In the following article, DistroWatch explores OpenBSD, an operating system built from the ground up with security in mind. Though not suitable for every taste, OpenBSD will no doubt save many system administrators gray hairs. Even for those not running a server, this is a very stable and powerful OS and you don’t necessarily need to be paranoid (though it helps) to enjoy using it.
Nice review.
Is OpenBSD really built from the ground up? I was under the impression it was a fork of NetBSD due to a disagreement (as usual) or am I just splitting hairs?
That’s a great article. Gotta give OpenBSD a try one of these days.
Is OpenBSD really built from the ground up? I was under the impression it was a fork of NetBSD due to a disagreement (as usual) or am I just splitting hairs?
Technically, you’re correct, OpenBSD was a fork of NetBSD, however, very little of the original NetBSD code remains. Several important components of OpenBSD have been completely redesigned with security in mind. Additionally, a complete line-by-line security audit was performed on the source code shortly after the fork.
So, although OpenBSD wasn’t really built from the ground up, they’ve built their fair share of it.
OpenBSD was not built from the ground up, it was forked from NetBSD.
Not only was OpenBSD a fork of NetBSD, but it draws many features, bug fixes and enhancements from it. The USB subsystem for example was recently synced up with NetBSD's (FreeBSD and DragonFly did this as well; Free from Net, and DragonFly from Free), and many platform specific features and some of the new SMP code now in OpenBSD -CURRENT comes from NetBSD.
FWIW.
As far as I can tell, the various *BSD watch each other and decide whether or not to incorporate new features from each other in their own source trees.
But I’m no expert – I only recently installed FreeBSD 5.0 on my PC, which then had to go into storage due to a virulent neurovirus called the “Property Boom”, and I’ve never yet installed OpenBSD, much as I would like to.
I think it would make an excellent article for OSNews to have a talkfest with the various *BSD leaders about their relationship to the rest of the *BSD world.
Wesley Parish
Thanks for clearing that up for me
I don’t follow BSD that much, so I was unsure…
Thanks again!
It’s the BASE install. Usually the problems with servers are the services that are running on the OS. Once you actually utilize OpenBSD and customize it to your needs its ‘security’ isn’t all that secure. But I love OpenBSD and I love the security features it has and the security projects it has created. Its install is incredibly easy. Easier than FreeBSD in my opinion.
thanks
Like another poster said, it is based on NetBSD. Give some credit where credit is due. I use it for a server but would never use it for a desktop. However, in situations where you don’t have the luxury of one computer to serve your web pages and mail and another for the desktop, I think a linux distro like Fedora Core 2 or Suse is a better choice.
Sean
Mentioning grey hair…this can happen with other OS:
http://slashdot.org/articles/04/07/07/025216.shtml?tid=109&tid=133&…
😉
I was under the impression it was a fork of NetBSD due to a disagreement (as usual) or am I just splitting hairs?
I’ve seen several benchmarks of NetBSD and OpenBSD and it simply is not the same OS anymore. They have really branched off in regards to various design considerations.
However, in situations where you don’t have the luxury of one computer to serve your web pages and mail and another for the desktop, I think a linux distro like Fedora Core 2 or Suse is a better choice.
I’d totally agree. BSD is ok for tinkerers, servers (and OSX) but linux is more polished in my view. My OpenBSD default install was missing font libraries so everything looked whack. OpenBSD really takes some tweaking as a desktop. But that installer is great other than the unintelligent fdisk. You can do an ftp Install of OpenBSD in minutes. Only limited by the size of your inet pipe. To be fair about the desktop, OpenBSD is probably not aiming to have the latest GUI installer and coolest KDE goodies.
Additionally, a complete line-by-line security audit was performed on the source code shortly after the fork.
