Linux & Open Source - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Linux & Open Source


OpenBSD 3.2 Is Back on Track



 By: Timothy Dyck
2002-11-04
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Linux & Open Source story.


  Table of Contents:
  1. OpenBSD 3.2 Is Back on Track
  2. ' Executive Summary'

Rate This Article:
Poor Best
OpenBSD 3.2 Is Back on Track
( Page 1 of 2 )

An eWeek Labs Analyst's Choice, the security-focused operating system offers strong base of features, but upgrade path is difficult.

IT staff can make almost any software system secure with enough pain and wizardry, but getting great security with hardly any effort at all is true magic.

Thats the attraction of the Internets most secure operating system, OpenBSD. The latest release of OpenBSD, Version 3.2, started shipping Nov. 1.

Relative to its security history, OpenBSD had a bad summer: The default installation of OpenSSH (Open Secure Shell) in OpenBSD 3.1 was found to have a remotely exploitable hole. However, this new release (which, of course, includes the fixed OpenSSH 3.5) again shows how the OpenBSD development team leads the market in terms of security.

We get a lot of public relations from software vendors (and were not just talking about Microsoft Corp.) on how various new security efforts will turn things around for them. Fine and good, but time, and nothing else, is the true judge of success. The only evidence of a security turnaround that counts is a drop in the number of remote holes discovered in the code.

OpenBSDs track record—one remote hole in the default install in nearly six years of market exposure—is so far ahead of everyone elses that it stands alone.

Resource Library:

OpenBSD does have some significant problems, including a general lack of ISV and hardware vendor backing and the short period of time (one year) that the OpenBSD development team officially supports each release of OpenBSD. In addition, the operating systems update mechanisms can be quite disruptive. Nevertheless, the development teams approach to security is so effective (and, sadly, so rare) that eWeek Labs is honoring OpenBSD 3.2 with an Analysts Choice award.

It literally is our choice when the stakes are high: We are using seven different OpenBSD 3.2-based servers as part of the site infrastructure for eWeeks latest OpenHack security test. There is nothing better out there to get a security-sensitive system up and running. This is particularly true for those deploying firewalls and routers—OpenBSDs built-in packet filter, called pf, provides powerful traffic blocking, port forwarding and network address translation features.

OpenBSD 3.2 can be downloaded for free, or bootable CDs can be ordered at www.openbsd.org for $40. It runs on several different families of CPUs, but it doesnt support SMP (symmetric multiprocessing). This is a major factor that keeps it out of the higher-end server space—while it can run on SMP machines, it will use only the first CPU.

Although OpenBSD isnt an operating system that many ISVs make a point of supporting, the CD contains a fairly large set of prepackaged open-source server applications that are pre-compiled and ready to install.

OpenBSD installs incredibly quickly—we could go from a blank drive to a functional yet secure Web server or domain name server in 10 minutes flat. The system also has a highly centralized configuration, providing a single place to turn included server packages on or off.

In addition to making it simple to understand whats running and what isnt, OpenBSD has a security policy ingenious in its simplicity: Leave as many features as possible either disabled or uninstalled by default. Why this obvious and simple security best practice isnt more widely adopted is a mystery to us. (The Linux vendors hands are black with guilt in comparison.)

OpenBSD 3.2 also takes greater advantage of the memory protection features built into modern CPUs to block buffer overflow attacks. It now sets program stack memory to be nonexecutable, and on SPARC and Alpha CPUs it also sets program data to be nonexecutable.

The development team has continued to do its intensive code auditing and has been able to significantly reduce the number of executables that have the setuid bit set, effectively reducing the number of programs that need to be run with root privileges to work.

"The impact of many security holes has been significantly reduced. We had 40 exposed setuid programs in 3.1; we now have about nine," said OpenBSD Project Manager Theo de Raadt, in Calgary, Alberta. "Thirty-one of those 40 are not setuid any more, or the setuid is at a trivial level."

Its this kind of attention to detail, this systematic addressing of even minor security risks, that sets OpenBSD apart.

However, despite all this attention to detail, one thing that OpenBSD really lacks is an easy way to maintain the great security that you get from a fresh install. The operating system has no software update tools, other than downloading another cut of the code and re-compiling the kernel and user programs. This can take 12 hours or more and is extremely disruptive to the system.

