetBSD install systems and the Slackware install system are much, much better than dselect, which is an utter dog that has been completely overwhelmed by the growth of Linux and the sheer number of Debian packages available.

</rant>

Re:Why no easy installer?

[RAMMS+EIN]

I don't wanna boast, be elitist, troll, whatever here, but I actually think the OpenBSD 3.1 installer is one of the best installers I've ever seen. Sure enough, it doesn't have a GUI, but it fits on one 1.44 MB diskette and uses little RAM.

The installation process is as simple as answering questions that are in plain English. The one thing that sucks about it is the disklabel part. I think it would be helpful to do some ad-hockery to come up with sensible defaults here. Nevertheless, help is available in clear English and a swap and root partition (and whatever more you deem necessary) are soon enough created.'

Now I am going to abuse the rest of this post for stating what other improvements (besides the disklabel editor already mentioned) I would like to see in OpenBSD. The default install ships with many services (fully or nearly completely) preconfigured but commented out. This is a Good Thing. However, although SMTP and POP3 are mostly set up this way, the same is not true for their secure (tunneled over SSL) versions. I think that OpenBSD, especially with its focus on security, should really offer this.

Another thing that would be good for OpenBSD to have is a secure distributed filesystem. This applies to other operating systems as well, and I know there are various options that work, each with serious drawbacks. Two options that I consider of special interest are Coda and SFTP. Coda is said to be in alpha stage (and has been, for a long time), but is reported to work quite nicely. SFTP is not technically a filesystem, but can be used as one by Linux with LUFS. I think a LUFS-equivalent for [Open]BSD would be a huge win.

Re:Why no easy installer?

[sheriff_p]

In truth, it's been a while since I installed OpenBSD (3.0 was the last one I tried), and I found it ... easy. I'm certainly not a particularly competent user, and although I'll admit the disk partitioning tripped me up, the rest was really simple.

Additionally, the OpenBSD FAQ sets the standard for docs. Once installed, I had dhcpd/NAT/ipfw and a load of other goodies set up in under half an hour.

I would suggest that people who say installing OpenBSD is hard just haven't tried it. If you have, be more specific: ugh eez too hardt is hardly a good bug report, or the kind of thing that'll get over-worked developers to make changes.

Re:Why no easy installer?

[Sn4xx0r]

ROFL. Finally good justification for wearing a tie. It's just to stay out of the hands of the marketing drones! Really!

Re:Why no easy installer?

[debilo]

I don't really mind there not being a real GUI-based installer. Although I would appreciate the comfort in having one, I've found OpenBSD installs extremely painless and easy, the installation on my (slightly dated) router box takes no more than 15 minutes. Even as a beginner, a quick read-through of the really excellent FAQ provides all the information you need to get started in no time.

But then, there's this article I stumbled across on Deadly:

G.O.B.I.E, a "Graphical OpenBSD Installer Engine", and I have to say the screenshots look pretty damn slick. They are also working on other cool things. From the web site:

[G.O.B.I.E] wishes to add some value to the product by developing installation modules to known servers such as Bind, Sendmail, Inn Apache..

Among them, you will find help to configure PF(Packet Filter), authpf, altq and some other tools.

We have planed to build a kernel configuration tool too !!!

I think that sounds like an interesting project and (though IMHO not absolutely needed) I would like to see it being officially presented as an alternative to the current installer.

Re:Why no easy installer?

[dazdaz]

There is a fantastic graphical installer for OpenBSD, it's just not in the default install, yet. See the GOBIE project.

http://www.gobie.net/

Re:Why no easy installer?

[Dog+and+Pony]

Well Duh.

First you tell me that you've been using *NIXes for at least 10 years (assuming SunOS was only one year) and then you ask what the new home PC user would think about dselect??

I can tell you that. I can *also* tell you what said user think about slackware, as I was that user not long ago, at least when it comes to installing and setting up linux.

Said user will think that dselect takes forever to go through - and be correct. Depending on stamina, he/she will spend X minutes selecting stuff that sounds cool and/or useful, then give up and use apt-get for the rest of their days. Yes, dselect is bloated beyond recognition. Then comes the real fun. Finding the idiotically^Wobscurely named packages. Befoer anyone argues: Set someone that knows linux, but not debian, and ask them to get mod_perl installed. Took me hours to find the friggin package. And then it didn't work. :)

Now slackware... wow. It has a friendly installer in that sense that it uses english (which I can read) and that it asks me what I want to do. End of friendliness. Thanks to a semi-good linux how-to, I actually managed to get through the install on the Xth try, when I finally got working partitions in. Other Linuxes help you with this. Not this one.

When I finally got it up and running, I spent the next week:

* Learning how to edit XF86Config manually to get my language on the keyboard (was not available in slackware as an only), get my mouse working and get my monitor to go over 640x480.

* Recompiling the kernel to get the mouse to work. This is one of the things the home PC guy wants to try first of all. Not.

* Realizing that all Linux howtos are worthless because this is Sys-V. Have you noticed that Slackware guys does not write documentation?

* Giving up and throwing the crap out. All of the above is fun and good to know how to, but not to be able to use the system at all. Save that for later.

There's your home PC guy for ya.

Now, how is this better to someone without 10+ years of unix experience?

Debian is hard, but slackware is worse.

Or you have to put in that 10 years disclaimer.

Re:Why no easy installer?

[Ratbert42]

OpenBSD is one of the easiest installers. Try FreeBSD or even worse, Solaris. Then come back to OpenBSD.

Re:Why no easy installer?

[ryanvm]

Usually it is some guy that would rather shoot himself in the foot than use up the afternoon installing windows Me

I thought installing Windows ME was shooting yourself in the foot.

Re:Why no easy installer?

[Dog+and+Pony]

Nope. You'll notice that the pain isn't as sharp and not as lasting when using a common gun.

Re:Why no easy installer?

[Cro+Magnon]

The one place it needs work is FDISK, and that's not a problem unless you say 'NO' when asked if you'd like to 'use the entire hard drive'.

Unfortunately, that one problem killed OBSD for me. Surely, it's not uncommon to want to dual-boot OBSD with something else.

Re:Why no easy installer?

[TheSync]

I found OpenBSD to be an easy install EXCEPT for the disklabel editor. The editor should be able to present to the user a reasonable default partitioning scheme for servers(isn't that what OpenBSD is all about - having a secure, working system from the default install?)

Moreover, from reading the documentation, it appears that there is no warning about the creation of a partitioning scheme that is potentially unbootable. This is silly!

Re:Why no easy installer?

[tbuskey]

The default install isn't easy????
It's not graphical, but it is easy.

Anyways, I run OBSD headless on my sparc LX. No graphics installed. I install via serial port.

It sounds like you haven't tried an install.

