OpenBSD 3.3 Released
An anonymous reader writes "OpenBSD 3.3 was released today, with many new features, including integration of the ProPolice stack protection technology, W^X ('write xor X') on sparc, alpha and hppa, privilege separated XFree86 and an incredible number of enhancements and stability improvements to the packet filter, pf, including address pools for reverse NAT/load balancing, ALTQ integration for network conditioning, and anchors/tables/spamd for spam tar-pitting. Information on the release can be found here and download sites are listed here. (Also, here's a handy way to speed up your DSL connection - prioritizing empty TCP ACKs and ToS low-delay traffic with OpenBSD 3.3's pf.)"
Let's not forget about the OpenBSD Song
-dk
I'm continually impressed by the amount of improvements in each new release of OpenBSD, the frequency of the releases (6 months), and the sheer amount of value that each new release brings.
If anyone hasn't tried OpenBSD yet, give it a shot - you're certain to appreciate the quality that goes into it.
Comment removed based on user account deletion
Why should someone who's using linux be interested in OpenBSD?
-1 Uncomfortable Truth
...from someone *besides* Apple, OpenBSD is the bank they should look at!
Aside from maybe the esoteric trusted OSes (i.e. Trusted Solaris), is there really another "mainstream" OS people can just rely on for security?
Hell, Bill G oughtta just start waving $$$ in front of Theo and company until they all say "OK, that will do" and join MS to show them Redmond boys the Right Way (TM) to lock down an OS*!!!
* of course the Office team would no doubt open right back up any holes the new security-conscious OS team closed down...
I'm not done d/l'ing it yet! And it was slow *before* it got /.'ed!
Mix the failings of Usenet with the shortcomings of the World Wide Web and the result is slashdot.
I've been using FreeBSD on my servers as of fairly recently and so far I love it. As a result, my interest in BSD in general has grown. I was looking just today at OpenBSD and NetBSD features. OpenBSD looks fantastic and I was about to give it a whirl when I realized they don't support SMP. Now this wouldn't be an overly huge issue if it were primarily a desktop OS. I applaud all the work that has obviously gone into this project. But I will be overjoyed the day I see SMP added to the new feature list. This is NOT a troll. I think the way it stands is extremely impressive. I just want to express my sincere desire to see SMP support. =)
This is great news, or would be, if OpenBSD would actually work with our hardware. We use KVM switches that have a mouse and keyboard plugged into a USB hub. OpenBSD just doesn't have good enough USB support to even install with a keyboard through a hub. And no, changing 'usb legacy support' in the BIOS does not help the problem. It is a pity. The Linux kernel has the same issue; however, all recent versions of Windows work fine with it.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Just to clarify that, W^X is not "write xor X", but "write xor execute". It's a new policy that OpenBSD uses to specify whether memory is writable or executable, but not both.
This helps prevent buffer overflows on the architectures that support it (sparc, sparc64, alpha, hppa) in that any memory that can be written to cannot be executable, and vice versa - so even if a buffer overflow succeeds in overwriting memory, that memory cannot be executed (or, the memory cannot be overwritten in the first place if it is executable).
Also note that W^X is also available on x86 in -current.
I have no pants and I must scream
the packet filter, pf, including address pools for reverse NAT/load balancing, ALTQ integration for network conditioning, and anchors/tables/spamd for spam tar-pitting.
Oh WOW!
My prayers for the packet filter, pf, including address pools for reverse NAT/load balancing, ALTQ integration for network conditioning, and anchors/tables/spamd for spam tar-pitting have been answered!
Thanks OpenBSD! Thanks for the World!!
Who are y oo ?
While I certainly can't say that "this is ALWAYS the best way to run things", I find it helpful to split up tasks according to what I view as the respective strengths of each OS.
Firewall, Mail, and DNS I handle with OpenBSD (running Postfix and DJB's tinyDNS), and my actual website gets run on FreeBSD 5.0 in order to take advantage of SMP - a very, very stripped down FreeBSD, I might add. Looking at my loads, I'm considering setting up a secondary OpenBSD machine strictly for the apache processes, and leaving the FreeBSD machine as an ultra-stripped down DB box.
For the small business network this seems like a fairly optimal way to handle it.
When OpenBSD gets SMP (if ever), they'll effectively run my network - although a software monoculture has as many weaknesses as it does strengths (plus side: everybody uses Mozilla mail instead of OE, minus side: the first OpenBSD root exploit and you've lost the entire network).
--Ryv
Ahh, now I remember what I pay the school that monthly fee for. ~300 KB/s download for the whole thing.
I find it odd that they don't provide instructions on the site anywhere easy to find on providing mirrors. I'd like to, but fucked if I can find where.
Did anyone else find that the mirrors aren't complete yet?
-- Bill "Houdini" Weiss
...but to stay on topic, it sounds good, I will wait a week before even attempting to download it and throw it on a spare partition on my server. Quick question, is this ProPolice by Hiroaki Etoh which is integrated into OpenBSD's 'system compiler' the same as the stack protector patch for GCC developed by Hiroaki Etoh at IBM, as previously mentioned on /. concerning the new Trusted Debian 1.0 release, just without the fancy 'ProPolice' name?
Maybe someone can explain this to me. As I probably misunderstand it, Darwin is based on BSD, so presumably any improvements in OpenBSD are easy to migrate to Darwin and OS X?
When can I expect to get my security enhancements in OS X?
Some drink at the fountain of knowledge. Others just gargle.
Regarding various troll-slams on OpenBSD... I dunno, I'm using OpenBSD and it's great. Nowhere to go but up, as far as I'm concerned. FreeBSD and NetBSD don't have much of a value proposition in my book compared to mainstream Linux distros, but if you want a secure webserver (or network appliance) without having to patch the thing all the damn time, OpenBSD seems a heck of a lot better than any Linux variant.
That said, I'm not dogmatic about this; it's just the conclusion I've come to based on the evidence I've seen so far.
--LP
If I remember correctly, benzedrine.cx is hosted on a 512K/128K ADSL line.
That type of connection cannot take the /.ing.
Privacy? Not in this lifetime.
With the new normal FAQ upgrades also comes the new PF FAQ:
http://openbsd.org/faq/pf/index.html
spamd, a spam deferral daemon, can be used to tie up resources on a spammer's machine. spamd uses the new pf(4) table facility to redirect connections from a blacklist such as SPEWS or DIPS.
-- Probably questionable legality and ethics on that one, being a real tool in the battle against what some call 'free speech'.
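What the table/rdr setup described in the PF FAQ excerpt above looks like in OpenBSD 3.3 pf.conf syntax; this is an added example, not the FAQ's own text, and it assumes the external interface is `kue0`, that spamd runs on its default 127.0.0.1 port 8025, and that spamd-setup(8) fills the table from the blacklists listed in spamd.conf.

```conf
# Added example (not from the PF FAQ). Assumes the external interface
# is kue0, spamd listens on 127.0.0.1 port 8025 (its default), and
# spamd-setup(8) loads the blacklists named in spamd.conf into <spamd>.
ext_if="kue0"

# Table of blacklisted sender addresses. "persist" keeps the table
# around even while it is empty, so spamd-setup can fill it at boot
# or from cron without the rule below ever failing to load.
table <spamd> persist

# Any SMTP connection from a listed address is redirected to spamd
# instead of the real mail server; spamd answers very slowly and
# never accepts mail, tying up the sender (the tar-pit).  Addresses
# not in the table are untouched by this rule.
rdr pass on $ext_if inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
```

Check the loaded table with `pfctl -t spamd -T show` after spamd-setup has run; an empty table means no redirection happens.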
try { do() || do_not(); } catch (JediException err) { yoda(err); }
I was quietly downloading the packages, and then you had to send the /. hoards after it. Now their bandwidth is shot to hell. I mean, I'm all for sharing, but I wanna get my copy before I start sharing... ;-)
ehintz
I have only two words for you.
Wonder Shaper.
*BSD is dying to announce that it has once again improved that which was already considered perfect.
Way to go!
Saying your OS is the best because more people use it is like saying McDonald's makes the best food
That was all the fun of DOS assembler programming...
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
For those running Mac OS X, there is an application called Cocktail that will let you turn off delayed ACKs.
I prayed about it, and God said, "Don't do it!" But I thought, "I know better."
Yeah, I know. But I was hoping for a kernel patch.
Wonder Shaper is a bit complex to set up if you only need this thing.
can someone plz set up bittorrents for these, or something... i've been waiting since last month to set an obsd box up.. because i wanted this release =)
And, no, I should not have used the goddamn Preview mode first.
Also, good luck getting a JDK/JRE to run here. HAHAHAHAHAHA. Fuckers.
I must have good karma. Can I have a beer, please?
Google cache can be found here.
http://www.google.com.au/search?q=cache:4jbVxQi
a zu 4C:www.benzedrine.cx/ackpri.html+&hl=en&ie=UTF -8
.. sorry for the plain old text.
PS
HTML is my not so good
it's available on BudgetLinuxCDS.com for only $3
I've been waiting for this release for a number of months now and want to express my gratitude to the OpenBSD folks. Of course, that means buying a few more of their CDs. Heh, heh... Shameless support for my favorite OS. What's in their best interest is in the best interest of my computing environment, right? Good!
Now where is that post I wrote a few days ago about building a new distro called AbiertoBSD out of used car parts?
Hm.. you flame BSD and you flame Linux. Does that mean you hate them both and prefer Win/Mac/Sun? Or does that double-sided hatred actually mean you love them both. When in doubt, mod flamebait!
Damn, that business with the prioritizing ACKs sounds fantastic! I have the same setup as in their example (ADSL 512Kb down/128Kb up) and always have to put upload limits on filesharing programs so they only upload at maybe 11KB or 12KB per second, 'cos if I let them hit their full 16-ish KB/sec, the downloads choke and die.
I might have to salvage some crappy old box from work and see if I can't set it up as an OpenBSD gateway..
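The ACK-prioritising trick mentioned in the summary and in the post above, written out as an OpenBSD 3.3 pf.conf fragment using ALTQ's priority queueing; this is an added example, not the benzedrine.cx page's own configuration, and it assumes the DSL interface is `kue0` and an upstream rate of 128Kb/s.

```conf
# Added example (not from the linked ackpri page). Assumes the DSL
# interface is kue0 and the upstream link is 128Kb/s; the queue
# bandwidth is set a little below that so packets queue in pf,
# where priorities apply, rather than in the modem's buffer.
ext_if="kue0"

# Two priority queues on the outbound interface: q_pri for empty
# TCP ACKs and ToS low-delay packets, q_def for everything else.
# Higher priority number wins; q_def is the default queue.
altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

# With two queues named in "queue (q_def, q_pri)", pf puts empty
# ACKs and packets carrying the low-delay ToS bit into the second
# queue and all other packets of the connection into the first.
# Downloads keep flowing because their ACKs no longer wait behind
# the upload traffic filling the uplink.
pass out on $ext_if proto tcp from $ext_if to any flags S/SA keep state queue (q_def, q_pri)
pass in on $ext_if proto tcp from any to $ext_if flags S/SA keep state queue (q_def, q_pri)
```

`pfctl -vvsq` shows per-queue packet counters, so you can confirm that ACKs are actually landing in q_pri while a large upload runs.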
Are there any real programs that ever modify their own code, or compilers that output code that does so? OpenBSD seems to be assuming not, and I'd guess they've done their research, but it seems that whenever you forbid something that used to be legal you're inevitably going to break something that used to work.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Classic VM (build 1.3.1_02-b02, green threads, nojit)
Good luck getting performance on that vm...
For the ones not willing to change their OS only for the traffic shaper DSL trick, here's the link for Linux (including many other very interesting things...): Linux advanced routing and traffic control
enjoy it!
Q.
..secure as Windows. Thats what I want to know.
http://saveie6.com/
Plus it mentions RH 6.2, I doubt anyone is running a website on that anymore (shudder).
HAH! I know of *many* sites that use RH 6.2 boxes for serving, and even some that use RH 5.x distros as well. Just because RH no longer rolls their own fixes doesn't mean that the distros have dried up. Many sysadmins would rather manually update the software on their servers than go through the trouble of migrating to yet another distro.
There are also those that use a heavily locked down ancient distro for serving. Apache is kept current and everything else is closed. This is even easier to do in an environment where each task has its own server. If it ain't broke, don't fix it.
I'll tell you what, there is no way in hell that I would ever use RH 8 or 9 for a server. Even a bare bones install has way too much BS. For my needs, Debian does my Linux needs quite well. As do IRIX and Solaris. RH is great for the desktop, but nutty crazy for server use.
Oh it isn't that bad. Pull the network plug and clean up the mess. Preserve the corrupted files for later and restore from your backup. (you DO have a backup, right?) and then use the RPM database to verify all of your binaries to make sure you weren't owned when you made the backup. Verifying the critical files against the installation media will ensure against a trojaned rpm/database.
Then once you are clean again, examine the saved files and try to figure out how they got in. Learn from your mistake and carry on.
Happened to me a couple of times, usually when I make a mistake in configuration or don't keep up with the errata. Yes, I'd like to connect electrodes to the script kiddies' testicles, but it really isn't something to get bent overly out of shape over either.
Democrat delenda est
The latter. I just wanted to get in on the argument that people always bring up in BSD articles.
I didn't need that karma anyway.
[insert witty quote here]
Superbad's just a site I thought was sort of a creative 'web as art form' project. My site's yet another typical game review site with yet another 'dark, angsty, hateful of most games and their developers so we say 'fuck' and 'cunt' a lot' propped-up teeny-bopper edginess to it. It sucks pretty hard but we seem to get a lot of traffic *shrug* - overall I think it's better for the Internet if people go to superbad.
Just bought the CD... $40... not bad for 5 separate compiles on one cd... I'm going to take an old iMac DV (incapable of quartz extreme) and lock it down!
||| I still can't believe Parkay's not butter.
Uh, this is bullshit.
The kernel part (which Linux already has, QoS) is complex to set up, and wondershaper is just some shell scripts which make it *really* easy.
This is good news for the OpenBSD community indeed, but rather than downloading, you might consider buying the CD set from a retailer near you to fund further development. Given the recent funding issues, now couldn't be a better time to support this superb open source project.
Like tinyurl, but one letter less! http://qurl.co.uk/
MS Windows NT family (ie. NT, 2000, XP, 2003) has a MUCH better security model than any UNIX I've seen, OpenBSD in particular.
Are you friggin serious?!?!?
How can anyone honestly say that Microsoft has a better security model? OpenBSD has had 1 root compromise in the default install in 7 years.
Yes, more features, more code, more holes, plain and simple. It's not even that OpenBSD lacks features, they're just not point and click easy, and maybe that's a good thing. It keeps any num nuts with a pirated version of XP (go registration) from polluting the net with another machine just waiting to be owned.
If you believe that the NT operating systems from Microsoft have a better security model, fine with me. I would however like to hear the argumentation. OpenBSD's argumentation is their 7 years without root exploits. What is the argumentation for NT being more secure?
If you're going to make claims like that on Slashdot, you better have some good arguments handy.
Had some problems with development tools on OpenBSD because of the ancient binutils.
As someone who is currently ditching redhat for openbsd, I don't care for rc.conf at all.
However, I am certainly looking forward to not upgrading my kernel/glibc every three months. My complaints are mostly cosmetic.
Its intended target is secure network services, not as a workstation.
Trying to shoehorn it into that mode would defeat the whole idea of it being secure, as 'un-certified' apps would break that faster than you can blink....
If you want a BSD desktop, go FBSD.. and keep OBSD on your server/firewall/etc where it belongs.....
---- Booth was a patriot ----
Whenever you see a statement like this it's usually referring to the filesystem ACLs where it says "security model".
And the piracy protection in XP is activation, not registration, registration is very different.
There are FOUR icons!
http://www.stinsv.com/TNg/Picard/4lights.wav
Since I never studied operating systems, I should have the university remove that course from my exam papers. Really, you should never assume that people you don't know don't understand a given subject.
Thanks for the link. I'll agree with you. Microsoft has some very good ideas regarding security features. You should have linked to it in your initial post. You often get marked as a troll if you don't argue your claims.
However good MS's ideas are, it doesn't make up for not writing good code. There are no nice features like ACLs if they aren't properly implemented. OpenBSD's strength lies in the quality of their code, while MS tried to implement more security features without auditing the code they already have. OpenBSD attempts to find bugs in the code before they become a problem. MS ignores small bugs, which could become a problem, simply because they have to meet their deadlines. Later on the small bugs may not be as small as they first seemed. Deadlines aren't good for security.
Don't you think it's a bit strange that even with all those nice security features, Windows isn't more secure ?
In theory they can be interleaved. In practice things are frequently not so random. For example, when you call fork on a non-SMP system the parent process gets to use up its time slice before the new child process gets its first chance to run. There might be some (buggy!) code that accidentally does the wrong thing and gets away with it because it does some stuff that needs a lock it will normally be ok. Once in a while it will fail. Not real frequently, just once in a while. On an SMP system, if there isn't anything else running, the child process and parent process will both return from the fork at the same time, and that "once in a great while it goes bad" thing becomes "most of the time it blows up".
That's what happened when Sun became the first major Unix-like system that did real SMP.
I expect there is other stuff that can go wrong going from UP to SMP, and while lots of OSes have done it before, none have the same security bent that OpenBSD does, so there may be security bugs that still are unfixed...
It's possible to play various tricks as a TCP receiver to get a server to send you data as fast as you want. Instead of just prioritizing ACKs, if you split ACKs, send duplicate ACKs, or send ACKs for data you haven't gotten yet, the server will think the connection is great and increase the send window. The details are here.
If you're installing from CD, OpenBSD 3.3 did not contain sendmail 8.12.9. Correct me if I'm wrong but this was fixed in 3.3-current but didn't make it onto the CDs (?). Older sendmail-based servers should use patches 014, 027. See: www.sendmail.org/patchps.html
http://tinyurl.com/4ny52
Yes it is the same ProPolice. Since OpenBSD integrated it into their system, many problems and bugs have been worked out (until OpenBSD glommered onto it, it hadn't been widely used). So with a little luck, it should now slip fairly smoothly into the trusted Debian distro. There is a performance penalty (I believe I've read 10% for OpenBSD), but such is life....
The next major OS release from Sun was to be SunOS 5. Then they got a little marketing-happy and decided to rename their OS Solaris. They said SunOS 4.n == Solaris 1.n, and the new! improved! OS would be Solaris 2.n, and SunOS 5.n == Solaris 2.n. Running uname -a on my Solaris 2.8 box,
SunOS rhonadler 5.8 Generic_108528-08 sun4u sparc SUNW,UltraAX-i2
(And then the Solaris 2.8 == Solaris 8 madness.)
So SunOS is Real Unix (TM) -- whatever that counts for these days. SunOS 4.x is the "Real" BSD, a direct descendant of the Berkeley CSRG's "4.n BSD" on the VAX-11, and has no connection to any of the free BSDs.
So yes, Ballmer doesn't know shit about Unix, but we already knew that.
Unlimited growth == Cancer.
...is the penguin skeleton in the cover art. Subtle.
(This is of course a bug in the application, not the system, but I thought I'd mention it.)
And applications are in the OpenBSD "Base Install".
Which means the base install might very likely have some bugs, which is unacceptable.
I think one of the great appeals of OpenBSD is a very strong preference for known good as the target, rather than "good enough because it is so unlikely to happen".
yeah, on the other hand, you've got so much to say...
I think you're under the mistaken impression that someone, anyone, gives a damn about what you think.
heh, who's the one using the search feature again?
I've just completed a 3.2 -> 3.3 upgrade from source. Things went pretty smoothly.
To test that your stack protection has been compiled into binaries, do this:
strings /path/to/program/binary | grep stack_smash
You should see a line like this (and perhaps others):
__stack_smash_handler
:)
Yay for OpenBSD