OpenBSD 3.5: a peek at another free Unix [LWN.net]

May 5, 2004

This article was contributed by Ladislav Bodnar

After reading LWN's recent coverage of SELinux and its implementation in the development releases of Fedora Core 2, several readers expressed disappointment about the complexity associated with this new security model: "SELinux may give administrators extra flexibility, and add some extra 'layers' of protection for critical files, but security pros usually consider complexity to be the enemy of good security - and this system is nothing if not complex," wrote one reader. Still, with several attacks on high-profile Linux servers during 2003, many system administrators are evaluating various security solutions for their mission-critical servers and firewalls. Those of them who are prepared to look beyond Linux might find that OpenBSD is exactly what they need.

Initiated by Theo de Raadt back in 1996, OpenBSD's primary goal is to build a free and highly secure operating system. The developers pride themselves for a remarkable achievement of eight years with only a single remote hole in the default install. Although OpenBSD doesn't support nearly as many processor architectures as NetBSD, its original parent, the latest release of OpenBSD is available for 13 platforms, including Alpha, AMD64, PowerPC, SPARC, as well as i386. But despite fundamental technical differences between Linux and BSD, a system administrator familiar with Linux will find it relatively easy to administer an OpenBSD box, especially after reading the project's online manual (which includes a section about migrating from Linux to OpenBSD), or the superb Absolute OpenBSD by Michael W. Lucas.

How is security in OpenBSD better than in other UNIXes? Let's take a look at some of the more interesting features found this BSD flavor: file flags, securelevels and systrace.

File flags. File flags are an OpenBSD concept enhancing the traditional UNIX file system permissions. Once applied to a file, the flag will either prevent a user, including root, from removing or modifying the file in any way (the schg flag), or will only allow appending new lines to the file (the sappnd flag). A good example of the effectiveness of this concept is making the the entire /bin directory recursively immutable with the schg flag; once applied, it will be very hard for an attacker to place a trojan into the directory. On the other hand, the append-only sappnd flag is often used on log files to prevent potential intruders from covering their tracks. Besides system-level flags available to root only, similarly structured user-level flags allow users to set append-only or immutable flags on files they own.
Securelevels. The concept of file flags works in conjunction with OpenBSD's securelevels, of which there are four: -1, 0, 1 and 2. As soon as a file flag is set, it cannot be removed unless the system is in securelevel 0 or -1. To extend the example from the previous paragraph about making the /bin directory immutable, what happens if an executable file in the same directory needs to get a security patch, but the system is in securelevel 1 or 2? In this case, the system administrator will have to lower the securelevel in the BSD kernel by rebooting the system (while the system is running, the securelevel can be raised, but not lowered). As this example illustrates, the introduction of securelevels can prevent some common security exploits, but as a trade-off, it makes the system less flexible, especially when it comes to patching or upgrading applications.
Systrace. OpenBSD's systrace, a policy-based system call access manager, is conceptually similar to SELinux. Like SELinux policies, the systrace policies define which users and programs can access which files and devices in a manner completely independent of UNIX permissions. Proper use of systrace can greatly reduce risks associated with poorly written or exploitable applications. While defining systrace policies is not a simple task, it has been made more palatable by the fact that systrace has been around for a long time and there are many online repositories with systrace sample policies (see the interestingly named Project Hairy Eyeball as an example). Also, systrace includes a policy-generation tool listing every system call available to the application for which the policy is being generated. Although an experienced system administrator could probably still tighten the security of the system by refining the default policy generated by the tool, the defaults are often secure enough for most uses.

OpenBSD 3.5 was released last weekend, following a predictable twice-a-year release pattern. As always, the complete ISO image sets of OpenBSD releases are only available from the project's online store ($40), but the operating system can be installed directly from FTP servers, after booting from a downloadable boot CD or floppy disk. Unlike the FreeBSD installer, OpenBSD does not provide any recommended partitioning scheme, so it is up to the users to set up disk partitions according to their needs. Needless to say, the installer is all text mode, but OpenBSD can serve as a full graphical desktop system as well; besides the rich ports collection available for our compiling pleasure, it also comes with over 2,300 binary applications, including XFree86 4.4, GNOME 2.4 and KDE 3.2, just to name a few desktop components, among the usual range of server software for every purpose.

In many ways, OpenBSD is one of the most remarkable projects in the history of UNIX. With support for 13 architectures and its emphasis on security and integrated cryptography, any system administrator that overlooks OpenBSD where server security is of paramount importance is not doing a proper job. Even if most of us prefer to run Linux on our servers and desktop, there is no doubt that OpenBSD has a rightful place in the OS ecosystem, and a rightful place in every UNIX sysadmin's toolbox.

