OpenBSD 3.2 Available

fredrikv writes "Right on time, the files defining OpenBSD 3.2 have moved away from "snapshots" to the 3.2 directory of the OpenBSD mirrors. It is well known as the world's most secure operating system and now sports chroot'd Apache, fewer suid binaries, cool pictures for xdm-logins, a brilliant "antispoof" packet filtering rule and as usual includes lots of small updates and fixes. The files are there. What are you waiting for?"

Re:FreeBSD

The only real advantage that OpenBSD has is hardware crypto accelerators support, but even that is being ported to FreeBSD now. OTOH, OpenBSD isn't even using ELF yet, has no SMP support, less than 1000 packages and most of its developers are total PITA to deal with. It runs on more platforms. I'd say OpenBSD looks like a cheap NetBSD rip-off.

Unfortunately, FreeBSD seems to be plagued by trolls lately

Re:Well, I'm waiting for a downloadable iso

you could probably find one that someone hand-rolled and put up for download, but you'd be a moron to trust it.

It's good, but not that good

[ryanvm]

It is well known as the world's most secure operating system

Whoa, partner. Sure OpenBSD is designed with security in mind, and as far as the BSDs go (which are generally pretty secure in their own right), it's probably the tightest. But it's quite a leap to say that OpenBSD is the most secure operating system in the entire world.

I don't know which OS would get that "award". But I'd have to believe that it'd be something obscure like a tiny, embedded, OS the NSA uses in their crypto equipment or some such.

Re:It's good, but not that good

[LordHunter317]

Bullcrap. We just had to put in a patch to cover a buffer overflow/memory leak issue in UCX For OpenVMS. We know it caused buffer overflow issues becuase we could bomb Sybase sending it large amounts of data. Now there may be no OS-level overflows, but your statment is just ludicris. Our code is one walking buffer-overflow. Kernel != System, and just because the kernel is secure doesn't mean the system is.

Otherwise, I tend to agree, but OpenVMS is bi*ch to configure.

Re:It's good, but not that good

[octogen]

(Buffer overflow exploits? No such thing in VMS.)

Ok, so you believe, programs are absolutely immune against buffer overflow exploits on OpenVMS?

Then I'll show you a simple example of a buffer overflow exploit on OpenVMS/Alpha.

---

The victim program compares a user-supplied password with a password stored inside a file.

I wasn't able to include the source code, because I always get errors like "Your comment has too few characters per line (currently 24.5)." if I do.
Email me, if you'd like to get the complete source code, and I'll send it back to you.

$ cc vmshackme.c;1

strcpy(l_input, input); .^
%CC-I-IMPLICITFUNC, In this statement, the identifier "strcpy" is implicitly declared as a function.
at line number 66 in file $DKA100:[USERS.OCTOGEN]VMSHACKME.C;1

if (strncmp(l_input, l_pass, _max_pwd_len) == 0) .....^
%CC-I-IMPLICITFUNC, In this statement, the identifier "strncmp" is implicitly declared as a function.
at line number 68 in file $DKA100:[USERS.OCTOGEN]VMSHACKME.C;1
$ link vmshackme.obj;1
$ type pass.pwd;1
openvms
$ run vmshackme
openvms
Password correct
$ run vmshackme
os400
Wrong password, try again.
$

-----

The program works, as you can see.

Now I'll type in a bit too much:

$ run vmshackme
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Pass word correct
$

-----

What I'm exploiting here is nothing else than a simple example of a buffer overflow.

Even if you can't execute arbitrary code (and I'm quite sure you can do that, too!), you can still damage data structures, data pointers, numeric values like buffer offsets and many other things - so there are a lot of possibilities left for exploiting a buffer overflow vulnerability.
AS/400s have hardware protection for system pointers, so they are even more secure than OpenVMS. But even on AS/400s you can still damage space pointers, and I'm quite sure, this example program would even work on an AS/400.
It might not be possible to execute arbitrary code on an AS/400, but you can still damage many things by exploiting buffer overflows.

---

regards,
octogen

Re:It's good, but not that good

[octogen]

VMS is architected such that overflowing data cannot be executed

The same is true for Solaris/SPARC, if you configure it correctly.

You don't need to execute overflowing data, it can even be enough only to change a function pointer, and the program would run some code which was already there before the overflow occurred.

This code would be executable, because it's simply a part of the running program or of a library used by the running program.

Just changing some piece of data which gets passed to a system call can also be enough to break security.

From a technical point of view, applications on OpenVMS are just as vulnerable to buffer overflow exploits as applications on Solaris/SPARC (with noexec_user_stack set to 1).

On both OSs you can't execute overflowing data.

