BSD And Other Things

/bsd/ - *BSD General Thread
Discuss FreeBSD, OpenBSD, NetBSD, DragonFlyBSD, FreeNAS...

IRC -- #baot @ irc.rizon.net

News: dragonflydigest.com - undeadly.org - freebsdnews.com

BSDCan happening right now!

No thanks.

Triggered GNU shitposter

>nobody uses it

pkgsrc > ports

>being this retarded

enjoy your 93s-like OS

Enjoy your bloated whalelike systemd-copy of Windows, shitposter.

Pic related. It's a Linux-chan cosplayer.

MS does.

Cry about it.

Randy herpes pls go

this is true

and its portable too

This, it's nice to know I've still got options when TigerBrew dies

Fuck it. I'm drunk and feeling adventurous. I'm gonna install FreeBSD on my laptop.

Check out PC-BSD.

Nah senpai. {Free,Open}BSD or bust. It doesn't seem to want to boot from USB though. Slightly worrying.

did you dd the .fs image?

I dd'ed the bootonly .iso from the releases page. I figured it was the equivalent of a net-install.

oh, if we're talking about openbsd then you need to dd install59.fs, not the iso

The fs image is specifically for flash drives, use that instead

Thanks, man. Gonna try that.

Easy is a very nebulous term, but I think BSD is probably the easiest OS to actually use.

GNU/Linux is "easy" in the sense that it's a dumbed-down consumer-oriented OS like Windows. So if you have a grandma who you don't want fucking anything up, you can give her Debian and stop worrying.

But the moment you actually have to do something of consequence with Linux, you invariably run into one of its abstractions upon abstractions that were put there by people who think they know better than you. Systemd is just the latest and most egregious example of this.

But BSD has remained truly accessible throughout its lifespan, focusing on providing one simple way to do any given task and improving that method rather than replacing it with something else every five years. It's kind of ironic to see GNU/systemd/Linux users claiming Unix heritage when their OS has more in common with Windows these days.

What do you prefer, Free or Open BSD? Any reasons in particular? Thanks.

THATS WHY I COULDN'T BOOT?? UGHHHHH

spent all of yesterday with that other anon's same issue, thanks man

read the FAQ next time lol

What is the ronk with NetBSD? It has Lua in-kernel, rump kernel, ZFS, and other goodies. And pkgsrc, which work'th everywhere, and which is love.

Other than these reasons, NetBSD is about the same as {Free,Open}BSD in terms of userland applications.

BSD makes the most sense because it is deeply steeped in, and actually follows the Unix philosophy. Linux is windows with a coat of paint and some Unixy window dressing. It's no more a Unix than a guy in a dress and heels is a hot chick.

What makes following deeply the Unix philosophy objectively a good thing to always do?

Give specifics, and not just a wishy-washy answer like "everything does one thing, and one thing well, thus everything is orthogonal".

simplicity and ease of use

I'm in the middle of learning OpenBSD myself senpaitachi, but one thing that keeps stumping me is searching and installing packages.

FreeBSD did away with pkg_* probably for a good reason. pkgng is hella easier to use.

pkg_locate just outputs spaghetti.

That's arguing from your own conclusions, and not specific details.

I can just as well take your logic and make up some bullshit like:

"Linux takes the best of the tried and true Unix philosophy of simplicity and ease-of-use, and combines it with modern sensibilities to create something really special. It combines the best of both worlds: it's foundation is the mighty oak of Unix philosophy, and its fruit are the modern touches which are the result of years of learning and refinement."

That's basically the same shit as you just said. Try again.

what do you want to do? search for a package on ftp mirrors? what you want is probably pkg_info -Q

Yes, pkg-ng is fucking LOVE.

As for OpenBSD: man pkg.conf. And take a look at /etc/examples/pkg.conf and copy it into /etc/pkg.conf. Add the appropriate mirror.

You can also just use the PKG_PATH environment variable, but it's more convenient to just edit that so that you won't have to mess with vars when running 'doas' (OpenBSD's equivalent of sudo).

Also see: openbsdjumpstart.org/

Unix philosophy is just a meme like KISS, you can literally say any software is too complex and use it as a troll argument.

Problem is when people actually believe that argument, pic related, trolled to death by BSD users.

Holy shit! I must have read through the man pages a dozen times, glossing over the -Q switch... I can't believe I've missed it! Thank you!

A quick Q doe myself. Is the default httpd, apache? or something else entirely? Man pages mention it's something similar to relayd but also seem to suggest that it is http server.

>Not just syncing a tree of each packages build script with local search.
>Not using portage.

the http server is openbsd's very own

it's partly based on relayd which is why it may seem similar at first glance

opensmtpd is also pretty good but don't think it managed to prove itself yet

Same user here.

For what it is worth, I'm a huge *BSD fan, and do like Unix' style of "one tool, one job". But fuck me, I am so sick of people just saying that shit is "elegant and simple" and never saying why.

I'll just say that I like it because it's what I'm used to, and it's fun pipelining random shit into other random shit in weird ways. But it definitely has its flaws, because a text-based pipeline can be a mess to parse.

I really wish some of PowerShell's ideas (like the object-oriented pipeline and some of its syntax sugar, and easy access to the .NET library) could be implemented in some way for Linux/BSD tools.

OpenBSD's httpd is very nice, I have to admit. Sure it's really limited in what it can do (some basic rules, basic CGI only), but its syntax is pretty intuitive and really quick to learn.

I fucking love the OpenBSD folk for how simple they make their shit. To me, that is fucking huge, because I'm sick of dealing with programs that have insane defaults, shitty documentation, and cryptic everything.

yeah what's really nice about most homegrown openbsd programs is that their configuration files all share a simple, similar syntax

httpd, opensmtpd, doas, pf, it's all similar

Remember trying to setup my own mail-server with smtpd and postfix under debian(?) I think it was. Problem is I have a feeling ISP is blocking port 25 so no mail for me (probably unless I want to pay business class.)

Might have to give it a shot, been meaning to replace a web-server that runs nginx on the front-end and Apache on the backend. Might just see if OpenBSD's httpd can suffice the Apache requirement since it's already installed from the get-go.

Thanks for the slides, nice information presented in a very clean way!

It's not just familiarity, but sanity.

I can usually get a new OpenBSD config file's syntax down in a few minutes, and the rest are just details I'll remember after enough time. For other software, let's just say... not as much (*cough* PAM *cough*).

Yeah I really should, I rushed off to do an install only to learn my wireless drivers aren't distributed with it

i will never learn this lesson

Silly user, I've been using Gentoo-Hardened for a while now. Just wanted to learn BSD as well.
Sometimes hardware sucks for compiling on source you know!

>ISP blockin' your shiz

Could just be that you need to setup an SMTP/MX relay with your ISP. My ISP has one, and I have to configure my mail daemon thingy to use it before mailing works.

Why not just do a portscan of your public IP address and see if port 25 gets through?

That's what I did. Double-checked firewall and local install's firewall for sanity to make sure it was open there. No dice. That's what led me to believe that it was on the ISP side.

Got Cuckcast for the record.

Oh hey, another Sup Forumsentooman.

I used to use Gentoo with grsec back in the day as well, for a few years. These days I've moved on to FreeBSD and OpenBSD.

Has Portage changed much in the years I've been away, and has the Gentoo project as a whole started to have any direction or leadership yet?

tfw I want to use BSD, but the AMD card I have has neither open-source nor closed source GPU drivers. It sucks that the best option is NVIDIA who are cunts. Free and openbsd are so comfy, I still don't quite know why, but they feel really nice to use compared to the linuxes.

i think you got that backwards

it is nvidia that has no drivers

Nope. Proprietary NVIDIA graphics drivers are pretty up to date and good, at least for FreeBSD. AMD shit lags so far behind, my R9 290 (a two year old card) still doesn't have shit available for it.

Don't bother with *BSD if you want or need fancy graphics. I don't think they'll ever really get where they need to be because the graphics vendors all greedily peddle their proprietary shit. And even then, their Linux binaries don't really work very well.

Cozy it up when you want either a server, or a very basic-graphics workstation.

Depends on the OS. You're correct for OpenBSD but FreeBSD does have Nvidia drivers.

oh yeah, you're right then, my bad

i'd say you'll probably get support for the R9 in 2-3 years, unfortunately

Note that OpenBSD doesn't support hardware acceleration on AMD GCN CPUs. I got hit with this and had to downgrade.

If I remember right, Gentoo is doing the Funtoo thing and moving to a git portage tree. As for direction/leadership I haven't been aware as much. I know semi-recently they got a nice site change too. Documentation is rather samey though.

I actually have been rather liking *BSD. NetBSD runs rather well on my Pi. OpenBSD seems p-awesome and FreeBSD is pretty much the general all rounder that got me into learning all this. Gentoo is almost the Linux equivalent in my eyes, but as I mentioned. Sometimes the hardware just sucks for compiling from source. Ports and pkg-ng at least give the portage feel without necessarily needing to compile. Which is nice.

Separation of the Base system and installed applications is a god-send as well.

I just need video playback and an xorg without awful tearing or artifacts.

But that's what I've been doing, when I need a server, I get to run with BSD.

Ooh, how does NetBSD work on your Pi? Does it have any good GPIO libraries yet for Python or Ruby?

Last I checked, every GPIO lib I've seen has just been a shitty wrapper that depends on the Linux-exclusive /sys filesystem.

Unfortunately haven't done any GPIO projects on it yet, hopefully will soon though. Would suck if I have to use said shitty wrappers, but I'd rather use BSD than Linux at this point. So hopefully there is a good library out!

I agree. That object-based pipeline model is extremely nice. It's a pity the rest of powershell is such a steaming pile.

What's bad about the rest of PowerShell? Do you mean shit like:

rm -f $file on Lunix

vs

rm -ErrorAction SilentlyContinue on Winderp?

>portage
>on openbsd

well i use pkgsrc on macos. thats even worse

That simplicity is what made me love the OS. The devs are their own target audience though. They are developing the OS that they want to use, and that's why it's the way it is. They aren't trying to please anyone but themselves.

Fuck this OS

*this OS family

And if you don't like it, don't use it. No need to shit up the thread

PC-BSD blows, get FreeBSD, OpenBSD, HardenedBSD, or don't bother

How does it blow? It's the easiest one to set up and it just works.

its clunky as fuck

What did he mean by this

why cant openbsd handle receiving a ping over 1 megabyte?

pcbsd is slow. ive used it with a box with 4gb ram... slow as fuck. its slow. oh, and you simply cant pull out usb sticks without unmounting them first. it will crash your computer.

OpenBSD is widely touted as being ‘secure by default’, something often mentioned by OpenBSD advocates as an example of the security focused approach the OpenBSD project takes. Secure by default refers to the fact that the base system has been audited and considered to be free of vulnerabilities, and that only the minimal services are running by default. This approach has worked well; indeed, leading to ‘Only two remote holes in the default install, in a heck of a long time!’. This is a common sense approach, and a secure default configuration should be expected of all operating systems upon an initial install.

An argument often made by proponents of OpenBSD is the extensive code auditing performed on the base system to make sure no vulnerabilities are present. The goal is to produce quality code as most vulnerabilities are caused by errors in the source code. This is a noble approach, and it has worked well for the OpenBSD project, with the base system having considerably fewer vulnerabilities than many other operating systems.

Used as an indicator to gauge the security of OpenBSD however, it is worthless. The reason is that as soon as a service is enabled or software from the ports tree installed, it is no longer the default install and the possibility of introduced vulnerabilities is equal to any other platform. Much like software certified against the Common Criteria, as soon as an external variable is introduced the certification, or in this case the claim, can no longer be considered relevant.

It is important to note also that only the base system is audited. The OpenBSD ports tree is not audited, and much of the software available in the ports tree is several releases behind current versions, meaning that there is a strong possibility that software will be obtained from outside of the ports tree. Given that a default install of OpenBSD has all network services disabled by default, it is very likely that software will be installed or a service enabled if the server is going to be used to actually provide any kind of service.

Since the majority of attacks are not against the base system but against software operating at a higher level actively listening over the network, it is likely that if an OpenBSD machine were attacked, it would be through such software. This is where OpenBSD falls down, as it provides no means to protect from damage in the event of a successful attack.

Providing a default secure configuration is an important practice, and one that is employed by the majority of operating systems these days. OpenBSD followed this practice in the early part of the last decade when most other operating systems did not bother, and for that the OpenBSD team should be praised. While it is a good practice it is specious at best to take this as a measure of the actual security OpenBSD provides.

It should also be noted that the OpenBSD team uses a different definition of security vulnerability, limited to vulnerabilities that allow for remote arbitrary code to execute. While most people may consider a DOS attack or local privilege escalation problems to be vulnerabilities, the OpenBSD team disagrees. If we use a more generally accepted definition of security vulnerability, OpenBSD suddenly has a far greater number than two remote holes in the default install in a heck of a long time.

Instead of working and testing to see the extent of the damage that could be caused by a particular vulnerability, they prefer to dismiss and assume arbitrary code execution is impossible until pushed by Core releasing proof of concept code to show otherwise. This is similar to behavior observed by many corporations. Unfortunately this seems to be typical behavior rather than an exception going by the various mailing list threads when a vulnerability is reported.

OpenBSD was never designed with security in mind. OpenBSD was started when Theo de Raadt left the NetBSD project, with the goal of providing complete access to the source repositories. The focus on security came at a later stage, along with the “secure by default” slogan. As noted above, a secure operating system is not synonymous with a lack of vulnerabilities, and certainly not with a lack of vulnerabilities limited to the base install. This should be contrasted with the various extended access control frameworks, which despite being patches to an existing project, were designed from the ground up with a focus on security.

OpenBSD by itself contains a feature set similar in comparison to the GRSecurity patch for Linux without the ACL or RBAC implementation. GRSecurity and the Openwall project actually pioneered many of the protections that occurred later in OpenBSD such as Executable Space Protection, chroot restrictions, PID randomization and attempts to prevent race conditions. OpenBSD is often credited with pioneering many advances in security when this is not the case. OpenBSD tends to add protections much later, and only when absolutely necessary as they continue to erroneously believe that eliminating vulnerabilities in the base system is sufficient.

It is also odd that for a project that claims to be focused on security, sendmail is still their MTA of choice and BIND is still their DNS server of choice. Sendmail and BIND are old, and they both have atrocious security records. To look through OpenBSD’s security history, many of the vulnerabilities can be attributed to BIND or Sendmail. Why would anyone choose these programs for a security focused operating system, when far more secure alternatives designed from the ground up to be secure are available? Examples might include Exim or Postfix and MaraDNS or NSD.

It is interesting to compare OpenBSD to its cousin, FreeBSD. While FreeBSD does not claim to have a focus on security, it is in fact a far more secure operating system than OpenBSD due to its implementation of the TrustedBSD project's work. FreeBSD implements proper access control lists, event auditing, extended file system attributes, fine-grained capabilities and mandatory access controls which allow for a system to be completely locked down and access controlled as necessary to protect against users or break-in attempts.

Despite the TrustedBSD codebase being open and available for OpenBSD to implement or improve, they reject it simply because they consider it to be too complex and unnecessary. Even if the OpenBSD team did not want to implement extended access controls they could implement proper auditing through the OpenBSD project, which they still reject as unnecessary.
It is no wonder then that when governments or organizations look for a secure operating system, they look to systems that have proper access control lists and auditing, something OpenBSD is not concerned about. A good example of this is China choosing FreeBSD as the base of their secure operating system, as OpenBSD was considered insufficient to meet the criteria.

The library calls strlcpy and strlcat should also be mentioned here. These library calls were developed by Todd Miller and Theo de Raadt as a way to eliminate buffer overflows by ensuring strings are always null terminated. However this approach is controversial, and can actually result in more problems and security vulnerabilities than they solve. While they may have their place, they should certainly not be relied on, and doing so shows a poor understanding of computer security.

This is the main problem with OpenBSD, and what prevents it from being able to be considered a secure system. No matter how quality the codebase or how free of vulnerabilities, there is no sufficient way to restrict access other than with standard UNIX permissions. OpenBSD team leader Theo de Raadt has openly stated that he is against anything more powerful such as MAC being implemented which is a shame. There is no good reason to avoid implementing extended access controls when the greater security and control they provide is irrefutable.

OpenBSD does offer some basic protections to protect a running system, namely the chroot functionality, chflags and securelevels. The chroot implementation is a secure version much improved over the standard UNIX chroot, but still far lacking when compared to a proper jail implementation such as that provided by FreeBSD. The consensus among OpenBSD developers and community is that you can achieve the same result using chroot and systrace. Which means they rely on a third party tool to implement a secure design that is present by default in FreeBSD, NetBSD and numerous other unices.

Securelevels are an interesting concept and they do help with security somewhat. Securelevels can only be increased, not decreased, on a running system. The higher levels prevent writing to /dev/mem and /dev/kmem, removing file immutable flags, loading kernel modules and changing pf rules. These all help to restrict what an attacker can do, but do absolutely nothing to prevent reading or changing database records, obtaining user info, running malicious programs etc. These protections do absolutely nothing to stop information leakage. Making files immutable or append-only is a poor option when contrasted with the ability to restrict reading and writing/appending to only specific users or processes.

The OpenBSD project and community had access to a tool for policy enforcement named systrace. Systrace is a third party tool developed by Niels Provos, and has never been embraced by the OpenBSD team. Systrace lacks the versatility of a proper MAC implementation, and had similar weaknesses to AppArmor since it relies on pathnames for enforcement. Systrace is a form of system call interposition, which has been shown to be insecure.

The only software even close to a MAC implementation is rejected by the OpenBSD team, and is insecure. Despite this, systrace is still maintained and offered/recommended by the community as the preferred way to sandbox and restrict applications. Given this obvious deficit, it would seem even more prudent for OpenBSD to make use of the TrustedBSD project.

This is the main reason why OpenBSD is unable to offer a secure environment in the event an attacker is successful. Instead of implementing a form of extended access controls and ensuring the system is secure even in the event of a successful attack, they prefer to remove as many vulnerabilities as possible. This approach is naïve at best and arrogant at worst.

>tfw no powertop for OpenBSD

Thanks for all those posts. I was under the impression that openBSD focused on being very secure under their default install, but offered little to no means of proactive security in case shit hits the fan and you clarified everything for me.

That said almost no one uses a MAC on Linux desktops or have even Grsecurity/PaX.
OpenBSD is far more secure than Linux by default, unless you are a sysadmin and use SELinux/AppArmor but most people don't even know that stuff.
Hence the slogan secure by default.

The main argument against OpenBSD is that it provides very limited access controls. OpenBSD attempts to remove the source of vulnerabilities by producing quality code, and has such faith in this approach that very little is provided to deal with a situation when a machine is exploited, and root access obtained. Perhaps inevitably. It is this lack of access controls and protection mechanisms that prevent OpenBSD from being the secure system it is often credited as being.

It is also the reason the aforementioned frameworks such as SELinux and RSBAC have an inherent security advantage over any OpenBSD machine. Due to the use of some sort of MAC, RBAC, TE or other advanced access control used by these frameworks, a level of control is possible above that in traditional DAC systems. With a traditional DAC system, the user has complete ownership over their files and processes, and the ability to change permissions at their discretion. This leads to many security concerns, and is the reason most attacks can be successful at all.

When a computer is hacked, regardless of whether it is due to a drive-by download targeting an insecure browser on a user’s computer or a targeted attack exploiting a server process, the malicious process or user will inherit the access of the browser or process that was attacked. The prevalence of the DAC architecture throughout most operating systems is still the primary cause of many security issues today. With many server processes still running as a privileged user this is a large concern.

It is also something that is hard to fix without changing to a different design paradigm. Many of the technologies that were developed to help prevent attacks such as privilege separation; executable space protection and process ID randomization help, but are not sufficient for a majority of cases. This is why the need for an extended access control framework is present. With the use of something like SELinux or RSBAC, the significance of individual user accounts or processes as an attack vector is decreased.

With these systems every single aspect of your system can be controlled to a fine-grained level. Every file, directory, device, process, user, network connection etc. can be controlled independently allowing for extremely fine-grained policies to be defined. This is something that simply is not possible with current DAC systems, which include OpenBSD.

As an example of what is possible with extended access controls, a web server process running as root could be set to only have append access (as opposed to general write access available in a DAC system) to specific files in a specific directory, and to only have read access to specific files in a specific directory. If some files need to execute, then that file itself (or the interpreter if a script) can be restricted in a similar way. This alone would prevent web site defacement and arbitrary code execution in a great many cases.

On present systems using DAC if a targeted attack is successful and access to the root account is gained, there is nothing the attacker cannot do. Run their own malicious executables, alter files etc. This is why OpenBSD is necessarily less secure than any system making use of advanced access control frameworks, and also why OpenBSD is not a secure system. While OpenBSD has many innovative technologies that make it harder for an attacker to gain access, it does not provide any way to sufficiently protect a system from an attacker who has gained access.

It is possible for example to restrict something like perl or python with extended access controls. On OpenBSD if a user or an attacker has access to perl or python, then they can run whichever scripts they like. With extended access controls, it is possible to restrict only certain scripts to have access to an interpreter (and additionally make those scripts immutable), and prevent the interpreter from running at all unless called by those specific scripts. There is no equivalent fine grained granularity on OpenBSD.

Another way in which extended access controls can help is to protect against users. Even on a desktop system there is a significant security advantage. At the moment most malware requires or tries to obtain root privileges to do damage or propagate. What most people don’t realize is that even malware running as a normal user can do significant damage as it has complete access to a user's files under the current DAC model. With some form of MAC, if a user decided to demonstrate the dancing pigs problem and run an untrusted piece of malware, it could be restricted from having any access to a user's files or being able to make network connections.

Even Windows implements a form of MAC – Mandatory Integrity Controls. While not terribly powerful, and not used for much at the moment, it still provides increased protection and allows for more security than an OpenBSD box can provide. If even Microsoft can understand the need and significance of these technologies after their track record, why is OpenBSD the only project still vehemently rejecting this technology?
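The pasted article's strlcpy/strlcat paragraph above says the calls guarantee NUL termination but can still cause problems if relied on blindly. The following added example (my own re-implementation of the documented semantics, not OpenBSD's source or anything from the article) shows both halves: the destination is always terminated, and the return value must be checked because silent truncation of a path changes its meaning. The helper names (my_strlcpy, my_strlcat, build_path) and the sample paths are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* strlcpy semantics: copy at most dsize-1 bytes, always NUL-terminate
 * when dsize > 0, return strlen(src). A return value >= dsize means
 * the copy was truncated. (Added example, not OpenBSD's implementation.) */
size_t my_strlcpy(char *dst, const char *src, size_t dsize)
{
    size_t srclen = strlen(src);
    if (dsize > 0) {
        size_t n = srclen < dsize - 1 ? srclen : dsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* strlcat semantics: append to an already-terminated dst, never write
 * past dsize, always NUL-terminate, return the length of the string it
 * tried to build (initial dst length + strlen(src)). */
size_t my_strlcat(char *dst, const char *src, size_t dsize)
{
    size_t dlen = 0;
    while (dlen < dsize && dst[dlen] != '\0')
        dlen++;
    size_t srclen = strlen(src);
    if (dlen == dsize)               /* dst was not terminated within dsize */
        return dsize + srclen;
    size_t room = dsize - dlen - 1;
    size_t n = srclen < room ? srclen : room;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + srclen;
}

/* The caller's half of the contract: returns 1 if the whole string
 * fit, 0 if it was (safely) truncated. Ignoring this is the "relied on"
 * misuse the article warns about. */
int copy_checked(char *dst, const char *src, size_t dsize)
{
    return my_strlcpy(dst, src, dsize) < dsize;
}

/* Contrast with strncpy, which leaves the buffer unterminated when src
 * fills it. Returns 1 if a NUL landed inside the first dsize bytes. */
int strncpy_terminated(const char *src, size_t dsize)
{
    char buf[16];
    if (dsize > sizeof buf)
        return -1;
    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, dsize);
    return memchr(buf, '\0', dsize) != NULL;
}

/* Build "dir/name" into out, refusing (return 0) rather than silently
 * producing a different, shorter path when the pieces do not fit. */
int build_path(char *out, size_t outsize, const char *dir, const char *name)
{
    if (my_strlcpy(out, dir, outsize) >= outsize) return 0;
    if (my_strlcat(out, "/", outsize) >= outsize) return 0;
    if (my_strlcat(out, name, outsize) >= outsize) return 0;
    return 1;
}

int main(void)
{
    char path[32];   /* constructed sample inputs */
    int ok = build_path(path, sizeof path, "/var/www", "index.html");
    printf("fits=%d path=%s\n", ok, path);
    ok = build_path(path, sizeof path, "/var/www",
                    "a-very-long-file-name-that-does-not-fit.html");
    printf("fits=%d (truncated path rejected)\n", ok);
    return 0;
}
```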

Nice pasties

Open bsd.
Airtight as a 2 dollar hooker.
Ok then.

who GNU/Hurd here?

The real BS(o)D

>this coming from lincuck
kek

goddamn you are one serious shitposter

No, the GNUposter is you.

>ensuring the system is secure even in the event of a successful attack
There are so many fucking privilege escalation attacks for Linux (because of the fucking huge attack surface of the bloated as fuck kernel) that it's fucking trivial to bypass any of your magic MAC powers.

Wow someone just pasted all this shit...

allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/

Get a life loser

Some autistic dumb fuck does it every time there's a BSD thread. All of the points in that bullshit "article" are outdated or just wrong.

Yeah senpai, that guy shitposted all over the net back in 2010.