Unfortunately, this wont change any time soon. "We dont have the manpower to take care of that. Were going to keep doing things the way we are now," said de Raadt, who emphasized the importance of refreshing the whole system every six months or so, something thats tricky to do even with patching tools.

"We may start making stable snapshots. We would put it out two months after the release and continue for six months. ... I think anyone that considers the stable branch to have all the fixes after six months is crazy," de Raadt said.

OpenBSD isnt a do-it-all Unix such as Linux or Solaris, but it is a great tool for those edge-of-the-network spots where things have to be done right the first time.

West Coast Technical Director Timothy Dyck is at timothy_dyck@ziffdavis.com.





  Reader Comments: OpenBSD 3.2 Is Back on Track
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Linux & Open Source Articles          >>> More By Timothy Dyck
 


x}v㶲s{̎Sj^-c[n33K 1ErmuN~b^Κo*fɗNvҶDBP( o^ȹL{D.Ԣ$;q=3齟%TymZFUdHԫe 1en軫w2Gv-cP;^ ׫y(yVშ bH%cjAM5'#{F-+}D}q^nduLbh דb^P+$ȁ_EkJDqu)pC(DsXJՇHaD<ȴ'Ç^b&0#ǎ[}+Cp_C!G-b90}go9-rtH`Uƞfn=! A-a9p<^- #J3rr :I!4G v`4EO5H;@XS*HVfĴ3uk-3@ؾ.&d =D?ǭS I] oZL<뇟Xc`cy['2Vk|uv9S{pH;wE-b6rۄ@ظtLaHj8v=:eCY3ͰL6g@6۪ZEQrt;}޴νoĩqs3ywkԚ7?9WJ)Euv!􏂺-ݾWж켮kyu|Oy~Vo8 - :V7Rߘ 0Q&*R>_$|ajm@t4[BN,:@FI7j|%rP8kV Kj$Y̮gVҐ gUUYZͣlni^vW׭NtgG׭)7f٘Y ji%dPY2 LU5M}!kr:nv>9SI`BmiueUo~vO|wQ&sچa#U*IͼCf}t$޺pt:&IoDz|=!u/ !]O}nr2C2Io$w$ A5 tAJ31 NE [@];L}$ԃ6kiL 9B:%yW7.hr Ae)#8?c݃IhJq䰉3ذ 1"%w5/%,)|U>hI"A[8 .*J!"xN3t A.r)#t`o8{ØWXќy< K.ν!fyќ(/Ӆ]Wf޼G=-(<O \/;mtt0*>c]g9",QqsuTStʥt =Jj*JGf[Ԗ-Pò˔t}x7 &= aO>q|BtR붝x>:AG:ڴb{\gfc4!.iGhgX0= cOv/\1>< ZF;=H:}mP`9$GʦOM&@B9{ǻޚ~(w z7/u,/O`\@Z9`$8ʼ } ¢81OpMrA=9;ݴiǀxt05(.KϷ2R}c9>(G)+@]HPw9J B!L0H V0(VF􎄰b!ilbq sgbX@;7 =*%nqR%a 934YIjL=?l1!UGlr`Y \h+|i)lb Ԩ6؛RմR>UiқMÄ% {i]y5 XLcF3pEq<9`Gs4h? G:uG  VV̚S=S.