Re:Why no easy installer?

[friscolr]

SFTP is not technically a filesystem, but can be used as one by Linux with LUFS [sourceforge.net]. I think a LUFS-equivalent for [Open]BSD would be a huge win

if NetBSD's mount_portal was ported to OpenBSD then i think it would be simple. right now OpenBSD (and FreeBSD) uses an older mount_portal which isn't as robust as NetBSD's.

anyone know the linux equivalent of mount_portal?

Re:Why no easy installer?

[friscolr]

OpenBSD is one of the easiest installers. Try FreeBSD or even worse, Solaris.

isn't Solaris the one OS that requires more reboots than Windows to install? i had to reboot 5 times the last time i installed Solaris8/x86

Re:Why no easy installer?

[pmz]

What I don't get is why don't these projects realize the kind of coup they could score by releasing a Mandrake/RedHatesque installer that even the average marketting drone could use to setup a fully operational installation.

1) Do you really want a "marketing drone" establishing your critical network infrastructure? Average people shouldn't be meddling with the systems that can really make or break a company. This is serious stuff.

2) The OpenBSD installer really is quite easy when you sit back and think about it. It's basically a well-thought-out shell script with prompts for necessary information. It's also very quick; OpenBSD installations are fast, since there isn't a quasi-stable GUI driving everything. It's also more dependable than a GUI. GUIs are complex from a software engineering point of view, and it is harder to guarantee their function. If you have questions about how OpenBSD goes about it's business...just look a the scripts.

I'm still just a novice with *NIX...

Don't let OpenBSD intimidate you, as it can provide a very fruitful learning experience about UNIX systems. OpenBSD really is one of the most directly and thoughtfully documented systems out there (at least for the userland stuff), but it just isn't an in-your-face system like Red Hat. Once the system installs, there is a helpful e-mail sitting in the root inbox, the installation CDs have very good README files, and the 'intro' and 'afterboot' man pages are also good. The OpenBSD website hosts a FAQ and links to mailing list archives that covers many questions for new users.

Re:Why no easy installer?

[3Bees]

What I don't get is why don't these projects realize the kind of coup they could score by releasing a Mandrake/RedHatesque installer that even the average marketting drone could use to setup a fully operational installation.

Unwittingly, you have answered your own question. They will probably never release an easy installer for OpenBSD because a marketing drone is not their target audience. If you are in an organization where a marketing drone is responsible for setting up firewalls and routers (the two general systems that will most frequently be running OpenBSD), than your organization is in deep doo-doo! :-)

OpenBSD is targeted at the audience that knows enough about their systems to feel comfortable without an installer, who will probably feel more comfortable without an installer. See, the thing about installers is that you have to trust what they are doing. Most admins who are worried about security enough to want to install OpenBSD will probably not want to put a whole lot of faith in any installer that they have not scripted/written themselves. (this is all IMO, of course, as there are probably large numbers of OpenBSD users that would not fit my stereotypes)

Re:Why no easy installer?

[evilviper]

Surely, it's not uncommon to want to dual-boot OBSD with something else.

It's not a very common occurance actually.

I don't setup any of my servers to dual-boot.

As for workstations:

An extra hard drive is cheap.

Few people just 'play around' with OpenBSD. It usually replaces the other OSes, and not many people are concered about co-existance.

FDISK is easy enough to use if you read the (very detailed) man page. From the docs on the CD, from the man pages on OpenBSD.org, even from within fdisk-you can easilly access the man page.

I mentioned fdisk only because it is the most complicated part of the entire OpenBSD system, not because it's complexity is significantly over and above any other installer OSes' installer. It may take a few minutes to figure it out, but it is more powerful than any other fdisk program I've seen, and gives you a better picture of what's actually happening than any other program.

Note For non-BSD users: FDISK is the program that modifies the (up to) four primary partitions. If you tell the installer to use the full disk, you don't even need te run fdisk. Within one of those primary partitions you create (or had the installer automatically create) is where you use DISKLABEL to allocate space for each mount point (/, /tmp, /usr, /usr/local, /home, ETC.).

I wouldn't want non-BSD users to get the impression that setting your hard drive is difficult, from this conversation, just because the job of fdisk is different on other platforms.

Re:Why no easy installer?

[Bishop]

OpenBSD does have one of the best installers going.

A general concensus seems to be that your first OpenBSD install will be a throw away. Your second will be good, Your 3rd and nth (n>=4) will be painless.

The best part about the OpenBSD installer is that a default install has everything that should be part of a Unix install and nothing more. The rest can be added painlessly from binary packages, source packages (ports), or compiled and installed by hand. (The worst part is disklabel.)

I have written this before: If you are a unix sysadmin make the time and learn how to install OpenBSD. It is not hard, and it will help you proffesionally. Even if you can't use OpenBSD officially. A quick OpenBSD install may be exactly what you need to tftp the backups to the primary database server that crashed hard 15 minutes before running the payroll. I am sure you can think of other, more mundane, issues that a quick Unix install can help solve.

Re:Why no easy installer?

[insomaniac]

Even if you know what you're doing, dselect is a ponderously huge set of choices; just browsing through them to locate the ones you want while looking at the package name column and nothing else requires enough reading and keying to slow the process down to a crawl.

heh, sounds a bit like 'make menuconfig' now THATS a bitch

Re:Why no easy installer?

[aussersterne]

Take 'make menuconfig' and multiply it by 150 or so and you'll have dselect. It really is a pig. I tried using it about twice on Debian installs and then just gave up.

Hint to Debian developers: When it's quicker to just bypass the installer altogether and then install packages one by one by hand, you know your installer is not helping anyone.

Re:if you are going to upgrade to 3.2 ahead of tim

Be careful. The 3.2 errata hasn't been commited to CVS. So while you're running the 3.2 RELEASE, 3.2 STABLE won't exist until the actual release.

If you really want an early 3.2, you need to port the relevant 3.1 errata to your 3.2 tree.

Why pf sounds great

[capedgirardeau]

Excellent interview and responses, a very educational read for anyone who deals with firewalls and packet filtering. It should become part of the pf docs.

He is very modest, but I like the sounds of some of the things he is doing. Here are some solid, specific things pf is doing that I dont think other packet filters are doing, ask your vendor how they are handling these same types of issues.

