OpenBSD 4.2 has been released. “We are pleased to announce the official release of OpenBSD 4.2. This is our 22nd release on CD-ROM (and 23rd via FTP). We remain proud of OpenBSD’s record of more than ten years with only two remote holes in the default install.” Update: A what’s new article at ONLamp.
How do they achieve this? Is it just very good practices and programming, or is it due to a lack of rich modern features?
Sorry, but please tell me what “rich modern” features you expect that are related to security holes.
Edited 2007-11-01 23:49
You’re misunderstanding. I don’t know anything about OpenBSD. I don’t know what’s available for it.
I’m asking if this security record is due to them being very good at making the operating system, or if it’s due to there being fewer features than other operating systems.
It may be as feature rich as others, I just don’t know, so that’s why I’m asking.
Good programming practices and code audits.
And probably a few other things I don’t know about.
Don’t forget the “secure by default” configuration—“out of the box,” most services are off or have been reconfigured and/or rewritten with security in mind.
“And probably a few other things I don’t know about.”
Good documentation inside the source files, man pages, handbook and FAQ.
They also tend to add features which have been well tested; take SMP for example. Sure, OpenBSD could go off and fine-grain everything under the sun, but the net result could be a huge mountain of bugs being exposed due to these changes.
What I see in OpenBSD is a gradual move forward. Rather than add a tonne of features and sort out the issues later, things are improved gradually. Although I’d hate to use this as an example, Windows Vista is a prime example of a tonne of changes being crammed into a single release, then rushing around like headless chickens afterwards trying to fix up things as the wheels fall off.
Gradually moving forward is how it SHOULD be done.
I love OpenBSD…
Same, I do find it funny when people deduct points off posts because of some personal vendetta against the original poster.
Welcome to the club, you’re in good company.
Accidentally I can’t mod your comment up, for god knows what reason.
They rewrite everything with best security practices and even improve on poor design as the need arises (as in the case of Xorg, I believe it was).
Stringent code auditing and a genuine approach to secure design.
Like ’em or hate ’em (for their personalities), you have to respect their work.
The keyword here is ‘default install’… a default OpenBSD install is really quite different to, say, a default Ubuntu Linux installation, or a default Windows Vista install..
I do love my OpenBSD though. It’s just so clean..
“The keyword here is ‘default install’… a default OpenBSD install is really quite different to, say, a default Ubuntu Linux installation, or a default Windows Vista install.. “
Please don’t confuse OpenBSD (or FreeBSD, NetBSD) with a Linux distribution. OpenBSD is “just” an OS, nothing more. If you install it, you have installed an operating system, nothing more, nothing less. In most cases, you are required to install additional software for the purposes you want to use your system, maybe as a mail server, a web server, a rescue system, a development system, or an “all possible purposes one size fits all” desktop workstation. You decide what’s going to be installed.
If you want a BSD OS bundled with additional software (in the way most Linux distributions are), you will have to use PC-BSD or DesktopBSD.
That being the case, I’d have to imagine that it’s unfair to compare it to Linux as most distributions are porked up with applications. If all the apps and just the Linux OS was installed, I would expect it to have a far ‘better’ security record for a default install too.
“That being the case, I’d have to imagine that it’s unfair to compare it to Linux as most distributions are porked up with applications. If all the apps and just the Linux OS was installed, I would expect it to have a far ‘better’ security record for a default install too.”
I completely agree here. Some Linux distributions, especially the ones that are source based and follow the minimalistic (or, to be more exact, the well-defined content) approach, could be used for a valid comparison. They may only contain the Linux kernel and a certain userland.
As you may know, OpenBSD follows the concept of dividing between the OS and afterwards installed applications; you can see this in the directory substructures where application files are located. In Linux there is not such a sharp differentiation, I think.
The parts of the OpenBSD OS do not contain software not audited by the OpenBSD team, so there’s no “third party risk” within the OS itself. Such risks may be contained in additional software.
If you want to compare Linux to BSD, you should, for example, compare Ubuntu to PC-BSD or SuSE to DesktopBSD – in the default install, of course.
The word ‘operating system’ doesn’t really mean anything. What is technically an OS we mostly call a kernel these days. OpenBSD is a distribution of an operating system (an application to manage hardware resources plus drivers) and a small set of extra tools (a compiler and ssh-daemon, for instance), it’s just far more minimal than most mainstream Linux distributions – but it’s the same basic principle.
Err. It comes with gcc and a mail server AFAIK. Vi, too… and a web browser! Anyways, that paragraph could just as well be applied to a Debian installation, except that you select some of the packages at install time… which doesn’t really make much of a difference.
Anyways, this is semantics. Have a good day!
“Anyways, this is semantics.”
Sure, I agree with you, the terminus technicus “OS distribution” can be applied to OpenBSD, too. As we agree, OpenBSD follows a more minimalistic approach regarding what’s included in the basic install. For example, media players, instant messengers and games are not included by default. I think OpenBSD’s goal is that only software is provided in the basic install that has been checked by the OpenBSD team to be secure by default.
There are some criteria defined in DIN 44300 for what an OS is: a sorted collection of means (kernel system, programs, libraries etc.) that:
– administrates and controls the hardware,
– provides user interfaces,
– provides standardized and documented programming interfaces (editor, assembler, compiler, linker included here),
– protects against external manipulation and abuse,
– executes and monitors programs and handles their parallel execution,
– provides tools for hardware and software care, installation, update and deinstallation of software, error analysis and damage elimination.
This can be applied to Linux distributions, too, although most of them provide much more functionality in the basic install. The same is true for Solaris, which leaves the user with a highly functional system after the first install. Instead, OpenBSD lets the user select what he wants to be installed afterwards.
The difference is in the clear separation between the OS as shipped by the OpenBSD Project and the third-party apps that individuals can install on that OS.
I don’t know the specifics on directory layout for OpenBSD, but the theory is the same for all the BSDs: / and /usr are the OS as shipped by the Project. /usr/local (possibly /opt) is for user-installed apps. The two can be physically separated using disk partitions. / can be mounted ro. You don’t have to worry that installing an X app will require upgrading half your OS install. And you don’t have to wait 6+ months to get the latest apps (or fuss with backports repositories that may or may not be officially supported).
Linux distros are nothing more than large collections of packages shipped together. There’s no such thing as a “base OS” or “core OS” for any of the Linux distros. There’s no separation between the OS and the apps. Everything is an app package. Installing an X app can require installing/upgrading half your OS. If you want the latest version of an app, you have to upgrade your entire distro, or fuss around with 3rd-party repositories and backports repos, and wander into the land of unsupportedness.
Sure, you may have access to 25,000 packages with a Linux distro. But that’s probably fewer than 12,500 actual applications due to the way the apps are split into sub- and lib-packages.
There’s a very big difference between a BSD OS and a Linux distro.
If you look here:
http://openbsd.org/faq/faq1.html#Included
You will see that almost everything you mentioned IS included in a default install…
“…mail server..” – sendmail
“..a web server..” – Apache 1.3
“..a rescue system..” – Boot from CD and select Shell
“..a development system..” – Comes with a C and Perl compiler
“..all purposes.. ..desktop workstation..” No such thing anywhere, though it does come with a web browser and X.
“You will see that almost everything you mentioned IS included in a default install…”
I see, thank you for this advice. The default install makes OpenBSD a good server for basic server functionalities (FTP, web, mail) and a development system, as long as you stick with the basic editor, but the compiler collection and the debugger are provided. For other uses (desktop environment, media player, gaming etc.), additional software needs to be installed.
Regarding the “all purposes one size fits all” approach:
“No such thing anywhere, though it does come with a web browser and X.”
Most famous Linux distributions try to reach this goal, meaning the default install contains a lot of software. A similar approach can be seen in PC-BSD. The downside: Sometimes much disk space is wasted for software you never use… but hard disks are big enough today. 🙂
By simply denying a lot of security issues.
http://pwnie-awards.org/winners.html#lamestvendor
By simply denying a lot of security issues.
Looks like they accepted this one as a vulnerability at last:
http://www.techworld.com/security/news/index.cfm?newsID=8278&pagtyp…
Did they deny any other issues?
Yeah, who you gonna trust? The companies who make money and fame from hyping their bug findings, or the guys who may not want to admit it?
I’m glad OpenBSD released 4.2 and I enjoy their secured PF in my FreeBSD servers.
Congrats OpenBSD guys!
Edited 2007-11-02 00:06
Same here, went from IPFW to PF and not looked back since.
Ordered the CD set this morning because I want to upgrade my current firewalls and figured they deserve my contribution.
Now waiting until the FreeBSD 7 CD set is available so I can order those too.
This is what I love about BSD: they port each other’s code when they need it, and they don’t flame each other.
I love that PF was made so easy to manage for the average user and designed with security in mind.
“I love that PF was made so easy to manage for the average user and designed with security in mind.”
Have they come up with some sort of script or front end to make writing the pf.conf easier? I know it’s a very secure firewall, and the syntax is easier to understand than Linux’s iptables, but when I used OpenBSD I was pretty frustrated at having to understand so much technical detail just to get a basic firewall up and running.
There is a default pf.conf to edit, the pf FAQ explains it. There will never, ever, be simpler.
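As an added illustration of what the default pf.conf approach looks like in practice (this is not the pf FAQ’s file or anything from the thread), here is a minimal stateful rule set for a single-homed host: default deny inbound, stateful outbound, SSH only from an admin network. The interface name em0 and the admin network 192.0.2.0/24 are assumptions you would replace with your own.

```pf
# Added example, not the OpenBSD project's default pf.conf.
# Assumed values: external interface "em0", admin network 192.0.2.0/24.
ext_if = "em0"
admin_net = "192.0.2.0/24"

# Do not filter loopback traffic at all
set skip on lo

# Default deny: everything inbound is blocked and logged to pflog0,
# so blocked attempts are visible with tcpdump -n -e -ttt -i pflog0
block in log

# Drop packets arriving on the external interface whose source address
# belongs to one of this host's own networks (spoofed traffic)
antispoof quick for $ext_if

# Allow all connections the host itself initiates; state entries let
# the return packets in without any explicit inbound rule
pass out on $ext_if keep state

# Allow SSH, but only from the admin network and only for packets that
# open a connection (SYN set, ACK clear); later packets match the state
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port ssh flags S/SA keep state

# Allow the host to be pinged
pass in on $ext_if inet proto icmp icmp-type echoreq keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`; `keep state` is already the default for pass rules in 4.2 and is written out here only to make the behaviour explicit.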
OpenBSD is now releasing complete ISO images?
We don’t have to order CDs or install via FTP?
Great news if true. Is Java still a pain on OpenBSD?
Java sucks everywhere, don’t use it.
Just exactly how does Java suck? You mean companies like amazon, ebay, wal-mart etc run their entire online businesses under the Java platform and they suck too? You mean products like http://www.eclipse.org, http://www.netbeans.org or http://www.aptana.com are just some useless toys companies built for no reason?
Exactly what doesn’t suck in your opinion?
You’ve obviously never tried to get it to run on a platform. Porting Java is like performing anesthesia-less appendectomies: not only is it deeply painful, the good-for-nothing patient fights you every inch of the way.
Just because random people got suckered into using a non-portable, “portable,” language does not mean the language is suddenly any good.
If Java were really portable, it wouldn’t be so bad, but even between Java on different platforms not all software functions properly.
I guess that’s why it’s the de facto standard for enterprise development?
> Exactly what doesn’t suck in your opinion?
It’s an OpenBSD fanboy.
This kind of fanboy thinks that gcc is bloated, C++ bloated and useless, … and Java sucks everywhere.
You don’t need to be a fanboy of an operating system to see such things, everyone with a sane mind will see it at once. Java e.g. doesn’t suck everywhere, it’s just designed to suck.
Java sucks because it’s heavy and bloated. See all system resources you need to execute your JSP web site.
Wow, so defensive. I love Java. I just heard it was hard to get working on OpenBSD..
FreeBSD has its own port (I’m not too happy with it).
Good thing I didn’t ask about Flash 9.
Java is really Sun’s problem; they should make it work flawlessly in BSD.
OStourist, the people that were so “defensive” were not responding to you. They were responding to a troll that got (appropriately) modded down to -2. 🙂
Hey there, I was responding to the troll too.
Somehow my reply got put in the wrong place.
🙂
Java sucks everywhere, don’t use it.
Thank you for your constructive and highly on topic comment!
But the fact is that people do use Java, in spite of what you think. So people need it to work on OpenBSD, otherwise OpenBSD simply isn’t an option.
Yes.
Yes.
And don’t forget kids, for those of you doing a fresh install, to email in your dmesg file so they can see how good people’s systems are working!
I wish there were more material than the handbook and FAQs on the web site, something easier to read, well explained, along the lines of FreeBSD (or some of the easy-to-use Linux distros). But I guess they don’t care that much about the average Joe. I just hope they don’t laugh at us with viruses on Windows.
Myself being an OpenBSD user, I would say there is a sense of elitism amongst the highly skilled OpenBSD users, of which I am not at their level, but they are also more introverted as well; I can be that way myself. With how I use it all the time and everything, for whatever reason, I can’t be bothered to write articles to post online with How-Tos for very basic and starter stuff for people wanting to try it, but written assuming zero level of knowledge, maybe even a bit of hand-holding, to help people get into probably the most technical OS you come across. However, I’ve got no problem spending hours teaching someone how to use this stuff, so I do help if someone asks. But I would suggest openbsd101.com as another starting point, and there is signing up for the OpenBSD Newbies mailing list at http://mailman.theapt.org/listinfo/openbsd-newbies. Plus there is also the Absolute OpenBSD book as well. Although it is 4 years old, there is still very much some stuff to learn from it, and I talked with the author, and he said he will be doing an updated version of the book, but there is no date for any of that stuff yet.
But in blunt honesty, I am in full agreement with your gripe about OpenBSD learning material, but at the same time the OS is developed for servers, with some desktop features implemented into the system. It is developed with a focus in mind; they are not hoping to get people who want to play with it at home. I could be going way ahead of myself here, but I think they are not concerned about playing the numbers game of counting how many users they have. If people like their software, fine; if people don’t, fine. So while I do understand you, with an OS whose first priority is security, you can’t expect them to cater to new people. I can’t speak for the OpenBSD developers, but I don’t believe simplicity and security can work together; it is one or the other. So all I can say is grin and bear it and read up somehow, or use FreeBSD.
If you really want to get into OpenBSD, and want a gentle but thorough introduction, I recommend Absolute OpenBSD by Michael Lucas. Yes it’s a bit outdated, but much of the info is timeless. Even if you don’t run OpenBSD, it’s a good education on all sorts of topics. I found it a very interesting read.
It’s not a web book, but you can get a feel for it here and decide if it’s worth purchasing. (Or you can get an old copy off Amazon, or maybe even at your library.)
http://www.absoluteopenbsd.com/
I’ve got this book too. I’d say it’s good, but not great. It’s a little fluffy. Gotta love the Theo non-endorsement endorsement though, “Michael Lucas has written a book about OpenBSD. This is it.” (paraphrasing)
You gotta remember that Theo clearly states that no one should need a book if they can read, because there is the FAQ and the man pages.
Reading a book is usually more comfortable than reading the same amount of text on a computer, though.
Impressive list of fixes:
http://www.openbsd.org/plus42.html
I hope most linux distros have implemented especially the Xorg fixes.
I hope most linux distros have implemented especially the Xorg fixes.
If they were submitted upstream they should end up in all Linux distributions sooner or later. But what fixes are you talking about? I could only see a few and none of them seemed very important, except one crash fix.
But what fixes are you talking about? I could only see a few and none of them seemed very important, except one crash fix.
Did you use CTRL+f to switch to every occurrence of “Xorg”?
STABILITY FIX: Fix a divide-by-zero in Xorg(1) which can be triggered by a malicious client.
You apparently missed this one:
SECURITY FIX: Multiple security fixes for X.org applied.
I was really looking forward to this release and particularly Xenocara, because the old x.org didn’t work well with my Intel graphics.
I like the secure by design principle, high code quality and good documentation a lot, although Linux (I’m using Archlinux) seems to be faster and with features like tickless kernel it’s probably better suited for mobile usage, but there have been many improvements in OpenBSD as well in this regard.
I doubt that this release will make me switch, but I’m seeing constant improvements here.
Congrats to the devs for another wonderful OpenBSD release.
Can’t wait any longer for my OpenBSD CDs to arrive.
And for firewalls and targeted-purpose servers, it’s great. Well-documented, most things are either where you expect to find them or not too hard to find. Man pages are all I’ve ever needed (well, those and the PF users guide).
I like their emphasis on “correctness”, making their code as simple and clean as possible. And PF is a thing of beauty; I’d ditch iptables in a couple nanoseconds if there were a Linux port (I may have to look for a config file translator at least…)
That said, I’m not going to run my PVR or digital audio workstation on OpenBSD (though, in the OpenBSD devs’ minds, this is seemingly due to most application software focusing on Linux, and maybe there is some merit to that sentiment). I’ve found getting a general-purpose desktop harder to get going on OpenBSD than on Linux (ArchLinux here also – is there a theme there?), though this is improving.
Overall performance is also not a primary concern, though they have made strides in networking recently, and OpenBSD isn’t so slow that I’ve noticed. Firewalls I’ve made out of castoff hardware have outperformed commercial purpose-built devices our IT guys have bought.
If you want the latest 3rd-party apps from the ports system, you have to keep up with the snapshot releases – they generally don’t backport except for security reasons. And even then the 3rd-party app support won’t be as fresh or numerous as what you get in Arch or Ubuntu, or even FreeBSD. I understand, though; there are only so many devs and so much time, and they prefer to focus on the quality of the core product. Despite that the ports situation too is improving. [And you are of course free to make ports yourself, or just download tarballs and compile.]
Yes, there are some egos involved in the project, but I don’t get into online sparring with any of them, so it doesn’t bother me. And I can’t argue with the results.
Anyway, for me it comes down to using the right tool for the job. It’s so easy (if you are familiar with your hardware) and quick to install, you might as well try it if you have a spare box or VM.