ƃ5Œ;j<Ĵa861 0|CheBC`9N{c1du׵L:ȑ:L:%qK-0s k2'yv=&.У\8$/4<3_O#k[}M"߄T VsA|5 i!׬L q^i.:[@ſΖUkͲG/ 7bq_[ֹP}o@x} 1+_w jQt(*АT um:_2,# %΢?0Z;Hpcʻ؈a=50_ܰ퀡S*+ǀ#SV)jV^Ϛe+ L 4 ` *3[0P&m^MVޱu<| }r368 6*l|0ː ;v'JkX"lM M=t%\42.|O V,'0{3gбfa|aa9m. eCKz2^7!lLsCm0 "}Ӛ"{Owm)WB~*KE%1gIҏ5 &^PGe d^3`M[`R9CDzAٌ34\}Zj\489VSo>e< ġMD|IaT90l]+k j#Xe[;pMb8~ >BS-c&ND[M3$!OT^' yE)%x>5 d1G$o+:#PE~"yj s!T90|"*2VD07pl)5tl*FuIM8`MoaRI`HL!2BSݧ=1g匬L7 { d+|S{ZIUjA-8Y+0yOoSO@H.5=g8ޗ89w쾻&F/OAPz6gn-!Wש%XTe10+fW#S@)wHF(`0]( h3sT͜Z/YQSlfca "9&7>jVj8v7dݤ/Hɘ-qV}Y=w7䊢-?݀ޭlF'FA\=>< `QtEa*NiLHYT9BRkEBZG ?cqe@xgص`L )Ĩ5U)T*~eM['5^,?mhDQXi^{p ';pLjg y+즬h+sJbOW2ED3yxjC鳨OiD?Y`b&T~\yRglg^a+oU20Ow}Xc7o*\$t+nN]WU[>s1ѻMclsKq3`9"象mBt@+'&GlE;8J6Xjl=["c3۝>"s0Ϲ$L3 㦧RTJ< V_A3Fˁ㚆/SOv8^֧UU{MyR̚,(@jm>a,0r`W.qLspIE.2I*"Ee|8NY HXLʅR_ kRQKU#g0k(Gܑ(~ (zC9km5;n>s'_U]xT'7 F|/E%~ͳ!퓼Fpihe~6Kfb;߯ͥZ57e XsB5x)afK%2_vܖ[J,]A.a u0 ]6%Q;o\ #Ԛf$s,2.q:-efF*} UT :"iJ^R+ϢpӁ9tOFl~"r tDġd:iԣo{\Whg?"XwSwgA#Sj$NRimX.e$D.kS@ ʃZ'GYdA|a+R&ɠK= j\h?Cp3{ ,(WI0R c@JA=o8iu#i%LB( 1t}ES)Q\(OYI}Lg G(_(o0[HӷoHW蘧YD_q-sz4~& \2Z9ntH1?x>ou&Lz4/3 Í7G jE5p!#N MukNEm1Obt#1%N!{7l'iliQ%uyjs:)!OOp|N(k+'I^VR6T$4%!44QLNbC]B+C7g ҹj\nNpVHpo6_xvImKdMã ,-Y+4$/i\A1t[Ǎp",G7b%%h8W*Brc'xr'|xj}yUYN=r;GNՃĶ '-=tc$vd:Gw*b),_khrrӅ[ejg{t?Gdc: M"INU.UdU)IYDG㳑)G8{tH_7/lǵ4/ Zc \,0eRKQCX#Y6wmT6;"NGv@'7+Z6}gO~UD>Jԧӆeq".Ǔ 1Ty@zNafc[Gt}L;p_Sx {l7yTzߜafgN+<lOu7p\?