Slashdot Mirror


OpenBSD 4.8 Released

Mortimer.CA writes "The release of OpenBSD 4.8 has been announced. Highlights include ACPI suspend/resume, better hardware support, OpenBGPD/OpenOSPFD/routing daemon improvements, inclusion of OpenSSH 5.5, etc. Nothing revolutionary, just the usual steady improving of the system. A detailed ChangeLog is available, as usual. Work, of course, has already started on the next release, which should be ready in May, according to the steady six-month release cycle."

3 of 176 comments

  1. Re:Have they decided to implement security yet? by SoupIsGood+Food · Score: 3, Interesting

    OpenBSD's claims are based on clean code, well-written documentation and sensible defaults, not a baked-in or bolt-on MAC system (which in this case stands for Mandatory Access Controls.)

    Because it can be bolted on, it's not really a criticism of the OS itself. To be fair, jails get you 90% of the way there - MAC systems were hot stuff on multi-user systems, but most Unix installations these days are single-seat workstations or back-end servers in the new "appliance" model which don't have any human users at all apart from the admin. Applications can be effectively protected from each other with jails... so an elaborate MAC system is kind of a waste of time in most cases. Maybe in a few specialized file-server scenarios, it might come in handy... but it's pointless for a box running a LAMP stack.

    Oh, wait, OpenBSD doesn't run jails, and the devs tell you to screw off and die whenever they're asked about it.

    I suppose they still have clean code and sensible defaults. You just need to buy a new server every time you want to isolate applications from each other.

    But this isn't actually a security issue, this is a developers-up-their-own-fundament issue.

  2. Re:Have they decided to implement security yet? by metrix007 · Score: 4, Interesting

    I can't believe you got modded up. MAC is not bolted on at all, it is a kernel patch. This means you end up with a different kernel, where MAC is implemented from the ground up.

    Equating MAC to jails also shows you simply don't understand what MAC is.

    • If your webserver is compromised in a jail, can the webpages still be defaced? Yep. Not with a proper MAC policy.
    • Running third-party software that the OpenBSD team did not audit themselves which gets pwned? Far less likely with MAC. If the machine is exploited, minimal damage can be done.
    • Need to restrict access from root to satisfy legal or policy requirements? Not possible with the outdated root = god model. It is possible with MAC.
    • Want to restrict the permission a process has, instead of automatically granting it the same full permissions your user account has? Not possible on OpenBSD, possible with MAC. No, systrace doesn't cut it.

    The industry is slowly heading toward implementing MAC in some form, because DAC (Discretionary Access Control, the current standard) is simply inadequate. It's not all SELinux; Microsoft have Windows Integrity Levels where low privileged processes can't write to higher level processes, Ubuntu has AppArmor, etc. The industry is heading in this direction because we realize that allowing all programs to have the full set of permissions equal to the user it is running as is not ideal.

    The OpenBSD team stand out in their flat-out rejection of the very idea, considering it to be too complex (does not have to be, see SMACK, TOMOYO or AppArmor), or horribly understanding it to the point they equate it with an ACL. IIRC Theo has said in several interviews it is basically security theater and not useful, which is just ignorant. Given they tend to actually ignore security vulnerabilities and argue rather than admit and fix them, the project doesn't seem that security focused to me.

    Sorry, but I will take a fairly secure system that grants me the granularity to protect myself in the case of an attack, as opposed to a system which claims awesome security because it comes with almost no current software and nothing running by default.

    --
    If you ignore ACs because they are anonymous - you're an idiot.

  3. Re:Audio on BSD? by TheRaven64 · Score: 5, Interesting

    OpenBSD has gone down the userspace sound daemon route, with aucat. This is much simpler than something like portaudio and provides userspace sound mixing. I generally prefer the FreeBSD approach (fully working OSS 4 compatible, with high-performance low-latency kernel sound mixing), but the OpenBSD approach (like everything else in OpenBSD) trades a little performance for a lot more security.

    --
    I am TheRaven on Soylent News