This is why pf sounds like it will be very good (direct quotes from the article):

... [about the kernel integration] ... we just call a single function, pf_test(), from ip_input() and ip_output(), where all packets from network interfaces pass. Additionally, the function is called from the bridge code and after encapsulated packets are unwrapped, so encapsulated packets pass through pf at every layer. [security enhancement]

... The stateful connection tracking is based directly on Guido van Rooij's work (which is also the basis for IPFilter). ... To prevent attackers from tearing down connections, for instance with spoofed RSTs, the packet filter checks the sequence numbers in each TCP packet. Only the two peers involved in the connection (and the hops in between them) know the right sequence numbers. Guido's work shows how to keep lower and upper bounds on the sequence numbers given only the (incomplete) information the packet filter has, with a precision and beauty similar to the one you can find in a mathematic proof. [security enhancement]

... pf can randomize sequence numbers for hosts that have predictable ISN [initial sequence number] generators. [security enhancement]

... Fragment reassembly and normalization (eliminating ambiguities in packets that a receiver might interpret in different ways) was written by Niels Provos, based on Vern Paxson's work. This is something very useful I haven't seen implemented in a packet filter before ... Reassembling fragments allows the filter to deal only with complete packets, reducing the rule set complexity. In my opinion, it's well worth the additional cost. pf allows to specify what packets to normalize in which ways, so you can handle notoriously fragmented but otherwise known-good traffic separately. [security enhancement]

... pf implicitly creates state for all translated [NAT'ed] connections and stores the information needed for translation in the state entry. This simplifies and reduces lookups. [speed/security enhancement]

... [Skip Steps] And this is what skip steps are. For each parameter in each filter rule, the number of subsequent rules that specify the exact same value are counted. When, during evaluation of a rule, a parameter is found to not match, evaluation is not necessarily continued on the very next rule, but all subsequent rules that can't possibly match are skipped. [speed enhancement]

Re:Why pf sounds great

[roybadami]

This is something very useful I haven't seen implemented in a packet filter before ... Reassembling fragments allows the filter to deal only with complete packets,

Linux has been able to do this for a long time.

Re:Why pf sounds great

[hummassa]

Please, could you elaborate on this? How do I control the reassembly? via iptables? thanks...

Re:Why pf sounds great

[roybadami]

I don't know off hand how it's done these days. In 2.2 kernels, you used to say:

echo 1 > /proc/sys/net/ipv4/ip_always_defrag

Re:Why pf sounds great

[roybadami]

Hmm, thinking about this a bit more, I seem to recall that in 2.4 fragment reassemply is enabled whenever you use connection tracking in iptables.

I couldn't immediately find this in the doc, though. The bottom line is that 2.2 could always do this (configured as a global option), so I'd be astonished if this functionality isn't there somewhere in 2.4 and iptables.

Re:OpenBSD is crap, heres why - vermillion

- broken drivers stolen from other BSD
- no RX polling for network drivers. Linux and FreeBSD have this. I'm sorry if you don't know what RX polling is for, but it is to prevent livelock in an interrupt driven kernel.
- no SMP. I would venture to guess that that's considerably more difficult that "auditing" (snicker) code. Its always easier to complaint than create, something Theo has mastered.
- no reasonable way of updating the OS. Solaris has it. RedHat has it. Even Microsoft has it. Theo's way, buy a new CD, or compile the patches yourself in a way which is not extensible. Smart.

I would never, ever use this in production. If you think I'm a Slashbot, all I have to say is. ... Sure, you hit the nail on the head, yeah that's it! What, Sigmund Freud to the rescue.

Just a note to you idiots out there, Juniper uses FreeBSD for their JuneOS on some very high end equipment. The engineers would probably urinate themselves laughing if you suggested putting OpenBSD on an M160. Oh, don't know what Juniper or an M160 is? That's what I thought.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:OpenBSD's Security is Overrated

[a+(+h+3+r+0+n]

The BSD community should take a hint and start gearing toward usability rather than "superior" security.

If usability is what you're looking for, try FreeBSD instead. One of OpenBSD's goals is to be Secure by Default. Whereas other BSD variants and most Linux distros take an approach of 'turn everything on and let the admin turn off what he doesn't need', OpenBSD takes the opposite approach. In my experience as an admin, theres no difference in effort between locking down, say, a Redhat install, or enabling what I need after install on OpenBSD. The difference is, the more clueless among us will be more protected by the default install of OpenBSD than by Redhat.

Re:pf? Mature?

[atrus]

If you actuaky read the interview, pf appeared in the 3.0 release. Which is about a year ago.

Re:pf? Mature?

[psxndc]

uhhh... pf isn't enabled in the default install. You have to enable it via /etc/sysctl.conf or manually, both of which require root privs to begin with.

psxndc

It's not that difficult

[_KhlER3L]

I don't think installing OpenBSD is any more difficult than installing a Windows box. You have to do it a couple times before you get everything right. But OBSD has one thing going for it: The initial install is really simple, comprised of only a few steps. If you can wrap your head around the disk partitioning (you can if you try), there's really nothing to it. A from-CD install takes only 5-10 minutes.

From there, /usr/ports makes available a tonne of software (some of which even works -- amazing!).

I'm speaking as a guy who hasn't installed X (tried once and mostly failed), but enjoys the commandline quite a bit. If you like working on the 'NIX commandline, or would like to learn, OBSD is a great system to play with.

khl

or VAX/VMS

[wotevah]

Or VMS which from what I heard is still being used by banks and such despite the fact that it was such a perverse OS and that TCP/IP was an optional package. Did that thing have any bugs at all !?

Re:or VAX/VMS

Yes, VMS had bugs, but they were all very well-documented. Consult manuals B-127J0 through B-141J7 for more information.

pF

[LeiraHoward]

Wow.. you know you've been doing too much electronics homework when you look at "pF" and read it as "picoFarad" and wonder what that had to do with anything....

Re:if you are going to upgrade to 3.2 ahead of tim

[jolan]

You can grab the main .tgzs from:
ftp.usa.openbsd.org/pub/OpenBSD/snapshots/i 386

Those are snapshots of 3.2-current, not of what will be released as 3.2.

Daniel Hartmeier'

[Futurepower(R)]

The article is one of the best resumes I've ever seen.

You don't need root

[iamacat]

Just disable the root account and install setuid programs or daemons to do specific functions for your administrator. If you have physical security, nobody will be able to actually login as root. Install an IP filter that only allows packets from priviliged ports if you don't want user's processes to user network directly. As for filesystem security, have users login to a chrooted account that only contains or mounts directories that they are supposed to access. How will this Unix installation be less secure than OSes you mentioned? Perhaps you mean that default UNIX distributions you saw are not very secure. Or that system calls supported by your OSes encourage secure application design. But it should be still easier to write a library for this purpose under Linux than to write a whole new OS. What am I missing?

Re:You don't need root

[wotevah]

You are missing all the bugs that might be in the code still running as uid 0. Your daemons, the kernel, all of them are vulnerable. I haven't seen many exploits that actually get root by doing "su" to it, so "disabling" that account will not achieve more than, for example, a good password.

