Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenBSD 4.8 Released

Posted by Soulskill on from the new-and-shiny dept.

Mortimer.CA writes "The release of OpenBSD 4.8 has been announced. Highlights include ACPI suspend/resume, better hardware support, OpenBGPD/OpenOSPFD/routing daemon improvements, inclusion of OpenSSH 5.5, etc. Nothing revolutionary, just the usual steady improving of the system. A detailed ChangeLog is available, as usual. Work, of course, has already started on the next release, which should be ready in May, according to the steady six-month release cycle."

17 of 176 comments (clear)

  1. Re:fdisk by ashkar · · Score: 4, Insightful

    Their targeted users have no problem with the installation. If you aren't comfortable with the installation tools, you probably wouldn't be comfortable with OpenBSD. A pretty installation method is looking for a solution to a problem that doesn't exist.

  2. OSNews? Thom Holwerda? Seriously? by Anonymous Coward · · Score: 4, Insightful

    You're taking some random blog article linked to by Thom Holwerda at OSNews seriously? Those are your three strikes, and you're out, my friend.

    Look, the OpenBSD team knows exactly what they're doing. They're some of the brightest minds in the field. They have many years of experience with real-world security. They've been around long enough to know that there are something things that sound totally fantastic in theory, but in practice they're a complete failure.

    Many advanced security approaches fall directly into this theoretically-great-but-actually-quite-shitty category. They end up being difficult to implement, and end up being full of security flaws and other holes. They end up causing the very things they're supposed to avoid! Thankfully, the OpenBSD developers know this, and smartly stick with a model that's been proven successful over the couse of 40 years.

    1. Re:OSNews? Thom Holwerda? Seriously? by machine321 · · Score: 5, Insightful

      The point of the article is that while the base system may indeed be very secure, it is practically useless.

      1998 called, they want their rationalization back. Besides, just about everyone turns off SELinux when they want to actually get work done.

      Is lighttpd any more secure on OpenBSD than on Linux? No.

      Good thing they have an audited, privsep, chrooted version of Apache, then.

      With SELinux, you need not only a local privilege escalation, but a hole in SELinux as well.

      Bullshit.

      I would argue that OpenBSD may be secure by design, but SELinux is, in practice, more secure.

      Adding complexity rarely increases reliability.

      I would be absolutely ecstatic if OpenBSD implemented something more like SELinux in terms of privilege separation.

      The Stephanie project worked towards doing just that, but it appears the project died several years ago.

    2. Re:OSNews? Thom Holwerda? Seriously? by Menkhaf · · Score: 3, Informative

      Sorry man, that's not a highlight. It's a link.
      I, uhm.. think you may have missed out a bit on the Internet. Here, I'll give you a link to start with: http://www.bing.com/ -- happy binge!

      Besides, the mentioned "bullshit" was half way into his post. If you just read the first few words, I think he's happy.

      --
      A proud member of the Onion-in-Hand alliance
    3. Re:OSNews? Thom Holwerda? Seriously? by TheRaven64 · · Score: 5, Informative

      For example, if you need to build a web server, you might pick OpenBSD because of its "secure-by-default" mantra. But what does that really buy you? You still need to run web server software, which is going to be the vector for any attack.

      The OpenBSD base system includes a version of Apache that has been heavily audited (fixing a lot of bugs that didn't seem to get fixed in the main branch until years later - look for 'does not affect OpenBSD' in security advisory notes) and runs in chroot by default.

      Is lighttpd any more secure on OpenBSD than on Linux? No

      As I recall, lighttpd runs in a chroot by default on OpenBSD, but I could be wrong. On top of this, it has (probably not a full list, just the things I remember):

      • Address space randomisation, making return-to-libc attacks harder. Linux now includes a weaker version of this.
      • OpenBSD's malloc() has an aggressive policy about returning memory to the kernel, which trades some performance for making it much harder to exploit use-after-free bugs.
      • The OpenBSD system compiler enables stack canaries by default and they are enabled for all OpenBSD packages, making stack-smashing attacks basically impossible.
      • W^X policy means that you can't map a page as both writable and executable at the same time. This is implemented even on x86, where it requires some convoluted stuff with segmentation because there is no native support in the page tables. This makes anything with a JIT compiler marginally harder to write and makes arbitrary code execution holes much harder. Linux can enforce something like this only on newer systems that have support for the NX bit in page tables.
      • The network stack uses strong random numbers for a lot of TCP/IP header fields, making things like connection hijacking or SYN flood attacks harder (you said you were running a networked app, right?).

      And the best thing? You don't need to configure or even understand any of these for them to work. That's what 'secure by default' means - no faffing with SELinux configuration, no optional security measures that people turn off because they're too hard to get right.

      I would argue that OpenBSD may be secure by design, but SELinux is, in practice, more secure.