[߸+E 8te7п$PR5EK>&:qHI}1tN|rLdO{Ty="N4vR2f; /O>1,q-p cEهҽ89Nbrs™㇉"s`tuta_ǔ20u[uMh4qn漆Ѧ ) +M];ObQ(U(|S,*/f_,BgL$JJ^I?xE ^\Rb Dz'3w80})*yXHY<ɚpTd! 9_0yRkT$B A(CB0(Kn[uM")I)o<5NuYZK[y CZaxkO—b;mMG>W}uٶ_tK/? ]AK=_ҽQusSǘRt($a IE$ W7_=$t~7)GQAHw/ِ0/]|"ÔJM?YflrArX{.2))a!"c|׷r*Jye+ r2 Ǫ8XF֋ XXXXU}zyW64>8c$Ki&|T\i\S\wHpg> 6z>I_= ([t0ڗ1_ /jC>}1?rƗ.fRk@uI-q5{*'3[>{ &,H} 'sjHmLL%MQtE=v!JR'[;IcX*+Ɠ7pHx [  [APa $jq1o+YD S%lȉ/lst:,vpCA5 }%ܱaQ/<ڐ/c%}ny3= N-}mۅ1tcฏ[ x$G<bxA͙OJɯnYךb8\_1f;\Y ]ڙ`ciRA-<6pp\ px SpB1p_55f P Yg>ʾwWuN*uhi'&)T^%UF[3KDM:Zߤ*7ޛo~s}s}s}s}厼|I+nG^3|Sr<E'f>$x_N|==zCH_xa zYߨVm#O;:i޼ҙHx O3  Dz,@@kg^ i/d"Fdl|i\(BDzbf V|c_ؠQtݫ?^K. m\ͅZ M$mwGtnM]jǓ#YbWbpY@@$Q  I&0F LpL /KF L~i'^$NeG:sO{m Qʫ9 !@Bq`,F Olۛi- -&YC`K3'P4һH\ޛ_ǵigZ,#im٘/n .e?Ra7+LU^w^8IZO k\$E(td3a $%?\W=r9њ+&[_rDR|k ƿh4Gons]+ӹnz!TVd nT:k3"}m٫b+@M\ 6->,OċM{Ow]@VE[mYΣ.$[W2H.KFqblC?>`lNJf4C2CbE$t86+℉ffi"%S&H4pEzXȓsu:z ~vϳYb&>&9`W:?3_/⥽^FxaGie^ e+It'V^4bd= Tכ7OQ5IVH,u c"67 a} ?~Ge3 ű߳9x\;Wʾ`܀*ZWq%]ZPh3| ךD3* I8}nX};iwWjW= b* n'٫YsqYfSxc f0}QCpooc-ĵd?cNtޜvPn'#&\ߤ}>y|`'㷈DCঀ 9~?*n H >vxr7HpPR]kJ9-0 )b~[ 1W&^qw᫉P:8!#9pްBXD?ۉ.!4pZ4qN䀲e|+A#샒=%hA ,q'Ds.? CuXYRSw-Zo[+U#rd! `,%o,"yxa rC/?quQ5Ie3)6̴ ۜsj41y!^r c%5,S++rE<=G!:{uZxeL<^^AFsc3 i"r\I{ G]#DWtHU1 & LLGZj>At3#mz^C GJk&pVy k+mLx[U8Ow| 􄼥޼v{O%YձHޚ-ݾ]yrjyrZE8a X:H\ӌA~@klM/5 ?)3$Y]Z 0Mr}&U"cM*r ~Z^)Rw(`$.ȑՊJAܣF +{p?B5r#O<`,TO8粈{=ב:ۮ煸#=/BRJ{֌Ra):dIK0 LtxZڊ|Lk?H~K12}@ eˡW}h+1q%˿eJd4?s*0K{QF^^A94Yvdj :q^aci*qwM[,{=<%&hPjߙcۨ/:OyZ~1R3YqlΉ04%nc 趩ep::Iǥ4 ?R)!7~m+sY h#nO5 RRrMu&pt\˧bDK )n2BSmsO1h>`HfLW<00t#PXgզٝ$7{gFX t/^\}|A(ٽjb+Y!kb^xҞC+qܔ.tb,@+> #> :{n^/UG"?{|/Qd>pOґ!WU= wz2̥7d?= nM8=iǃ"Ba,b+pD['鍀C{hb#3FJP0\G&~hesv !Ϝ)k`"֌-3>(4G=Gq 'lI<R+0wAs-=g2Vh czS@}u|1[GB(9Ĝ#MX֨5o~(Jԭ5'Ч枩S-0Șh MQ ҖHxDnr}ttf$!"fma@O߸H !Ř!&"mXS6#&| Q(x|m]VP>n]11F~ŷN(lC;b21C\.GӔ$N0X/)T&}fA=bA!>?$~?IL)!H0ZAmjᱱ X`,2E<ezX<>qA~2?5:V5Kq:rtT++ʾ|{}a > ce[7ΥiHDRx|L ]ǒ 4B1h 2IA20=ce|?ݱi2%( p {@Ka1c~Pob$4+ >)y>gٕa)XUʗFy| ^fI+U pӄ^I+L^ / PHZ  WuGISkw۷hh\]"k &|8_%9jo|pK4>VO>>.W׭.