But on both OSs you can (sometimes) circumvent this sort of protection.

security

[MoceanWorker]

It is well known as the world's most secure operating system

That is true.. if you do a default installation and make absolutely no change to any of the services that come installed with it.. that's why it was secure for 4 something years.. but they didn't mention that if you had an old BIND version at the time it would still be "secure" :-)

Re:security

[c13v3rm0nk3y]

It's pretty common to run a few releases back on important and complex daemons like BIND, or Sendmail.

There is little value in going to BIND 8 or 9 if it has not been audited by the OBSD team first. BIND 4 is well understood and the faults, warts and bugs are well-known. BIND 8 is still new enough that it is considered an unknown.

This is one of the downsides (if you consider it a downsid) of trying to be "secure by design".

Of course, OBSD is free, as in beer and as in speech. This means you can run a parallel box with BIND 8 or 9 (or whatever) yourelf until you deem it safe. The responsibility is now yours to maintain security on that chunk of the OS, but everything is a trade-off, especially in host security.

BIND 8/9 will eventually make it into a future release. 99% of us do not need it, however, and so having a well-known and secure BIND 4 implementation has more value for the rest of us.

Re:Threading issues resolved?

I'm not sure I understood all of your complaint. What do you mean about two processes being hit at the same time? Is it possible to observe this on uniprocessor machines?

In any case, I seriously doubt that Solaris is any less vulnerable to such a problem than BSD. The people at Sun may work hard on their scheduling algorithm, but the BSD scheduler was written by Steve Woston himself, and is probably the best in the world.

Re:what happened?

[grub]

..when the holes in OpenSSH and -SSL were found.


The OpenBSD folks do make OpenSSH but not OpenSSL.

New songs too...

[millert]

The 3.2 song is available via ftp from:
ftp://ftp.openbsd.org/pub/OpenBSD/songs/
ftp://ftp.usa.openbsd.org/pub/OpenBSD/songs/

(other mirrors have not caught up yet)

The lyrics are available from:
http://www.openbsd.org/lyrics.html#32

Re:what happened?

[LordHunter317]

The OpenSSL holes have nothing to do with OpenBSD, they are built by a seperate team. 3rd party auditing of the source (which is what OpenBSD does for stuff it doesn't directly develop) won't find everything.

The OpenSSH hole was to be expected, and was long past due. No software is perfect, this just proves it. Face the facs, it'll happening sooner or later.

I don't see what you mean what gee-whiz hardware. Hardware support is still pretty far down on the list, and even my new system is about 80%% supported at best. Security is still the critical issues, but the development teams is humans, and humans miss things.

Flashy features? Again the same thing. The reason I use OpenBSD is because it isn't so darn flashy. That and it just runs.

Path to shame? I think the 3.0 series has been the best yet, and the most innovative. I think it will continue to be too.

Re:what happened?

[c13v3rm0nk3y]

For a while there I wasn't sure they'd ever get another release out...

This puzzled me. I've been running an OBSD router since 2.6 (and we've been running it at work since 2.8). The releases have been coming out pretty much every 6 months, haven't they?

I upgrade about once a year, so I often skip releases, but I think they've only missed the release dates a few times, and only by a week or so.

Bugs will be found, which (of course) is the point of the OBSD project. I just don't see any shame in that. Lot's of organizations get compromised. The real test is how the organization reacts and recovers.

*shrug* From my POV, the releases have been getting better and better. I can't imagine running anything else as an edge box.

Of course, I may be wrong. Even openbsd.org runs Solaris!

yes, we need SMP

[mainmain]

BSD is great, but it's just not going to make inroads into the server market without SMP. It's fine for us amateurs with racks at home and 384k upload at best, but for business that really need to crank it up, OpenBSD falls short.

What's great about Open over Free (and most Linux distros) is simply that one can go from zero to installed, up and running in no time flat. The need to secure the OS is minimal (though as another said, why portmap and why inetd?), which also greatly reduces time to production. And no worries about all of those "extra" packages that one doesn't want installed that get installed whether you like it or not, and then having to find a way to yank them out.

That said, yes, I pre-ordered my CDs.

Jud.

Re:Most Secure OS

I don't have local users I don't trust

you have users you can trust? god, do i want your job.

my users can't be trusted to follow the simplest directions. EVERYTHING better be automatic and iron-clad or they will find a way to break it.

Re:Same horrible fdisk and disklable process?