      In practice, SELinux is usually disabled. In the few places it is enabled, it makes the attack surface larger and has led to exploitable bugs that are not present in Linux-without-SELinux.

      --
      I am TheRaven on Soylent News
  3. Re:fdisk by contra_mundi · · Score: 4, Funny

    Oh, the problem exists, I can assure you of that. The problem however lies between the keyboard and the chair.

    That's not a very ergonomic position to use a computer in.

  4. song by buchner.johannes · · Score: 3, Informative

    The release song doesn't even have lyrics :-(
    How good can the release be then, I ask!

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  5. Re:BSD Troll-in-One by Anonymous Coward · · Score: 5, Funny

    To spare this section of all the trolls (yeah right!), I have incorporated every *BSD troll into this one message. Thank you.

    The *BSD Wailing Song

    What's left for me to see
    In my ship I sailed so far
    What can the answer be
    Don't know what the questions are.
    And after all I've done
    Still I cannot feel the sun
    Tell me save me
    In the end our lost souls must repent.
    I must know it is for certain
    Can it be the final curtain
    As long as the wind will blow
    I'll be searching high and low.
    Who knows what's really true
    They say the end is so near
    Why are we all so cruel
    We just fill ourselves with fear.
    And heaven and hell will turn
    All that we love shall burn
    Hear me trust me
    In the end our lost sould must repent.
    I must know it is for certain
    Can it be the final curtain
    As long as the wind will blow
    I'll be searching high and low
    Final curtain
    Final curtain

    • flask of ripe urine
      pressed to bsd lips
      bsd drink up

    I don't want to start a holy war here, but what is the deal with you BSD fanatics? I've been sitting here at my freelance gig in front of a BSD box (a PIII 800 w/512 Megs of RAM) for about 20 minutes now while it attempts to copy a 17 Meg file from one folder on the hard drive to another folder. 20 minutes. At home, on my Pentium Pro 200 running NT 4, which by all standards should be a lot slower than this BSD box, the same operation would take about 2 minutes. If that.

    In addition, during this file transfer, Netscape will not work. And everything else has ground to a halt. Even Emacs Lite is straining to keep up as I type this.

    I won't bore you with the laundry list of other problems that I've encountered while working on various BSD machines, but suffice it to say there have been many, not the least of which is I've never seen a BSD box that has run faster than its Windows counterpart, despite the BSD machines faster chip architecture. My 486/66 with 8 megs of ram runs faster than this 800 mhz machine at times. From a productivity standpoint, I don't get how people can claim that BSD is a "superior" machine.

    BSD addicts, flame me if you'd like, but I'd rather hear some intelligent reasons why anyone would choose to use a BSD over other faster, cheaper, more stable systems.

    It is common knowledge that *BSD is dying. Almost everyone knows that ever hapless *BSD is mired in an irrecoverable and mortifying tangle of fatal trouble. It is perhaps anybody's guess as to which *BSD is the worst off of an admittedly suffering *BSD community. The numbers continue to decline for *BSD but FreeBSD may be hurting the most. Look at the numbers. The erosion of user base for FreeBSD continues in a head spinning downward spiral.

    OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of BSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

    Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

    All major marketing surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among hobbyist dilettante dabblers. In truth, for all practical purposes *BSD is already dead. It is a dead man walking.

    Fact: *BSD is dying

    It doesn't matter, no matter how many time you try to recesitate *BSD, it's just does

  6. Re:fdisk by Anonymous Coward · · Score: 5, Insightful

    I've only installed OpenBSD twice, both successfully, but their fdsik version was very nice.

    Different from Microsoft and Linux fdisk programs? Yes! Because you're not running/installing neither Windows nor Linux. Neither of these are identical systems.

    The OpenBSD fdisk is quite possibly better, and without a doubt far better documented, and not just in the excellent up to date man pages but also in official faq's and installation procedures available on the OpenBSD webpages. Stuff one should read.

    Who would read/read on Microsoft information when installing Linux?
    Who would read/rely on Solaris information when installing Windows?
    Who would read/rely on Linux information when installing OpenBSD?

    If you're having trouble with OpenBSD fdisk or more likely OpenBSD installation peculiarities and requirements that other operating systems either don't have or gloss over then I would recommend reading the OpenBSD documentation, it's all there, yes the issues that can trap someone entirely new too, usually even emphasized.

    A Windows poweruser or superuser can be and often is a total newbie on Linux.
    A Linux poweruser or superuser can be and often is a total newbie on OpenBSD.

    Don't assume different things to be the same.

  7. Suspend/Resume? by angus77 · · Score: 4, Funny

    They have suspend/resume now?

    I guess this will be the Year of the OpenBSD Netbook!!

    1. Re:Suspend/Resume? by the_brobdingnagian · · Score: 4, Informative

      Suspend/resume support has been improved enormously. I have been using it without problems on my Asus Eee PC 1000H for a while now.

