Distributions [LWN.net]

News and Editorials

OpenBSD 3.5: a peek at another free Unix

May 5, 2004

This article was contributed by Ladislav Bodnar

After reading LWN's recent coverage of SELinux and its implementation in the development releases of Fedora Core 2, several readers expressed disappointment about the complexity associated with this new security model: "SELinux may give administrators extra flexibility, and add some extra 'layers' of protection for critical files, but security pros usually consider complexity to be the enemy of good security - and this system is nothing if not complex," wrote one reader. Still, with several attacks on high-profile Linux servers during 2003, many system administrators are evaluating various security solutions for their mission-critical servers and firewalls. Those of them who are prepared to look beyond Linux might find that OpenBSD is exactly what they need.

Initiated by Theo de Raadt back in 1996, OpenBSD's primary goal is to build a free and highly secure operating system. The developers pride themselves for a remarkable achievement of eight years with only a single remote hole in the default install. Although OpenBSD doesn't support nearly as many processor architectures as NetBSD, its original parent, the latest release of OpenBSD is available for 13 platforms, including Alpha, AMD64, PowerPC, SPARC, as well as i386. But despite fundamental technical differences between Linux and BSD, a system administrator familiar with Linux will find it relatively easy to administer an OpenBSD box, especially after reading the project's online manual (which includes a section about migrating from Linux to OpenBSD), or the superb Absolute OpenBSD by Michael W. Lucas.

How is security in OpenBSD better than in other UNIXes? Let's take a look at some of the more interesting features found this BSD flavor: file flags, securelevels and systrace.

File flags. File flags are an OpenBSD concept enhancing the traditional UNIX file system permissions. Once applied to a file, the flag will either prevent a user, including root, from removing or modifying the file in any way (the schg flag), or will only allow appending new lines to the file (the sappnd flag). A good example of the effectiveness of this concept is making the the entire /bin directory recursively immutable with the schg flag; once applied, it will be very hard for an attacker to place a trojan into the directory. On the other hand, the append-only sappnd flag is often used on log files to prevent potential intruders from covering their tracks. Besides system-level flags available to root only, similarly structured user-level flags allow users to set append-only or immutable flags on files they own.
Securelevels. The concept of file flags works in conjunction with OpenBSD's securelevels, of which there are four: -1, 0, 1 and 2. As soon as a file flag is set, it cannot be removed unless the system is in securelevel 0 or -1. To extend the example from the previous paragraph about making the /bin directory immutable, what happens if an executable file in the same directory needs to get a security patch, but the system is in securelevel 1 or 2? In this case, the system administrator will have to lower the securelevel in the BSD kernel by rebooting the system (while the system is running, the securelevel can be raised, but not lowered). As this example illustrates, the introduction of securelevels can prevent some common security exploits, but as a trade-off, it makes the system less flexible, especially when it comes to patching or upgrading applications.
Systrace. OpenBSD's systrace, a policy-based system call access manager, is conceptually similar to SELinux. Like SELinux policies, the systrace policies define which users and programs can access which files and devices in a manner completely independent of UNIX permissions. Proper use of systrace can greatly reduce risks associated with poorly written or exploitable applications. While defining systrace policies is not a simple task, it has been made more palatable by the fact that systrace has been around for a long time and there are many online repositories with systrace sample policies (see the interestingly named Project Hairy Eyeball as an example). Also, systrace includes a policy-generation tool listing every system call available to the application for which the policy is being generated. Although an experienced system administrator could probably still tighten the security of the system by refining the default policy generated by the tool, the defaults are often secure enough for most uses.

OpenBSD 3.5 was released last weekend, following a predictable twice-a-year release pattern. As always, the complete ISO image sets of OpenBSD releases are only available from the project's online store ($40), but the operating system can be installed directly from FTP servers, after booting from a downloadable boot CD or floppy disk. Unlike the FreeBSD installer, OpenBSD does not provide any recommended partitioning scheme, so it is up to the users to set up disk partitions according to their needs. Needless to say, the installer is all text mode, but OpenBSD can serve as a full graphical desktop system as well; besides the rich ports collection available for our compiling pleasure, it also comes with over 2,300 binary applications, including XFree86 4.4, GNOME 2.4 and KDE 3.2, just to name a few desktop components, among the usual range of server software for every purpose.

In many ways, OpenBSD is one of the most remarkable projects in the history of UNIX. With support for 13 architectures and its emphasis on security and integrated cryptography, any system administrator that overlooks OpenBSD where server security is of paramount importance is not doing a proper job. Even if most of us prefer to run Linux on our servers and desktop, there is no doubt that OpenBSD has a rightful place in the OS ecosystem, and a rightful place in every UNIX sysadmin's toolbox.

Comments (17 posted)

Distribution News

OpenBSD 3.5 released

OpenBSD 3.5 is available; click below for the release announcement. This version includes, of course, more security work, along with x86_64 support, ARM support, a number of new device drivers, a reworked packet filter, and much more; see the announcement for details.

Full Story (comments: 7)

Mandrake Linux

MandrakeSoft has announced the release of Mandrakelinux 10.0 for the x86_64 architecture. "Mandrakelinux 10.0 for AMD64 delivers all the features and robustness of Mandrakelinux 10.0 Official to the 64-bit platform from AMD, with an average performance gain of 20% compared to the IA32 version."

Mandrakelinux 10.0 update advisories:

rpmdrake: When MandrakeUpdate was unable to retrieve the hdlist or the synthesis file from an update medium, it used to continue without alerting the user. Now MandrakeUpdate will alert the user and indicate to them to retry the operation later or to delete and re-add the medium in case the directory layout has changed.
shorewall: This new version of shorewall provides updated RFC1918 and bogons files that are needed for proper operation of the firewall.

Comments (2 posted)

Debian GNU/Linux

The Debian Weekly News for May 4, 2004 is out. This week's topics include the discussions about releasing sarge in light of recent editorial changes to the social contract and the proposed amendments that have followed; a short howto on installing Debian stable using Knoppix; and several others.

The Debian-Installer team has announced the fourth beta release of the Debian sarge installer. Improvements in this release include support for arm, hppa, and mipsel architectures bringing the total up to nine supported architectures; experimental support for the 2.6 kernel on i386; detection of existing operating systems; new translations; plus many bug fixes and user interface improvements.

This Bits from the DPL (Debian and OASIS) features a report from Mark Johnson, Debian's representative at OASIS (Organization for the Advancement of Structured Information Standards). "Through our membership we have direct influence into the process of standards development. This benefit has proved particularly beneficial in the development of the XML Catalogs specification. During a key period of work on this specification, two of the seven committee members were from the Debian project. As a result, the final specification will be more easily implementable on Debian than it otherwise might've been."

A DebConf4 schedule has been posted. A small budget was found to provide needy Debian developers with some help for their DebConf travel expenses.

Here's a brief guide on Migrating to Linux Kernel 2.6 in Debian. (Found on Debian Planet)