[dazdaz]

I often wonder if it's kept in order to keep an element of elitism attached with OpenBSD. Afterall look what happened to Linux.

if you have the bandwidth for isos you have it for

[waspleg]

1.44 floppy net-based installs, which is what i usually use and i've been using openbsd since 2.5

just because there are no "Official" iso's does not mean that they are not available from "Unofficial" sources just look around but you really should support hte project if you can

(the t-shirts/posters/stickers are all cool and the later can only be found w/ the official cdrom distribution)

my personal server (which is used primarily for NAT and personal ftp) has been running OpenBSD for years and it's certainly hte most elegant and simply designed UNIX based system that I've ever used and is far more intuitive and secure than Linux (which i have also dealt with since '95 and presently have a debian desktop machine running under my desk so no flames please) by default.. anyway my $.02

here is a link to the floppy internet based install instructions: http://www.openbsd.org/faq/faq4.html#Media

Re:FreeBSD

[Telent]

To sum, you have a stripped down no-nonsense OS with all of the unnecessary crap tossed out of the default installation and available as ports and packages to those who want it. The perfect OS for those who want a secure router, and/or single/few-function server. This isn't an appropriate choice if you need more than a commandline, really, and there's a fair amount of pride amongst the user community over that.

Uhhhh... I hate to be rude, but what crack are you smoking?

"Few-function"? Right now, off the top of my head, I use OpenBSD for:

• POP3/IMAP4/SMTP mail
• FTP
• Samba backups for Windows clients at my place of employment
• Apache web server with PHP, Perl, CGI, FrontPage includes, and all those other nifty modules
• IRC server
• Firewall (NAT'ing)
• Router

This is all on my servers, both at my work and at my home. These do not even have a GUI installed... but if you want more than a command line, that has it, too. I mean, it's *really* difficult to install the x* .tgz bundles when you're installing, then configure your X server and install your favorite window manager from ports. Took me all of five minutes, last time I did it.

That brings me to my desktop. I use my computer for a lot of stuff. Mail, web surfing, 3D modelling, test compiles, image editing, HTML editing, writings (technical and otherwise), media playing (Flash, DVD's, mp3's, CD's), and much, much more. This computer, a PIII 850 laptop, runs single-boot OpenBSD 3.1-stable, soon to be 3.2 (after I write this post.) I use Enlightenment, and damn, but it *flies*.

No, if you need your hand held on every single little thing, or you're scared off by a text installer (which, by the way, is easier than any GUI installer I've ever used), then PLEASE stay away. But if you can handle changing a few of the ways you think, give OpenBSD a try as a desktop. You may just like it.

(And just as a data point, I started out with OpenBSD. My first *nix experience, except for a tiny bit of Red Hat several months before, which I *hated* - not flaming, just saying it wasn't for me. I managed to get to the point where I am with it without getting flamed on the lists once, and it's because when I have a problem, I RTFM and STFW. If you're capable of doing the same, it's a refreshing change from the other user communities.)

Re:Please provide .iso's

"What do others think?"

Well, I think you are lazy. Download the install files, download the bootdisk, run mkisofs using the bootdisk file as the bootable image for the cd, cdrecord dev=0,0,0 speed=8x -data obsd.iso and you have a bootable cd image. Hrm. Anyways, THAT is what I think. Alternatively, you could download an .iso that someone else made. Google is your friend. Empower yourself, that is the primary benefit of Free Software.

Re:Same horrible fdisk and disklable process?

[psxndc]

No offense man, but by the 10th time you should have figured out you can use "M" and specify megs for partition size. Accept the default locations on the disk and guestimate in MB on what you need for /, swap, /tmp, /var, /home, and use the rest for /usr. Each time you add a partition, it will place the start of it after the end of the last one. Easy as pie.

Yes, the disk partitioning is the least intuitive part of the install, but it only took a complete newbie like myself a few times (3, maybe 4) to feel comfortable with it so I think you might have missed something in the documentation. I was using "Building Linux and OpenBSD Firewalls" at the time as well, but it's all there on the screen for you.

psxndc

Re:FreeBSD

[CoolVibe]

Does OpenBSD have a working DRI/DRM/GLX working? Guess not. FreeBSD's works a treat. Also, performance on FreeBSD is snappier, there's SMP support, ELF binary format, sane dynamic linking. All stuff OpenBSD does not (yet) have.

Nah, stick to FreeBSD for your desktop. OpenBSD might be secure and great for firewalls, bastion-hosts, but for a large multiple CPU server box, I rather use FreeBSD, Linux or Solaris.

Re:FreeBSD

Cool...when oh when will sendmail be turned off by default? I do not care if it is only listening to localhost, I want it turned off by default and I do not want to rely on a real mail server for logs to to be mailed to root.

Re:Still won't boot above 8 Gig- IDIOt

[grub]

OpenBSD is a SERVER operating system. 99.99999% of the people using OpenBSD use OpenBSD as a SERVER

Rubbish.

The OpenBSD ports tree, while not as brimming with goodies as FreeBSDs, has loads of software for use on the desktop.

My desktop *NIX boxes at home and work are both OpenBSD with lots of decent software installed via ports. I hardly think that developers would bother making a port of only .00001% of the users would use it. In fact a number that low would be a partial user. Perhaps a finger or two.