  8. Re:How are upgrades handled? by the_brobdingnagian · · Score: 3, Informative

    I'm curious. Having never used a BSD-based system, how are upgrades managed? I understand that instead of installing packages, one uses ports. My impression of that is that you run a file in a ports directory and it compiles the software and installs it. Correct me if I'm wrong.

    Ports are meant for building packages. Users should only use packages normally. You can update your packages after you upgraded your base system with "pkg_add -ui -D update -D updatedepends"

    But how does one upgrade from, say, OpenBSD 4.7 to 4.8?

    OpenBSD has excellent docs and FAQ's: http://openbsd.org/faq/upgrade48.html

  9. Re:fdisk by Ex+Machina · · Score: 4, Informative

    IIRC you can suffix a quantity with M or G to specify size in megabytes or gigabytes.

  10. Re:Have they decided to implement security yet? by SoupIsGood+Food · · Score: 3, Interesting

    OpenBSD's claims are based on clean code, well-written documentation and sensible defaults, not a baked-in or bolt-on MAC system (which in this case stands for Mandatory Access Controls.)

    Because it can be bolted-on, it's not really a criticism of the OS itself. To be fair, jails gets you 90% of the way there - MAC systems were hot stuff on multi-user systems, but most Unix installations these days are single-seat workstations or back-end servers in the new "appliance" model which don't have any human users at all apart from the admin. Applications can be effectively protected from each other with jails... so an elaborate MAC system is kind of a waste of time in most cases. Maybe in a few specialized file-server scenarios, it might come in handy... but it's pointless for a box running a LAMP stack.

    Oh, wait, OpenBSD doesn't run jails, and the devs tell you to screw off and die whenever they're asked about it.

    I suppose they still have clean code and sensible defaults. You just need to buy a new server every time you want to isolate applications from each other.

    But this isn't actually a security issue, this is a developers-up-their-own-fundament issue.

  11. Re:Have they decided to implement security yet? by DiegoBravo · · Score: 3, Insightful

    From the article, about a "secure operating system":

    > Generally, this would be taken to mean an operating system that was designed with security in mind, and provides various methods and tools to implement security polices and limits on the system.

    Sadly most naive users still believe that security is about setting fine grained permissions, roles, resources and tagging system objects in general. In practice 1) security exploits simply bypass or reconfigure such validations or policies for their own purpose, and 2) getting a really good "fine grained" configuration and reconfiguration is pretty difficult, time consuming, and prone to error (i.e. to increase the vulnerability.)

  12. Re:Have they decided to implement security yet? by metrix007 · · Score: 4, Interesting

    I can't believe you got modded up. MAC is not bolted on at all, it is a kernel patch. This means you end up with a different kernel, where MAC is implemented from the ground up.

    Equating MAC to jails also shows you simply don't understand what MAC is.

    • If your webserver is compromised in a jail, can the webpages still be defaced? Yep. Not with a proper MAC policy.
    • Running third party software that the OpenBSD team did not audit themselves which gets pwned? Far less likely with MAC. If the machine is exploited, minimal damage can be done.
    • Need to restrict access from root to satisfy legal or policy requirements? Not possible with the outdated root = god model. It is possible with MAC.
    • Want to restrict the permission a process has, instead of automatically granting it the same full permissions your user account has? Not possible on OpenBSD, possible with MAC. No, systrace doesn't cut it.

    The industry is slowly heading in implementing MAC in some form, because DAC (Discretionary Access Control, the current standard) is simply inadequate. It's not all SELinux, Microsoft have Windows Integrity Levels where low privileged processes can't write to higher level processes, Ubuntu has AppArmor etc. The industry is heading in this direction because we realize that allowing all programs to have the full set of permissions equal to the user it is running as is not ideal.

    The OpenBSD team stand out in their flat our rejection of the very idea, considering it to be too complex (does not have to bee, see SMACK, Tomoko or AppArmor), or horribly understanding it to the point they equate it with an ACL. IIRC Theo has said in several interviews it is basically security theater and not useful, which is just ignorant. Given they tend to actually ignore security vulnerabilities and argue rather than admit and fix them, the project doesn't seem that security focused to me.

    Sorry, but I will take a fairly secure system that grants me the granularity to protect myself in the case of an attack, as opposed to a system which claims awesome security because it comes with almost no current software and nothing running by default.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
  13. Re:Audio on BSD? by TheRaven64 · · Score: 5, Interesting

    OpenBSD has gone down the userspace sound daemon route, with aucat. This is much simpler than something like portaudio and provides userspace sound mixing. I generally prefer the FreeBSD approach (fully working OSS 4 compatible, with high-performance low-latency kernel sound mixing), but the OpenBSD approach (like everything else in OpenBSD) trades a little performance for a lot more security.

    --
    I am TheRaven on Soylent News