A "secure" OS in this context means an OS with well-known "clean", stable code that has been reviewed for flaws etc etc. There isn't much you can do from an administration point of view if the services/daemons you have to use are flawed.

I think sprinkling setuids around is not a great idea at all. Especially custom-written ones. Beautiful things can happen accidentally linking against the wrong library in a chrooted dir :)

Chroot is *not* 100% secure. It is not a sandbox. You can still access ports, memory and processes and kernel functions, you can talk to daemons, starve the system of resources or convince the parent process to do things it will regret.

Plus if you chroot users you'd still have to give them most of the OS somewhere unless they login to not do any work, and that will soon get boring when you'll have to upgrade all of it.

A truly secure machine requires hardware support. A better CPU design. If the 8086 did not mix stack with code and data we would not have had so many problems today.

Re:You don't need root

[iamacat]

Well, I suggested disabling root account to avoid abuse by an individual, as a parent post implied. By giving your admin targetted setuid tools rather than root access you increase the chance that users' e-mail will be private. It's the easiest to reply to your last paragraph. Indeed, exploits will be more difficult if only read-only pages would be executable by the CPU. But it's always possible to emulate the "required" secure hardware by running a VM. Java programs running on x86 will not have stack overrun problems, even if they are compiled to native code with gcj. As for security of setuids and daemons - yes the code needs to be inspected, but no more than the equivalent kernel code of the "secure" OSes. If anything, most misuse will simply cause them to crash rather than bringing down the whole system as in the case of kernel bugs. And despite danger, setuid executables can provide very fine grained access control - such as truncating a specific log file, only if it's bigger than a certain size. Even a secure OS will only provide more basic priviliges that someone might find a way to escalate. I think providing a standard set of setuid programs that have been carefully reviewed and letting knowlegable people write more is better than hardcoding access control in the OS. UNIX has hit the mark as a "meta-OS" on top of which one can build a very secure or a very flexible environment. You may have some point with chroot, but I don't see how kernel memory and processes will be compromized if you only have /dev/tty and don't mount /proc. If your IP filter works with loopback, you can deny access to your daemons from non-priviliged ports. Otherwise, they would indeed need to watch out for access from an chroot()ed process. I don't see what you can do to your parent process if it doesn't let you inherit any unintended file descriptors and simply calls wait(). As for giving users most of the OS, I assume that in a secure environment your users will only be able to access a fixed set of applications. Those executable files will be on a read-only filesystem, with the rest of the environment mounted as noexec,nodev. And UNIX does have process priorities and limits on memory, files, processes and so on. There may be bugs, but the basic concept is sound. All I am saying is that it's possible to create a very secure UNIX distribution using standard system calls but carefully selected/reviewed user software. You will still get all the drivers and performance benefits of a general-purpose OS and have fine-grained options for balancing security and functionality.

Re:You don't need root

[jbolden]

How will this Unix installation be less secure than OSes you mentioned?
If you have physical security, nobody will be able to actually login as root
What am I missing? [reordered by editor]


What you are missing is that the OSes I was mentioning assume an administrator might be in on the data theft. That is you don't have physical security; so you need to protect the system against someone simply copying the data directly from the harddrive.
What you list creates an OS which is very secure againt any sort of user attack. BTW openbsd is actually moving towards what you described with lots of the setuid processes chrooted.

Re:You don't need root

[PetiePooo]

I agree that chroot isn't the best sandbox out there. I prefer Virtual Machines, although they're a little more resource intensive (& not free).

I've been considering running a machine with two interfaces but not assigning it any IP addresses, at least for the "host" OS. Then, I could run one or more servers within virtual machines. For instance, the firewall VM would have access to both interfaces, and have IP addresses on them both. DNS and DHCP servers would only need a LAN interface.

I'd need a decent processor with lots of RAM to pull this off, but imagine the possibilities. Running snort in the host OS on the WAN port would give me stealth IDS capabilities. Running it on the LAN port listening for packets on port 514 would give me a stealth syslogger. Since there's no IP addresses to access the host OS, there's no target to hack!

Now, lets take it a step further and imagine this scenario: The stealth IDS detects with some certainty that my BIND DNS server was once again compromised and a hax0r l0ser is launching a DDoS attack from it. Since the IDS is running on the host OS, it shuts down the offending VM, restores the VM's disk to a known good one and restarts it. Insta-restore!

One other method I've been contemplating that I consider somewhere between VMs and chroots is running the servers under User-mode Linux. I haven't had a chance to play with that yet, so don't know the security imiplications. I can't imagine it would be worse than chroot, and it wouldn't tie up resources as much as VMs do.

Re:You don't need root

[iamacat]

Now this one I am curious about. You can encrypt the filesystem, but then you need to store the key somewhere. Won't tamper-resistant hardware be more important than software at that point? Maybe Linux has a use for Palladium after all.

Re:You don't need root

[jbolden]

Here is an example
1 - Every program keeps its data in memory
2 - the virtual memory system uses encryption
3 - programs use a private encryption key when passing live ram to the virtual memory system
(so in effect data on the drive is double encrypted).
4 - there is no true "shutdown" just something that acts like NT hibernate

You shut the system down / hibernate. Remember there is no file system and the allocation blocks table in ram (like for a virtual memory system) so without restarting the OS all you have is double encrypted sectors of harddrive in no reasonable order without a clear key.

Re:You don't need root

[evilviper]

There isn't much you can do from an administration point of view if the services/daemons you have to use are flawed.

That's completely false. By no means do you need to run anything with blanket root permissions. systrace works great, chroot does fairly well, and you can run many services as a normal user.

You can still access ports, memory and processes and kernel functions, you can talk to daemons, starve the system of resources or convince the parent process to do things it will regret.

Most services I've seen don't just chroot themselves... the almost always drop their root permissions, meaning it's running as a normal user, inside a chroot. There's very little an attacker can do with that.

if you chroot users

Why would you want to chroot users? That doesn't make much sense to me.

If the 8086 did not mix stack with code and data we would not have had so many problems today.

That would only make overflows more difficult (OpenBSD has a non-exec stack), and even then, it wouldn't address any of your concerns.

answer: because they don't want THOSE users

[honold]

the project is not commercial, and has no dreams of having millions of users. it only seeks to do what it does well - which it has for some time.

most of the users and all of the developers would probably scoff at the idea of upgrading the installer because development resources aren't cheap, and they feel the time would be better spent elsewhere since the installer does work just fine.

the 'rustic' install (complete with MANUAL PARTITIONING!!!) serves as a barrier to entry, keeping the mailing lists more clean of 'how do i mount a floppy?' questions.

Daniel Hartmeier's resume

[Futurepower(R)]

The article is one of the best resumes I've ever seen.