In my view it’s more secure than FreeBSD and NetBSD and most linux distros. (Adamantix, Immunix, SE mods, Hardened Gentoo might be exceptions.) They have done some auditing but there are still occasionally holes. It’s true there’s only been one pre-authentication remote root in 7 years, but in -CURRENT. If you look at older releases there have been more holes. Also if you are offering shell accounts or ftp access you should note that there have been local roots and DoS (denial of service). One other thing to note is that most services are disabled other than ssh. So as soon as you activate sendmail and proftpd or whatever it ships with, then you have potential holes. In credit to OpenBSD, they have all sorts of new security goodies to jail and cage applications. They essentially sandbox the apps. But you can do the same in linux and freebsd to be perfectly fair. Pre-authentication remote roots are only one component of a secure system. I’m not saying OpenBSD is bad, I’m just saying that one needs to patch and understand the risks involved. There is no magic bullet, and unfortunately security is often inversely proportional to usability.
Given OpenBSD’s design, it may be possible to run a server as -CURRENT and be safer, or just follow patches closely. Seems like with linux, one doesn’t want -CURRENT on a server, but with OpenBSD it’s probably different. I personally run Slack 9.0 with patches (and soon chrooting) but OpenBSD is very tempting.
I think it would make an excellent article for OSNews to have a talkfest with the various *BSD leaders about their relationship to the rest of the *BSD world.
Yeah that’s what we want, Matt Dillon and Theo de Raadt in the same room. (It would be a nice article though)
If you look around the Internet, you’ll see that of any open source development project, OpenBSD is the most closed. There are no public forums where people discuss design or advances in OpenBSD.
The cynical would say that is because they don’t – they just copy FreeBSD or NetBSD code (AMD64, USB, SMP, etc.)
If you look around the Internet, you’ll see that of any open source development project, OpenBSD is the most closed. There are no public forums where people discuss design or advances in OpenBSD.
Their mailing lists are quite active. FreeBSD doesn’t have forums either, they have mailing lists.
The cynical would say that is because they don’t – they just copy FreeBSD or NetBSD code (AMD64, USB, SMP, etc.)
It would be more fair to say the BSDs all share code. The other BSDs have also taken some of OpenBSD’s work, e.g. OpenSSH, PF, and lots of security enhancements.
The very nice thing about the BSDs is that they all have their own focus, but they can benefit from one another. That’s exactly what the BSD license is about.
Since when is OpenBSD stable? I can remember kernel panics mentioned in http://bulk.fefe.de/scalability/ and you can very easily bring the system down to its knees. I have tested the following things multiple times, so success guaranteed:
– I’ve run a simple app simulating a memory leak (while true; malloc; done). When OpenBSD runs out of memory, the system simply stops. Offending process not killed, no CPU usage (all processes including sshd and getty’s appear STOP-ed).
– Then I did the fork test with a simple sh script. That was not a problem, but instead the following command, to clean up this mess, brought down the system to single user mode:
while true; do kill `ps aux |grep sh |grep test |cut -b 8-16`; done
Or something like that, I have written it down somewhere but cannot find the note right now.
And oh, if you have installed KDE from the precompiled 3.5 packages, and want to webbrowse in Konqueror, you constantly get errors that “kded” crashed. Very annoying.
Since when is OpenBSD stable? I can remember kernel panics mentioned in http://bulk.fefe.de/scalability/ and you can very easily bring the system down to its knees.
here’s one exploit found by noir:
#include <stdio.h>
#include <sys/types.h>
#include <sys/sem.h>
#include <sys/ipc.h>

int
main(void)
{
    int i;

    /* call semop() on semaphore ids 0..0x3f with a NULL operation array */
    for (i = 0; i < 0x40; i++)
        semop(i, (struct sembuf *) NULL, 0);

    return 0;
}
didn’t openbsd also have a simple ipv6 exploit found by Georgi Guninski? simple to use, and simple in concept, not to take away from the genius of Guninski.
“BSD is ok for tinkerers, servers (and OSX) but linux is more polished in my view.”
In what world do you live in?