ƣ|j5<ח6/*v(P^6.NRʉ7rm.4 "G}Y| wDE Ecq~^ ̝۳'Q?B)Qe3 \CĨҫS121IS89nv:zjŵ6V#g5^L7%`yS t]uiC-S܄@1@C|i7}Cx_m;)^SʯW7SkP^S]]~48i)?@5y_PauY+S?k.odꭓ5_k ~i])[kYS ?.?klWX3>5}/s>5XßkerM/?B5gP~_P5P~r^\K5koi?m/5 j \Wk޿^?gM;Κwk+ׇ5?+}\ӿ@kw7ʁo ࿛5$i<5rָ…)њb~_%/<+%(_J Xikث5t.3_묑S[[?'u CFWT}^S_xڜ覵p-]k}:c|e$2/&k W4<< X!rnmi҇sd^ WsU}Ӊ0TbMdGE<m} t=}}ZxeכQǒGЬn#=D>{剹?|Kaxwq0'A7'n"gB8#W@jeְ<.1Kx @oz(_ M+4{t؉vF3O ؑɸӾT*hZA-oT.Kw;?5&}"BQ]FTMVYI0ZI9(PPफ़h[vRjo-ǡ'N!3pC>&J5F!D`5~L@LDNz_m\RPսD&-\ŠMC猰Kva[F0 mc|𷁞 G254>MqkqB4wޠ z}y<8?6%cx-7:]AdKdp!gB[t!pPeD˪dB` ,jϗ=5[nb扵U$7OWy ɐpH-{wͻzU;x, #XC0 |ˉK;޼gnp1Q6`Z]e=oj`-K?Xv;i50ٚ($̸fxOf@L @qf|1h_uWf%Ar ( kDF(t#byܞ0۰zuO5wo&ܹ }Cpzusұ E.[vܙexXxR Hv2( pPOLj&g0xSz_Lr(pIdh/0Sܳ/DDlKڝ_1=}`&] p59|0Dᵅ9,|Ŷr.iaBc M= o9/sxrh`=E('ѵF|Y\+u`_GFb+&2 U\&\#4z"{aA k!׶ڭ+2]jQwh}tZWXSܲ{PPD«U/="2cX {ԟ1h_ EY/_.5(l$9=ASh4ϛ5; gCCJGrB帘c{[/AI)H[aD6vVVAg=Y,> V_$v{%B)π Խ!zo>7F7'cS9>&-^Πo'b_,n7eE&PLmi]ⷓK? /X)Ns'|omW|D,[k~9rCR@I`Q xa;C΃NNM~;Ǔ s0abV@d=)O?6'[nAG\+<>bipO1SpY ѫv.|x@loMn-:Q.+H|n4~Uf2{Lߟ5g(Q|@ӽ^^nTf/<+1 <&Y`ߟ2L\)?>pE&"QTD s)ۉYbd圙F&9~(@P 9BuzϷ;<v;s}K_2Ҷy>v/-GyJ:\@ 7tl)NgsJY> mEAة&%`y @ 4:W qS`-hq#ƫ1ucB\P0_Anc.v^e܄1UF.DmhT[_ !*l+cV /߱ pݼ3Qa[_<BP1M)?&Il}EXYK嗏k mr?v,r?s\,Cct²cv9bRrW`0MZkAcL5ȱ(`,$v"V7rsh;h[STHهl*&o Y,{kۺнTB6<_(E8yjSSQ2ī$YN^ !nfe_FOxn0j8/S&20{(n4S@>$pe|x}3vC کo /+H)4V%Ozav,}k5jF?p {?=]^#Uj,Z9I쿑cg]Ո} zWR`D}{jYH |cqFA{3$Nm;+,?}RߴeüC2Z~%]PJYS ?*KQPK }x>5ݸ1%wW :?;e`PXLVȚ-v2/ ߁@tz`l G YPoH,L8#یdQ,*hF#~Of7 Us򩚘 t e57!p ++Xެ=% BdұVK=\iB$lbELy( .&?HV!c:{ZY?[>PuShv[E<8G|=..7| G8qupen9\`FUU"(踂Rp pZNB E'uq@Z$5a%23nD`ؓHTN ĸY;|fFJpxjny0̍ƽ'9iuBkH"ڗosCr}]qF㪵lm,DB-il=%ɑu+y_HGQIθ"(Q˄#4g@/ޢdS&">'*#B]t5<xlL/$ք$:TɌ;jk;PjgY)s|VЫ,I2bHZPyTvUetޕpXDjFLfp8v8mLja.tDٕ-ǧ%Lc숡/LCE\09P <-X!b5pap/ٰMiWUY(9?ҍ$d|J6eQ}"' ]'Ҿ4 lSyzqaY"g;=H_=