Prospective employer: What have you done?
Daniel: I wrote the stateful firewall in OpenBSD. Here's a kerneltrap.org article.
Employer: (Silence while recovering from amazement.) What pay do you expect?


I hit a key accidentally, and Mozilla posted my comment above.

( Read More... | 2 of 1416 comments | BSD )

[mackstann]

seriously though, it seems that attempting to discuss bsd here at slashdot is a difficult proposition at best, can anyone recommend some sites where there is some intelligent discussion of bsd news and issues, without the annoying "BSD is dying" crap? deadly.org is the only one i know of and its pretty slow.

any links / suggestions would be greatly appreciated, thanks!

Don't Forget

[SlickMickTrick]

The intergration. All of these features in a powerful package with an installer targetted at admins.

The only thing I would ever ask of them is to take some of the lessons learned from the Gentoo Portage System.

Re:Don't Forget

[FuzzyMan45]

The only thing I would ever ask of them is to take some of the lessons learned from the Gentoo Portage System.

Such as?

Re:Don't Forget

[blkwolf]

>>The only thing I would ever ask of them is to take some of the lessons learned from the Gentoo Portage System.

>Such as?

Integrating the entire OS with the ports tree, not just 3rd party applications. This would allow easy upgrading of the system to keep up with security patches etc (i.e. emerge -u world)

aliases or commands to access the ports tree from anywhere. Instead of having to cd /usr/ports/somedirectory/someapp; make install you could instead emerge someapp and be done with it.

portage has improved alot on the database tracking installed software and the ability to find software in the portage tree, all from the one command.

I love OpenBSD and it's ports tree, but that doesn't mean there isn't any room for improvment and/or new features. Gentoo looked at the *BSD ports systems and said "how can we make this even better" and came up with some pretty good ideas imho anyways.

Nothing wrong with the *BSD's finding ideas they like that Gentoo has improved on and then incorporating them back into their own trees.

Re:Don't Forget

[blkwolf]

> You "love" OpenBSD? whats the matter with you. its inanimate. i like FreeBSD, but dont love it. Thats a sign of zealotry right off.

Okay maybe I shouldn't have said love, but I do enjoy it quite alot as an OS, along with various distributions of Linux, AIX and other unices. a zealot I'm definetly not.

What about OpenBSD sucks compared to FreeBSD?
Personally, the last time I tried FBSD overall I liked it, but got very ticked at it when I wasn't able to get my simple SB16 soundcard to work correctly in it. Even with the awesome FBSD Handbook, which I consider one of the best OS docs I've read.

On the other hand OpenBSD just detects my hardware and it works. simple as that, if it's supported it works. no need for messing with modules or configuration settings, (unless your configuring your nic or X), just use the device and forget about it.

> Linux is a bear that needs a trainer, its been pissing and shitting where ever. I disagree that Gentoo is better than FreeBSD, would you bet your production on it? Where is Gentoo -CURRENT, -STABLE?

Funny I dont recall saying Gentoo was better than FBSD or any other OS. I did say they have made some improvments to the ports system and I'll stick by that. Face it the ports systems uses by any of the BSD's has been stagnent for some time, not to say that's bad in of itself, but why ignore improvments when they do come along?

Also as to your question: 1.2 is stable, 1.4rc1 is devel pretty simple actually, and yes I have moved all my companies production linux servers over to Gentoo (the others run OpenBSD). And so far, like FBSD it just works.

Where are you getting all this zealotry stuff? Personally I see it in all the distro's and/or OS's. You name it, Windows, Solaris, AIX vs HP-UX, linux vs the BSD's, BSD's vs the BSD's. Just because a vocal minority tend to go overboard doesn't really mean anything as far as the quality of the OS.

Personally I dont agree with your assessment of the the linux industry being prisoner to anyone let alone Linus. Linus controls the kernel, that's it. If the industry doesn't like what he does, they are more than welcome to 1. elect someone else to direct kernel development 2. Fork the kernel and go play in their own field 3. Replace it with somthing else entirely (see HURD).

As far as Theo, well OBSD is his project, it follows his goals and what he wants out of it. Granted it's easy for people to find him arrogant or worse, but they are more than welcome to basically follow the same choices as stated above (see projects like EMBSD, MicroBSD) or use somthing else entirely.

Right now Theo's goals and direction of OpenBSD follow along with what I want out of an OS. A stable codebase that is as simple and clean as possible with security as one of the number 1 goals of the project. It's not perfect, and no one I know says it is. It works for those of us who use it and we are happy with it.

That doesn't mean I dont think it can hurt to improve certain areas like the ports tree which was the whole point of my original post.

oh what one letter can do

anyone else notice how its just one letters location that seperates a reference to the most insecure OS and the most secure OS?

OBSD
BSOD

ehh past my bedtime i think

Re:OpenBSD is crap, heres why - vermillion

- no SMP - because no one who is smart enough to deal with SMP kernels would ever tolerate Theo de Raadt.

- check out the fxp driver. If you can't tell they rip and port, you must be incapable of reading. Funny also that the fxp driver on FreeBSD supports polling. Funny also that FreeBSD cleanly supports more hardware and oh gee, APIC on UP boxes!

- no response to the RX polling. FreeBSD's polling implementations was by the Xorp ROUTER project. I have also performed throughput tests with OpenBSD. Trust me, at gigabit line speeds you either need to poll or have lots of CPU to deal with ingress packets - especially if the packet size is small. Show what you know about performance. Nothing.

- cvsup would be nice, more efficient.. Or binary packages for the server things like root exploits in SSH. People with jobs don't have time to compile things. OpenBSD is just behind the times. Painfully so.

So SMP not needed up there for border devices (yeah, right, that why GSR routers and every other router worth its salt use network processors dedicated for every interface)? So if a machine doesn't have a network processor for each interface, how exactly then is a uni-processor OpenBSD box without polling going to deal with 6 gigabit cards? Interesting. You don't know. The FreeBSD in Juniper was a convenient and effective way for Juniper to have a full, coherent well documented BSD implementation professionally done.

I love people, zealots, who try and defend OpenBSD but they cant even get SMP working. Real kernel hackers probably snicker and giggle about Theo de Ass, but Linus and other k-hackers are just too polite.

And please, man, for the love of god. Please stop considering a good box to put in front of a 1.5mbps link a good networking box. You sound like a fucking fool.

BTW, in lab tests, OpenBSD is fairly trivial to DOS, without RX polling, ingress packets always generate interrupts even if they get dropped by filters. No CPU left or userland = livelock. Oh! Wait, you've *never* tested these kind of things because you are either unemployed or worthless to your company [poor company to have to put up with you].

A nice birthday gift

[jtharpla]

Yay! Just in time for my birthday. :-) Actually, I'll probably wait a bit...just finished my upgrade to 3.1 STABLE. I wish every OS upgrade was as smooth...cvs update, compile, then do some diffs of etc. Nothing to it.