I don’t know about Open & NetBSD, but I can tell you that there isn’t one single Linux distro that can match the well organized, simple and clean FreeBSD. From the docs (think about the Handbook) to the way directories are structured, everything is done in a coherent and logical way. I just can’t say the same about the one zillion Linux distros around! There’s only one thing about Linux that I’d like to see in FreeBSD: good hardware support!
If you like Linux, great! But please don’t come saying that it is more polished than a *BSD.
like the previous poster suggested – the claim of only 1 remote exploit needs to be looked at – that applies to a default install with no services additionally switched on. it also does not include *local* exploits.
if you are considering openbsd you should be aware that previously its performance was not its main priority (although they are working on it):
http://bulk.fefe.de/scalability/
having said that – credit where it’s due – it was the first with ipsec/ike and many other crypto and security technologies. they do a very hard job and i’m glad they do.
Perhaps I should start copy/pasting all of the known exploits/bugs/weaknesses in your favourite operating system? Rest assured that they’ll be far more numerous than the OpenBSD bugs.
Oh and another thing.
Of course *local* exploits aren’t as important as remote exploits. Because only an idiot (who shouldn’t be a sysadmin in the first place) gives access to someone they don’t entirely trust.
Next thing you’ll ramble about the infamous ‘But they can still steal your harddrive’ .. Now, excuse me while I go and roll my eyes for a while. (as in while( 1 ) roll_eyes(); )
there is a serious point to IT security and the previous post. it security can’t be “installed”. we need to prevent people from thinking “ah product X will give me security”. openbsd as used without understanding is not a useful tool.
it is better to get people to think sceptically and warily, than to encourage a rose-tinted view of these things. and of course, the openbsd people themselves take this view, … i speak as someone who has a tiny bit of code in there too….
Oh and another thing.
Of course *local* exploits aren’t as important as remote exploits. Because only an idiot (who shouldn’t be a sysadmin in the first place) gives access to someone they don’t entirely trust.
Typical OpenBSD bullshit. Combine a remote hole (not resulting in privilege escalation) on an application maintained or not by OpenBSD and a local root hole and you’re toasted as well, while you didn’t give any local access to anyone.
You’re a dangerous person, to dare say such things. I might have agreed that remote vulnerabilities are more critical if you hadn’t given that reason.
> If you look around the Internet, you’ll see that of any open source development project, OpenBSD is the most closed. There are no public forums where people discuss design or advances in OpenBSD.
I guess this fancy, new thing called “mailing lists” have completely passed you by, eh?
It’s a revolutionary new approach where people subscribe to something called a “mailing list” on which they can “post” (ie send email) and discuss various topics with each other. OpenBSD, and virtually every other OSS project in existence, have such “mailing lists” that anyone can join. Ah, today’s technology, is there anything it can’t do?
> The cynical would say that is because they don’t – they
> just copy FreeBSD or NetBSD code (AMD64, USB, SMP, etc.)
The people who have a clue would say that you’re stupid and uninformed.
<em>Typical OpenBSD bullshit.</em>
That’s the spirit! More wide, sweeping generalizations everyone. It’s great fun for the whole family.
All OpenBSD users are idiots, all Linux users are pimple-faced, cellar-dwelling, freeloading geeks, all blond women are easy and stupid, all arabs are smelly and kill little children for fun.
See, wasn’t that fun?
Yes…an OS installation is only as secure as its administrator, but OpenBSD definitely gives an administrator a leg up over typical Linux distros, for example. It’s true that when you start turning services on you lose some of the security of the default install, but the point is that most other OSes leave dozens of services on by default. Wouldn’t you rather start with a really secure but unusable default install that you have to loosen up over a very insecure but usable default install that you have to tighten up?
I don’t think any serious OpenBSD user will tell you not to patch or carefully tune your firewall and file permissions.
Every admin worth a crap knows that you should take the layered “onion” approach to security… safe policies, draconian firewall, strict user permissions, daily checks for patches to ALL software used, never run software you don’t need, use intrusion detection software such as Snort and TripWire, etc.