(Log in to post comments)

OpenBSD 3.5: a peek at another free Unix

Posted May 6, 2004 4:34 UTC (Thu) by gte223j (subscriber, #6492) [Link]

this was a very good article Ladislav, I really enjoy reading your stuff here and on distrowatch. i would like to point out a point of disagreement though

you said

"the system administrator will have to lower the securelevel in the BSD kernel by rebooting the system"

this may be true to some degree, however, all you have to do is go to run level 1 (single user console mode) by typing "kill -15 1" once in runlevel 1, all you have to do is edit the /etc/rc.securelevel to whatever(-1,0,1) and then type exit to return to runlevel 5. you will then notice that you are in whatever runlevel that you specified in the file:-)

and some people might say that this is similar to a reboot and i would say that pf is still routing traffic!!!!!!!!! and the network stays up!!!!

i have two scripts (syslock, sysunlock) that i use for my firewall/router. i simply execute the syslock script which recursively sets the schg flag for lots of directories, bumps up the securelevel 1->2 and then edits the /etc/rc.securelevel to reflect this. the sysunlock does the same things in reverse, unlocks the filesystem and then lowers the secure level to 1. i have to run the sysunlock script in single user though. but upon exiting to run level 5 everything is as it should be, an unlocked filesystem and a securelevel of 1

thanks for writing a wonderfull article, i really love your distrowatch site and am quite pleased that you decided to include *bsd :-)

oh yeah, i forgot to mention that i too own "Absolute OpenBSD" and absolutely love it. whenever i'm playing with my firewall/router away from my linux boxen i always have that book close by:-)

Brian P.

Linux has file-flags too

Posted May 6, 2004 12:45 UTC (Thu) by eru (subscriber, #2753) [Link]

The point was not just having file flags (or file attributes) but their interaction with the securelevels. From Linux "man chattr" (on RH 7.3):

A file with the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser can set or clear this attribute.

So a cracker who acquires root privileges can change it. On OpenBSD (and FreeBSD) to "lock down" critical files, you set the immutable flag and then raise the securelevel. After this not even the root can change the file without a reboot. A feature I would like to see in Linux as well.

Linux has file-flags too

Posted May 6, 2004 17:03 UTC (Thu) by gte223j (subscriber, #6492) [Link]

you said

"After this not even the root can change the file without a reboot."

all you have to do is go to run level 1 (single user console mode) to change the imuutable flags and file(s), in linux you just have to be root to run chattr.

Linux has file-flags too

Posted May 6, 2004 17:17 UTC (Thu) by jstrand1@rochester.rr.com (guest, #6394) [Link]

"all you have to do is go to run level 1 (single user console mode) to change the imuutable flags and file(s), in linux you just have to be root to run chattr."

This (IMO) downplays the added security. Openbsd requires physical access to use the machine in console mode-- in linux, root remote access is enough.

Linux has file-flags too

Posted May 6, 2004 19:32 UTC (Thu) by flewellyn (subscriber, #5047) [Link]

"Openbsd requires physical access to use the machine in console mode-- in linux, root remote access is enough."

This is true, except that with at least some versions of login, you can use the file /etc/securetty to specify which terminals root is allowed to log in from. And you can restrict ssh so that it does not allow root access from anywhere. This can help reduce the vectors for getting a root login. It won't help with privilege escalation bugs, but there are at least some measures in place.

Linux has file-flags too

Posted May 8, 2004 6:34 UTC (Sat) by tzafrir (subscriber, #11501) [Link]

So if a problem is discovered in one of the binaries in /bin the only way to update it is by rebooting?

Linux has file-flags too

Posted May 9, 2004 22:13 UTC (Sun) by sweikart (subscriber, #4276) [Link]

> ... the superuser can set or clear [immutable/append-only attributes].

With a Linux kernel, you can prevent clearing these flags by dropping CAP_LINUX_IMMUTABLE from the Capability Bounding Set by doing:

  echo 0xFFFEFFFF ?> /proc/sys/kernel/cap-bound

And, to make the Linux kernel more secure then the similar OpenBSD setup, you can also drop CAP_SYS_MODULE and CAP_SYS_RAWIO (and similar capabilities). For a good description, see "Fun with the capability bounding set" at

  http://lwn.net/1999/1202/kernel.php3

Linux has file-flags too

Posted May 9, 2004 22:28 UTC (Sun) by sweikart (subscriber, #4276) [Link]

> With a Linux kernel, you can prevent clearing these flags by
> dropping CAP_LINUX_IMMUTABLE from the Capability Bounding Set
> by doing:
>
>  echo 0xFFFEFFFF ?> /proc/sys/kernel/cap-bound

Oops, I copied this line of code from the LWN article, and forgot to change it to drop CAP_LINUX_IMMUTABLE (the example above drops CAP_SYS_MODULE). To drop CAP_LINUX_IMMUTABLE, do

  echo 0xFFFFFDFF ?> /proc/sys/kernel/cap-bound

OpenBSD 3.5: a peek at another free Unix

Posted May 6, 2004 12:20 UTC (Thu) by oseemann (subscriber, #6687) [Link]

for a more complete overview of openbsd's security features see:

http://www.openbsd.org/security.html

excerpt:

overflow protection with W^X and ProPolice

heavy use of random numbers (for process IDs, port numbers, ...) making it more difficult to predict sensitive information (like with the recent tcp vulnerability)

extensive code audits, use of secure string operations (like strlcpy, yeah they go through *all* the code and replace functions where necessary)

privilege separation for sshd, named, isakmpd, ...

what i like is that the complete system is relatively compact. it comes from one cd and uses only a few hundred MBs. security patches are transparent (patch && make). the documentation is very good.

on the bad side is that the performance is not as fast as on linux/freebsd (personally, not a problem for me. it's doing fine on a 200mhz, 32mb machine as a firewall, router). and much of the software comes by default in old (but stable, relatively secure) versions.