Re:OpenBSD is crap, heres why - vermillion

LOL you just smoked the original poster's ass like a cheap cigar

Maybe its me..

[bobdole34]

and my fear of change; but having worked on many unix and other firewalls: ipf has worked very well, I'm sure there are good reasons to add pf(ctl), but keep ipf for my sake! ;^)

easy?

[rsax]

What's your definition of an easy installer? I would rather have something functional over easy/GUI. When I first installed OpenBSD I had only used Debian since then (only for a year or so). I printed out the entire FAQ and read it back and forth whenever I had some free time. If you read it, you will notice that it walks you through the entire installation procedure. If I was able to install OpenBSD using their excellent text installer just by reading the documentation available on their site then I'm sure anyone (who's willing to do research) can. It also helps to have an old box to install on first, play around, install again.. rinse and repeat as required.

Re:Isn't the Most Secure OS... It had recent explo

[peter]

10 seconds with google was all it took to find evidence to prove you wrong. This is just a DoS, but you just said exploit, not run arbitrary code or anything like that. There's also the Mac Attack: send a certain 40 byte UDP packet to a MacOS computer, and it sends a 1500 byte ICMP packet to the source address of the UDP packet. There is a Mac security website that looks useful for people interested in making a Mac secure (rather than raving on /.)

Cool Mac software that I found while looking for info: ssh and sftp for mac with SSH2 support. License? Well, there's a GNU head on the website :)

Re:( Read More... | 2 of 1416 comments | BSD )

[Shanep]

can anyone recommend some sites where there is some intelligent discussion of bsd news and issues

I prefer mailing lists. In fact, after signing up to some interesting OpenBSD lists (mostly just reading) I found I was reading OpenBSD a lot less and reading www.deadly.org a lot more (and wishing it had a lot more articles and discussion).

Re:( Read More... | 2 of 1416 comments | BSD )

[Shanep]

Bugger, sorry. That should read "I found I was reading /. a lot less and reading www.deadly.org a lot more".

Re:OpenBSD is crap, heres why - vermillion

[theLOUDroom]

funny. i've been running freebsd for years and its open on the net. funny. i dont ever recall being rooted. funny.

Wanna post your ip address? ;)
I didn't think so.

disclaimer for the humor impaired: I don't actually want to root this guy's box. I am not a terrorist, nor a member of al-qaeda.

Re:( Read More... | 2 of 1416 comments | BSD )

[Sn4xx0r]

Go to your slashdot preferences, the homepage tab, and on the lower part of the page is "Customize Slashboxes". Enable some of the bsd sites to see their headlines while reading slashdot.

Like Shanep said, OpenBSD Journal (at deadly.org) is a good one.

Re:OpenBSD is so l33t...

[linuxbaby]

RTFFAQ:
http://www.openbsd.org/faq/faq8.html#wwwsolaris

8.18 - Why does www.openbsd.org run on Solaris?

www.openbsd.org and the main OpenBSD ftp site are hosted at a SunSITE at the University of Alberta, Canada. These sites are hosted on a large Sun system, which has access to lots of storage space and Internet bandwidth. The presence of the SunSITE gives the OpenBSD group access to this bandwidth. This is why the main site runs here. Many of the OpenBSD mirror sites run OpenBSD, but since they do not have guaranteed access to this large amount of bandwidth, the group has chosen to run the main site at the University of Alberta SunSITE.

New song!

[Improv]

Although I'm looking forward to the release,
and will upgrade eventually, I'm *REALLY* looking
forward to the next song..

"What more could you possibly want?"

[Akardam]

An embedded, dedicated solution?

Don't get me wrong, though I've personally not used a BSD as a firewall, I know people who have, and they're happy with it, completely happy. But I really prefer something which was built from the ground up to be a firewall and ONLY a firewall.

I've worked extensively with the Sonicwall devices, and I've also heard some good things about the WatchGuard Firebox series. Then again, if you want to go gung ho all out and out, you can get a Cisco PIX.

Basically, for me, it boils down to having a specific device for a specific job, as opposed to having a general purpose piece of software running on commodity hardware for a specific job.

Re:"What more could you possibly want?"

[AngryRodent]

While I am happy that you like the Sonicwall and Watchguard firewalls, and seem to think PIXen are nice, I would have to disagree. Having used all of these products, and several others as well as home-grown firewalls, I do not hold any of these three in high regard.

Perhaps more relevant however, is that Watchguard firewalls are Intel and Linux based, Pixen (at least the older ones) are Intel based (they were originally made by Network Translations. I have heard from reliable sources that Sonicwalls are VxWorks based.

Now perhaps, these devices meet the definition of being built from the ground up to do a specific task- having worked for several equipment vendors who have sold appliances as well as custom-hardware based network devices, I have a more jaded view of what this really means in practice.

One of the few security devices that is primarily custom-hardware based is the netscreen product line. I have no idea if they use VxWorks or another embedded OS, but would be somewhat surprised if they run a fully home-grown software package.

So, in general, I see value in your argument about specific device for specific jobs- if only from an auditability and management perspective.

However, most of the specific-job devices in fact run on essentially commodity hardware and are based in large part on general purpose software- no matter how much people in marketing want you to believe otherwise.

The most secure OS

[octogen]

And what's up with that "the most secure os" sarcasm? OpenBSD *is* secure.

This definition depends on what you call "secure".

Theo calls an OS with a very limited, trusted set of applications "secure" - however, running secure applications with root privileges has nothing to do with OS level security. That's application level security.

I'd call an OS secure, if you can only hack it by exploiting a bug inside the OS kernel. That means, there is no way of gaining 'root' privileges or something like that by hacking into some highly privileged daemon, provided that the system is configured properly.

To achieve this level of security, it is neccessary to have fine grained privilege and compartmentalization controls instead of the superuser/world distinction built into the OS kernel - and that's still missing in OpenBSD.

What means "secure"?
"[...] Put another way, "secure system" means safe enough to protect some real world information from some real world adversary that the information owner and/or user care about. [...]"
- SE Linux FAQ, NSA

-----

There are mainly two types of secure Operating Systems.
a) Everything up to the C2 level of security
b) Everything from B1 up to A1 (never ever reached by any OS)

The difference is information labeling.
You only get a B1 security certificate, if your OS has mandatory access controls. It must be able to automatically prevent users from mixing secret data with public data. This is often called a "Trusted OS".

Most people don't need information labeling/mandatory access control, because all their data has the same level of sensivity.

TCSEC C2 does not say much about how the OS has to handle privileges, so a C2-level OS can still be very insecure, but it can also be very secure - almost impenetrable - and it still can't ever become certified at B1 or above, because it simply can't handle multiple levels of sensivity.