“Perhaps I should start copy/pasting all of the known exploits/bugs/weaknesses in your favourite operating system? Rest assured that they’ll be far more numerous than the OpenBSD bugs.”
I would not be so sure that you can write a shell script with which you can bring down a Linux, FreeBSD or NetBSD system.
FreeBSD, Linux, and NetBSD default installs can all be brought down by a shell script as well.
I found Linux to be a good choice as a beginner, because it has a nice installers and a lot of nice software preinstalled.
But when I dug deeper into this world I found NetBSD more suited to me. It just felt more clean and very fast, whereas my impression of linux was that it’s the opposite (this is a few years ago). Maybe this is not about the Linux kernel but about the distribution though.
Well, I started to look into NetBSD because my Mac was not running Linux(tried some distributions) very well.
NetBSD on Desktop: Sure you have to spend some hours maybe to set up a Desktop (depending on your knowledge) but if you have done this, it’s just a great system.
I have two systems that are running NetBSD(fulltime) very fine.
A Laptop IBM R40 for JAVA Development mainly (XFree86+KDE3.2.x,JAVA(NETBEANS/TOMCAT)/POSTGRESQL/Domino Client running using Wine)
A PowerMac 7300 (Apache/PHP/PostGreSQL/MYSQL)
The thing I really fell in love with on NetBSD is pkgsrc and its geeky touch.
And I sure missed something
Test it. It really rocks.
I tried FreeBSD once and it didn’t work. I never tried OpenBSD but I will for sure give both a try again.
And oh, if you have installed KDE from the precompiled 3.5 packages, and want to webbrowse in Konqueror, you constantly get errors that “kded” crashed. Very annoying.
You know I had a lot of seg faults and other errors with OBSD ports and packages. In and of itself not suspicious, but most linuces and FBSD didn’t have this issue. I didn’t try NBSD much. In fairness to OBSD, I hear they went through and cleaned up a bunch of ports, as FBSD did lately too. I still like OBSD, but prefer FBSD at this point.
The above comments about NBSD are similar how i feel about FBSD. It simply works for my hobbyist uses. If I solve 3 app problems, I may stop running linux as my main desktop.
What about (linux) binary emulation… I am not sure but I think most BSDs have some feature like this…
I for example run without problems the newest JAVA & TeamSpeak on NetBSD through COMPAT_LINUX
PS: I am just excited if COMPAT_DARWIN will be usable at some time
http://hcpnet.free.fr/applebsd.html
All BSDs take code from each other, and all know they do it. They aren’t competing with each other at all, all have different focuses. One BSD isn’t better than the other, they use most of the same stuff
What about (linux) binary emulation… I am not sure but I think most BSDs have some feature like this…
One app was WINE. According to several people in the WINE forums, it is heavily tied to linux calls. I don’t know why this is, or how to fix it. But according to them, either WINE or FBSD developers may eventually port it over. I may have to wait a while. Might as well learn c in the interim and do it myself.
One other app was instant AOL. I can live without it, and i bet it’s an easy fix anyway.
A third app was cdrtools aka cdrecord. Always errored and burned coasters on FBSD 5.0. Works flawlessly in linux. It’s part of the FBSD ports and should work fine. FBSD has a native burncd but i don’t believe it works with USB CDRW.
I had a couple of other app issues as well. Most are probably fixable, I’m still digesting the FBSD handbook currently. As far as the Linux ABI, the handbook says that about 90 percent of apps will work in it. With work I can possibly tweak or port the other 10 percent. I will have to tinker with the ABI a bit more when I get time.
One day I will complete my defection to BSD. 🙂
nice, but too bad it doesn’t work…
(OpenBSD-CURRENT on i386)
Doesn’t work.
OpenBSD/i386 3.5
nice, but too bad it doesn’t work…
(OpenBSD-CURRENT on i386)
Your OpenBSD is once again Free, Functional, and Secure ™!
