Re: Good article, a lot of Linux-bashing though (on "Overview of the BSDs", Score: 1)
I fail to see the "lots of Linux-bashing" that you mention. It objectively mentions the differences between *BSD and Linux, and the BSD license vs. the GPL license. Maybe you could elaborate and point out where all the Linux bashing is in this article?
I'd like to expand on your ideas on why people use the licenses they do. GPL is for people who think software should be free (and remain so). A project which is GPL'd can still die, but the GPL dictates that if it is picked up by someone else, it remains public and free for people to use. I'm sure it's a nice comfort for programmers to know that they can sue if some corporation decides to incorporate their code into a product and sell it.
BSD, on the other hand, is for people who simply don't care what happens to their software. If it dies, another free software author can pick it up and only needs to retain the copyright of relevant portions. A company can take code and bundle it into their product and sell it. That's why Microsoft hates the GPL, but doesn't mind BSD-licensed code.
I do agree with your statement that OSS / FS communities benefit from each other. Linux has way more media exposure and has that certain ideological sexiness to it. That image has translated into new developers and thus more applications. These new applications undoubtedly filter into other free UNIX-derivatives.
I choose Linux over BSD because I'm a personal user and I need driver support for things like graphics cards from Nvidia and ATI
This is something I don't understand. Support for things like Nvidia & ATI cards is in XFree86, not Linux. If you're talking about DRI, then yes, XFree86/DRI was a VA Linux project and hence Linux has the best support for DRI. FreeBSD is starting to move forward in this department with experimental (and decently stable) DRI support for 3dfx & ATI cards. Nvidia also recently announced that they will provide official drivers for FreeBSD. Again, we see bells and whistles filtering down from Linux.
Debian because, among the Linux', it does tend to be the most stable and steadfast, with excellent quality-control.
Debian is a Linux distribution. I'm guessing you accidentally omitted "distribution" from that statement, but I'm still going to chastize you for it. "Linux" is just a kernel. The base utilities used in a Linux distribution are almost all GNU software. I hate RMS and the GNU/Linux thing, but it is a valid point.
$2 million is news. That's a lot of money to be out into open source.
Interesting take on the situation. However, the money from DARPA has been trickling through for over a year already...
Erm, shouldn't that be "only one remote hole in the default install"?
Yes, it should. Unfortunately, media providers usually dumb down the content in order to keep the average joe from going cross-eyed by reading the article...
But, MAN, how can he take $2,000,000 from the US Gov't and still criticize them at the same time?
Because at the time he accepted the money (over a year ago), the US was not playing oil grab.
Yes, if someone gets root, then they can most likely break out of chroot.
Thankfully, under OpenBSD even the apache parent process does not run as root:
www  2376 0.0 0.3 1120 1440 ?? Ss Wed08PM 0:05.56 httpd: parent [chroot /var/www] (httpd)
www 12097 0.0 0.2 1196 1008 ?? I  Wed08PM 0:00.02 httpd: child (httpd)
This means "remote root exploit" in Apache becomes "remote www-user-in-chroot exploit" for OpenBSD.
It's a very nice feature. I wrote a document on how to get CVSWeb running within the Apache chroot environment recently. I'm guessing Marc's paper is somewhat similar in nature.
http://marc.theaimsgroup.com/?l=openbsd-misc&m=
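The thread above settles the argument by reading ps(1) output: the httpd parent must be owned by www, not root, and must carry the "[chroot /var/www]" tag. Below is an added example (not posted by anyone in the thread and not OpenBSD code) that turns that manual check into a small audit over ps lines. The sample lines are constructed, modelled on the columns quoted above, with one correct OpenBSD-style layout and one deliberately misconfigured layout for contrast.

```python
"""Audit ps(1) output for httpd processes that still hold root or whose
parent is not chrooted.  Added example; sample data is constructed."""

import re

# Constructed sample in the `ps aux` column layout quoted in the thread:
# pids 2376/12097 mirror the correct OpenBSD 3.2 state (parent chrooted, www),
# pids 4410/4411 are a made-up misconfigured server (parent as root, no chroot).
SAMPLE_PS = """\
USER   PID %CPU %MEM  VSZ  RSS TT  STAT STARTED    TIME COMMAND
www   2376  0.0  0.3 1120 1440 ??  Ss   Wed08PM 0:05.56 httpd: parent [chroot /var/www] (httpd)
www  12097  0.0  0.2 1196 1008 ??  I    Wed08PM 0:00.02 httpd: child (httpd)
root  4410  0.0  0.3 1120 1440 ??  Ss   Wed08PM 0:00.10 httpd: parent (httpd)
www   4411  0.0  0.2 1196 1008 ??  I    Wed08PM 0:00.01 httpd: child (httpd)
"""

# USER, PID, then eight fixed columns (%CPU %MEM VSZ RSS TT STAT STARTED TIME),
# then the COMMAND field, which may contain spaces.
PS_RE = re.compile(r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+(?:\S+\s+){8}(?P<cmd>.*)$")


def parse_ps(text):
    """Return a list of (user, pid, command) tuples; the header line is skipped
    because 'PID' does not match the numeric pid pattern."""
    rows = []
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            rows.append((m.group("user"), int(m.group("pid")), m.group("cmd")))
    return rows


def audit_httpd(text, web_user="www"):
    """Return human-readable findings for every httpd process that violates the
    expected posture: unprivileged owner and a chrooted parent."""
    findings = []
    for user, pid, cmd in parse_ps(text):
        if not cmd.startswith("httpd"):
            continue
        if user == "root":
            findings.append(f"pid {pid}: httpd running as root")
        elif user != web_user:
            findings.append(f"pid {pid}: httpd running as unexpected user {user}")
        # Only the parent carries the chroot tag in OpenBSD's process title.
        if "parent" in cmd and "[chroot " not in cmd:
            findings.append(f"pid {pid}: httpd parent is not chrooted")
    return findings


if __name__ == "__main__":
    # On a real box pipe `ps aux` into this instead of using SAMPLE_PS.
    for finding in audit_httpd(SAMPLE_PS) or ["no httpd findings"]:
        print(finding)
```

Only the constructed root-owned parent (pid 4410) is reported, on both counts; the OpenBSD-style parent and both children pass. On a live system the same function can be fed the output of `ps aux` directly.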
Like MANY things linux, I found out after the fact that Linksys' 54g products use a different chipset (broadcom) rather than the intersil Prism chipsets of their linux supported 11b products.
you're surprised that 802.11g uses a different chipset than 802.11b? come on...
I can still exploit root on an OpenBSD machine with a crappy CGI.
Really?
www 2224 0.0 0.0 1188 1760 ?? Ss 7:01PM 0:02.24 httpd: parent [chroot /var/www] (httpd)
But it doesn't run as root and it's chroot'd...
Good luck getting root!
Not to mention that it's less portable.
Very easy if you know what you're doing.
Hopefully will do it in SDL so it's cross platform capable.
Some SDL projects based on source code releases by commercial companies:
Doom/Doom2 - http://prboom.sourceforge.net/
Heretic - http://heretic.linuxgames.com/
Marathon 2/Infinity - http://www.uni-mainz.de/~bauec002/A1Main.html
It was corrected for accuracy.
You can grab the main i386 .tgzs from:
ftp.usa.openbsd.org/pub/OpenBSD/snapshots/
Those are snapshots of 3.2-current, not of what will be released as 3.2.
He doesn't have commit anymore.
Why would itojun (who primarily does ipv6 for OpenBSD) commit systrace work if Niels had commit?
Think about it.
Niels Provos was an OpenBSD developer until recently. He's the same guy who did the PrivSep code for OpenSSH.
It actually appeared in NetBSD first.
http://mail-index.netbsd.org/current-users/2002/10/11/0039.html
Setuid / setgid requires the program to do all its privileged dirty work initially and then drop privileges to ensure a reasonable level of security.
This new feature in systrace reverses the whole process. Now daemons can run totally unprivileged and systrace can escalate privileges as needed for only the calls that need it.
It's not as taxing as you think it is. Yes, there is slow down, but for the huge blanket of security it adds, I think the hit in speed is offset by the benefits.
Chroot jails for each application aren't necessarily feasible. Take Apache for example.
Apache in OpenBSD 3.2 runs in a chroot jail and even the parent process is run as www:www.
Some of the apache modules in OpenBSD ports were modified to be chroot-aware. Some are hopeless.
Properly configured Systrace policies can make the aforementioned broken modules work again and reduce the need for chroot.
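To make the privilege-elevation point from the two posts above concrete, here is a policy fragment in the systrace policy language. It is added as an illustration; it is not from the thread, from OpenBSD's shipped policies, or from the systrace paper. The daemon path /usr/local/sbin/exampled and its file paths are made up, and the rule syntax follows systrace(1) as I recall it ("permit as root" being the elevation clause).

```text
Policy: /usr/local/sbin/exampled, Emulation: native
	native-bind: sockaddr match "inet-*:80" then permit as root
	native-fsread: filename eq "/etc/exampled/server.key" then permit as root
	native-fsread: filename match "/var/www/*" then permit
	native-fswrite: filename match "/var/log/exampled/*" then permit
	native-fsread: filename eq "/etc/master.passwd" then deny[eperm]
	native-execve: deny[eperm]
</test>
```

The daemon itself is started by systrace under an unprivileged uid/gid (systrace's -c uid:gid option, as I recall it) and never holds root; only the two listed calls, binding port 80 and reading its own key, are executed with elevated privilege, and each is bound to a specific argument. That is the reverse of the setuid pattern described above: instead of the program starting privileged and being trusted to drop, the policy starts it unprivileged and grants exactly the operations it needs. Anything outside the policy is denied and logged, so a module that breaks inside a chroot can be given the one extra path it needs rather than run un-jailed, and a compromised daemon attempting execve or an unexpected file read shows up in the log instead of succeeding.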
OpenBSD's apache already does this by default in 3.2.
Even the parent process runs unprivileged and everything is in a chroot jail.
Actually, it does have accelerated nvidia drivers.
I think you mean DRI/hardware OpenGL.
It seems to me, from reading the release notes, that FreeBSD is running behind Linux on the support side. I am seeing things that are being released for FreeBSD that have been released for Linux, in the stable environment, for quite a while now (unfortunately I cannot provide exact dates.)
How about providing an example of what you're talking about then?
Wow, another impoverished nation wants to use a free operating system rather than Microsoft Licensing fees. Who would have thunk it?
Wow an old version of OpenBSD is being EOL'd. I don't see how this is even remotely news worthy. This happens every release.
Then don't use OpenBSD.
Nextel proprietary Motorola solution (boy, I wonder if the guy who chose that still has a job!)
Erm, I used to work in Motorola's iDEN division (got canned in the sweeping lay offs).
The guy definitely still has a job as Nextel has the highest average subscriber revenue of any US cellular carrier. Something like $60/month last time I checked. They have over 12 million customers. That's a hell of a lot of income. Also, it is one of Motorola's cash cows. The other sub-businesses of Motorola that are in the same division as Motorola all operated at a loss the last quarter I was there. Fortunately for Motorola, iDEN's profits were enough to bring net business revenue into profits rather than losses.
However, iDEN does have its pros and cons for Nextel.
Pros
- Nextel is mainly targeted for businesses. This generates the huge revenues.
- The handsets are form meets function and sell very well.
- Roam in Canada for free. Telus Mobility and Nextel have a roaming agreement.
Cons
- Capacity. It's basically a hacked up TDMA network to provide the direct connect feature. Motorola did a lot of bending over to help prolong the use of TDMA as the underlying technology and to save Nextel money in the short term. A switch to CDMA will have to come eventually.
- Motorola sells all the infrastructure AND all the handsets. This is a really weird business model. All the U.S. CDMA carriers offer handsets from *at least* 3 different companies. I'm not 100% about how CDMA carriers decide who to buy infrastructure from.
- Not even close to being adaptable. It will take a lot of time and effort to extend the direct connect feature to CDMA. A lot of CDMA carriers are already working on their own direct connect-like extensions.
Surprisingly enough, iDEN is available in a lot more than the U.S. It's very popular in South America. There's also an iDEN carrier in both Korea and the Philippines.
Motorola is working on the technology to extend direct connect so it can make region to region calls. New York to Boston should be able to do this soon. You will also be able to roam with direct connect in the near future as well, which was my biggest annoyance with iDEN.
In late 2003, direct connect will be extended so you can dispatch between any two points within the U.S. (and possibly Canada).
These advancements will boost Nextel's subscriber base and their average revenue as well. Direct connect is a nifty feature. It sounds kind of silly if you've never used it, but being able to radio a friend in L.A. from Chicago without flipping open your phone and by just pressing a button is a nifty feature that people will want.
My cell phone carrier (Nextel) has billing plans that have free incoming calls. I certainly think it's a god send. Unfortunately, I haven't seen any other carriers create plans like this. There are unlimited minute plans for $100 USD a month which is kind of ridiculous. I definitely agree that having to use minutes for incoming calls is very silly.
P.S. Where did you Brits learn how to spell "privelege"? :)
I don't see how Linux needs something scalable.
It all comes down to (mostly) Linus anyway.
The addition of the BSD kernel
Sorry, but it uses a MACH kernel.
Twice as good as what?
I can install both NetBSD and OpenBSD from a single floppy.