-----

Let's look at NON-Trusted-OSs first, because most people don't need a Trusted OS:

OpenBSD lacks an uninterceptable audit trail and access control lists as required by TCSEC C2. It distinguishes between world and root privileges.

VMS has an audit trail, access control lists, and a privilege model.

AS/400s have an audit trail, access control lists, a privilege model, an object-based security model with type enforcement and hardware-supported pointer-in-memory-protection because of the single level storage address space, but that does not matter much (think about it as something which is similar to protect-mode on an x86, but based on objects and pointer to objects instead of segments and segment descriptors).

VMS is clearly superior to OpenBSD, mainly because of the privilege model. If a process does not have many privileges, then an attacker can't gain many privileges by hacking it. Simple, isn't it?

An AS/400 is (VMS users listen carefully) clearly superior to both, OpenBSD and VMS. It has a superset of the security features of VMS, and additionally it has object-based protection. Therefore, you can't write to a program object, and you can't execute a data file or things like that.

Now let's look at Trusted OSs:

SE-VMS has an audit trail, access control lists, a privilege model, information labeling and compartment mode.

Solaris with Argus Pitbull has an audit trail, access control lists, fine grained privilege controls plus inheritance rules (proxy privilege sets and so on), a trusted computing base, information labeling and compartment mode (mandatory access controls).

Both are clearly superior to the non-trusted OSs mentioned above, because applications can be totally separated from each other by putting them in separate compartments.
If someone hacks into an application in compartment A, then he/she still can't access an application in compartment B, so he/she is locked down into a jail.

Solaris with Pitbull is clearly superior to VMS, because of the much more sophisticated privilege model. It's more fine-grained and it has inheritance controls, so certain applications will only gain their privileges if they can inherit those privileges from another process. By default, executing another application always drops all privileges.

-----

What I'd like to say is .. 2 things:

1. What about "OpenBSD is the world's most secure OS"? It has a pretty good verified kernel, but it's security mechanisms are simply not powerful enough. A bug-free kernel does not help alot, when you have to run things as root, because the kernel does not have appropriate security mechanisms like privilege controls or compartment mode...

2. What about "Unix can't be secure"? I get really bored by VMS users comparing Standard-Linux with VMS; maybe compare the most secure setup of either Operating System and then let's talk about security again.
HERE is TCSEC B3 certified Unix (Linux-compatible, too).

regards,
octogen

Re:The most secure OS

[foofboy]

Point of order re:
b) Everything from B1 up to A1 (never ever reached by any OS).
There are several OS's rated B1 or above.

From Dynamoo:
B - Mandatory Protection Division B specifies that the TCB protection systems should be mandatory, not discretionary. B1 - Labelled Security Protection As C2 plus:

• Mandatory security and access labelling of all objects, e.g. files, processes, devices etc.
• Label integrity checking (e.g. maintenance of sensitivity labels when data is exported).
• Auditing of labelled objects.
• Mandatory access control for all operations.
• Ability to specify security level printed on human-readable output (e.g. printers).
• Ability to specify security level on any machine-readable output.
• Enhanced auditing.
• Enhanced protection of Operating System.
• Improved documentation.
• Example OSes are: HP-UX BLS, Cray Research Trusted Unicos 8.0, Digital SEVMS, Harris CS/SX, SGI Trusted IRIX.

B2 - Structured Protection As B1 plus:

• Notification of security level changes affecting interactive users.
• Hierarchical device labels.
• Mandatory access over all objects and devices.
• Trusted path communications between user and system.
• Tracking down of covert storage channels.
• Tighter system operations mode into multilevel independent units.
• Covert channel analysis.
• Improved security testing.
• Formal models of TCB.
• Version, update and patch analysis and auditing.
• Example systems are: Honeywell Multics, Cryptek VSLAN, Trusted XENIX.

B3 - Security Domains As B2 plus:

• ACLs additionally based on groups and identifiers.
• Trusted path access and authentication.
• Automatic security analysis.
• TCB models more formal.
• Auditing of security auditing events.
• Trusted recovery after system down and relevant documentation.
• Zero design flaws in TCB, and minimum implementation flaws.
• The only B3-certified OS is Getronics/Wang Federal XTS-300.

A - Verified Protection Division A is the highest security division. A1 - Verified Protection As B3 plus:

• Formal methods and proof of integrity of TCB.
• These are the only A1-certified systems: Boeing MLS LAN, Gemini Trusted Network Processor, Honeywell SCOMP.

A2 and above Provision is made for security levels higher than A2, although these have not yet been formally defined. No OSes are rated above A1.

Re:The most secure OS

[octogen]

There are several OS's rated B1 or above.

i c, my fault, should've been:
Everything from B1 up to A1 (A1 never ever reached by any OS).

Boeing MLS LAN and Gemini Trusted Network Processor are Network Components, not Operating Systems. Honeywell SCOMP is an integrated computing platform, running Getronics XTS/300.

XTS/300 without SCOMP is only evaluated at the B3 level.

Re:The most secure OS

[evilviper]

I have to say that the only place we are in agreement is: depends on what you call "secure".

Theo calls an OS with a very limited, trusted set of applications "secure"

No, that's what he has called 'Secure By Default'. The extensive audits of the kernel, and continual task of removing privlidges wherever possible, IS security IMHO.

I'd call an OS secure, if you can only hack it by exploiting a bug inside the OS kernel.

So, stick everything into the kernel (apache, OpenSSH, etc), and you've got your wish. May I suggest you work on a new definition of a secure OS...

it is neccessary to have fine grained privilege and compartmentalization controls instead of the superuser/world distinction built into the OS kernel

No. In fact, something like systrace can do the job even better than sticking it in the kernel. Besides that, 99.9% of programs could be run as normal users (not root) if OpenBSD had TCP/UDP port ACLs. If that was done, you could finely control the permissions for each account, thereby each service. I do this for many programs that don't bind to privlidged ports, and it works nicely. For programs that need privlidges, chroot does a good job of limiting the privlidge of a service. One again, the job of chrooting services is not the kernel's, but a regular program.

OpenBSD lacks an uninterceptable audit trail and access control lists as required by TCSEC C2.

Hmm, isn't that just what remote-syslog would provide? Besides, for there to be a hidden store of information locally, that means you have to begin removing some of the power and flexibility that Unix gives you. I like remote logging much better than my OS limiting what I am allowed to do.

you can't write to a program object, and you can't execute a data file or things like that.

That doesn't sound like much of an advantage to me. Regular users already can't write to root-owned programs. If we are talking about root privlidges, then I'd like to be able to strip my executables, and otherwise modify them as I see fit. Besides, where's the security advantage there? I just don't see it.