I have a very good remote root 0 day, but unfortunately the margin is too small to contain it.
http://wideopenbsd.org << church of the painful truth
http://www.bugtraq.org << read about openbsd ownage
http://www.seclists.org << learn to hack openbsd
http://h0h0.com << learn more about openbsd lies
http://www.guninski.com << god of openbsd (and aix too!)
Hmm. cdrecord works fine on my R40 with the IBM DVDReader/CDBurner and my dual PIII box(some noname ATAPI Burner).
I am using Wine to get Lotus Client running. It’s a HUGE Windows Application. So Wine works very well on NetBSD as a native application, I assume.
Hmm. Don’t know about USB Burners since I have none. But I can say that USB is working very well with NetBSD even on macppc with a Standard VIA USB2 controller…
Remember to use the ports system of your favorite BSD. It can help you to avoid a lot of stress.
Linux is more polished. Here are some facts to keep in mind.
1) Linux = kernel
2) Linux + GNU tools = Operating System
3) *BSD = Operating System
4) Polish comes from companies like Red Hat, Mandrake, SUSE and the community like Debian.
5) *BSD’s out of the box are CLI’s. You have to set up X manually. There are no auto configuration tools. Like VI?
Disclaimer: I am a *bsd/linux user, I still prefer *bsd’s.
check out this one: wine and compat linux in action on NetBSD
http://drewke.net/screenshots/snapshot1.png
“Because only an idiot (who shouldn’t be a sysadmin in the first place) gives access to someone they don’t entirely trust.”
You prefer no sysadmins at universities, companies? Sysadmins aren’t always the persons who decide themselves who gets access and who doesn’t. They could just as well be executing an order from people higher in the hier(8). Imagine yourself a new employee or new student at university/company X. This person was trusted when he signed up to study/work here. He/she gets an account on the network. Because the sysadmin believes local vulnerabilities are unimportant, he/she acquired root access on one of the systems which escalated to <fill in something here according to your imagination>. Did the sysadmin have a vote in the assignment of this new person to the company? Highly doubtful. You know where he/she (and his/her colleagues) did have influence on…
I have installed openbsd a number of times, and can attest to the ease of ftp install. It is all very straightforward, if you RTM. I have found installing freebsd to be a more polished experience. I cannot comment on netbsd, never tried it. As a previous post mentioned, one thing I appreciated was the extremely well-structured, well-integrated nature of bsd, compared to linux. However, linux does rule when it comes to hardware support. In fact, that is the reason I had to reluctantly delete freebsd from my mini-itx project comp and install slackware: freebsd didn’t like the on-board rhine network adapter. My main gripe with the bsd’s (other than hardware support) is that the default shell sucks. Sure, it’s easy enough to change to another shell, but that’s my gripe.
It’s so painfully obvious that all you lame script kiddies are jealous of Theo because he actually contributes something worthwhile to the world of computing, something you will never, ever do. Hurts your egos pretty hard, doesn’t it. Just go back to your l4me..err l337 irc channels and leave us people with a brain alone.
Openbsd got their audits + special features, but in real life i don’t think netbsd is broken any more than openbsd is, and the Swedish defence decided to go with freebsd for their firewall “färist” after doing both a pen-test and a code audit.
So the “omg i’m so secure”-speak is more or less hype only.
FreeBSD runs just fine on my VIA Eden 600 MHz thingy. Had no problems with the rhine driver. Also got the VIA linux binary X driver (hacked by Matt Dillon) to work using linux compatibility. However there is no need for that hack any more; just mentioned it because I think it’s a little bit cool.
😛
I wish I’d known about that before . . . oh, well. I was pretty anxious to get a functional system going asap, so I didn’t spend too much time on it. Slack is fine for now, esp. since I started using swaret. I think freebsd was @ like 5 or 5.1 back when I was trying it. Maybe I’ll try it on the via again after I get ppc gentoo on a blue & white g3 I acquired . . .