A bug-free kernel does not help alot, when you have to run things as root, because the kernel does not have appropriate security mechanisms like privilege controls or compartment mode...

You DO NOT have to run much of anything as root, and if you do, you can pretty well secure it.

You have a kernel fettish. Get over it.

TCSEC B3 certified

How's this: You call an OS with a high NSA rating "secure" - however, I find their methods of classification have nothing to do with real security.

As a matter of fact, an OS could have a blaringly obvious, devestatingly bad security hole in it, while still acheiving just as high of a rating. My point is only that their sole criteria for ratings are not the only factors in security. They are more like a NSA wishlist of things they wish to have. Let's not forget that the NSA is part of the US government... the largest bureaucracy in the world.

Many people consider ACLs to be more secure than Unix style permissions. Despite that, Unix permissions are just as secure, (almost) as flexible, and just as fine-grained as ACLs.

Both the capabities of Unix permissions, and the options for Unix (non-mandatory) access control, goes to show that there is more than one method that results in security. Many people just have tunnel-vision, and don't recognize the alternatives.

If you like the idea of sticking everything in the kernel, fine, but it is not a prereq. for security. Indeed, those functions can very effectivly be done in much simpler ways...

Re:pf? Mature?

[psxndc]

No, but the poster said that a hole in pf would cause a root exploit in the default install. Since you'd have to be root to enable pf in the first place, why bother with the exploit? My point was that since pf _wasn't_ enabled by default, there would be no exploit in the default install without having the root password already.

psxndc

Re:Why no easy installer? - Simple answer

[nurb432]

Its due to the intended audience/market.

If the installer is too complex/confusing for you, then you are not the intended audience.

Not meant as an insult, just reality.

OBSD isn't intended for the 'average' person, but one slightly above that level.

Actually

[waspleg]

I live in my girlfriend's parents basement

and my openbsd server is humming along right beside me, can i be lucky #13?

Theo has a cold

[drwho]

OpenBSD is dying, because Theo has a cold.

Heh...just kidding. But really, we're too dependant on him, and his whims. We need a less ego in the BSD world. Theo DeRaadt, Darren Reed, Dan Bernstein et al can be fine programmers but what's the damn point if they can't get along. OpenBSD's development has too much power concentrated in the hands of too few people. This leads to all sorts of boo-boos and the inability to maintain older code (3.0 just died...ugh!).

I think that licenses are important. They need to be unconfusing. Project developers should find an existing, popular, and well understood license that most closely suit their needs and put their work under that license, rather than create their own. Here is where I fault DJB and Reed for their licensing quirks.

What license is irritating me the most right now is PINE's.

Re:Theo has a cold

[mindstrm]

There is nothing preventing anyone else form developing it further, or continuing to support 3.0

Mirror of the interview

[Zigg]

Daniel has a mirror of the interview at his site.

Re:OpenBSD is crap, heres why - vermillion

[Craig+Davison]

There were bugs in Apache, SSH, sendmail, BIND, etc. that you were vulnerable to regardless of what UNIX you were running. The apache chunked-encoding bug, in particular, had a working Free/OpenBSD exploit before any other OS.
I think you "not being rooted" had more to do with you being a competant admin (whatever that means - keeping shit up-to-date and turning unneeded services off? configuring untrusted services to only run on trusted interfaces?) than FreeBSD being secure.

Re:You don't need root Plex86 is here now.

[Zeio]

Plex 86 is locate here now - http://savannah.nongnu.org/projects/plex86

Old site is down....
RvnPhnx - 2002-Oct-06 22:30 - 0 messages
The old plex86 web site is no more. I was wondering how long it would take for them to take it down, but it is now--the wondering is over. In any case, this is where the work happens--so be it. I have the old cvs still, in case anybody wants to play with it. I may get it posted here, and then branched/modularized, etc.--but the development is going to focus more on the plex86-release stuff for now.

systrace, setGid, ***Cheap OBSD CDs***

[Mana+Mana]

These includes things like a nonexec stack, a chrooted apache, a reduction in the number of setuid binaries

Ahemmm! set[ug]id, both. Also, the addition of Provos' systrace(1), which has been coming along for some time is tres cool, man. Listen, read:

Systrace enforces system call policies for applications by constraining the application's access to the system. The policy is generated interactively. Operations not covered by the policy raise an alarm and allow an user to refine the currently configured policy.

Provos' (the author) systrace webpage on the subject.

CTS. Someone bitched about the installer, and how cooler it'd be, how more ``popular'' OBSD'd be if it came with a purdier installer, cotton candy, and power seats. This flies in the face of how OBSD developers feel about the audience of their OS. `Fuck popular! Popular only brings unwashed numbers and wastes time; they don't handhold anyone.' `Read gaddammit, read!' `If you wont read the fucking excellent manpages, or wont read other included documentation, if you wont search list archives for the same repeated questions (and they will be if you are that stupid) you're a fucking slacker, if you read them and don't understand them, you're a fucking luser.' Sound like an OS that gives a shit about being popular or tolerant of stupid newcomers? I don't think so.

If you're prepared to do the hard work, not expecting handholding and waste anyone's time, you'll be alright. Not for everyone, as it should be.

I have extra new copies of Official OpenBSD CDs, selling them for a song, too. ;) It comes with a dozen OBSD stickers (not sold anywhere else), printed installation instructions, which make installing OBSD a breeze for those not use to this new OS. Just that is worth the price of the regular priced CDROMs, but I'm selling them way below that. $10.98. See sig for details.

Re:OpenBSD's Security is Overrated

[MobyTurbo]

The BSD community should take a hint and start gearing toward usability rather than "superior" security.

If usability is what you're looking for, try FreeBSD instead. One of OpenBSD's goals is to be Secure by Default. Whereas other BSD variants and most Linux distros take an approach of 'turn everything on and let the admin turn off what he doesn't need'

NetBSD, at least as of 1.6, has most of its services turned off by default as well, has an extremely lean install, and runs on even more architectures than OpenBSD. It tends to be optimized towards stability more than security though. Actually, Debian doesn't turn on much by default among the Linuxes I've tried, but it probably isn't as secure as *BSD. (It doesn't have the group "wheel" to protect against root access for a well-known simple difference between BSD and SySV clones.)

Re:Why no easy installer? - Simple answer

[Demonicbunny]

They should really make you use blocks. If you can't convert blocks to megs, then you shouldn't be using OpenBSD.

Unfortunately...

[jhantin]

the Smith & Wesson extraction method destroys the keys. If you need a copy of the clear data, and you're dealing with someone who maintains that "you can have my keys when you pry them from my cold, dead fingers", shooting them won't do you much good. You'll have to either use some sort of subterfuge to sneak off with a copy of the keys or break the keyholder's will with some form of duress.