[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: will switching to OpenBSD be easy?



> > I dunno.  I keep running into security things that affect BSD's
> > but not OpenBSD. 
> 
> Sometimes it's the other way around. For example, the root hole in
> OpenBSD ftpd that was patched earlier this month did not affect
> FreeBSD.

Yeah. It shows what the addition/removal of one little "feature" (in
this case, printing the directory name in the creation succeeded
message) can do. But that was a legitimate hole (that also affected
linux ports of the openbsd ftpd).

> > The first one, that made me the OpenBSD
> > convert, was a big set of holes in LPD.
> 
> >From '97? Have there been lpd holes since?

Recent LPRng holes (which is what FreeBSD uses)

> 
> > Those buffer overflows
> > had been removed from OpenBSD's stuff just because it was wrong
> > - the exploit came much later.
> 
> [snip]
> 
> > Today's procfs warnings give me pause once again.
> 
> The one thing about OpenBSD that sometimes makes me wonder, and this
> may be flame bait, is how quiet the fixes are. Maybe I just don't look
> in the right places, but the procfs bugs, local root exploits, in
> FreeBSD announced recently were _really_ noisy, whereas the patch of
> the remote root exploit for OpenBSD ftpd earlier this month was
> quiet (or at least I did not hear much besides a little note in the
> errata). I hope you are not running a release-version OpenBSD ftpd.

I consider this flamebait, in a way, just because Theo and the OpenBSD
team have recently started doing The Right Thing (tm) when it comes to
exploitable errata. Subscribe to security-announce. It was used for
both the ftpd and the kerberos vulnerabilities.

This hasn't always been the case, which is why discouraging remarks
make me jump a little more than normal. The most you can say is that
the security-announce list is not cc:d to ten other lists. However, I
think its reasonable to require people who want security announcements
to sign up for one more, extremely low traffic list.

> Your points do have valdity. If there is some feature in one brand of
> *BSD that you want, you should use it. And OpenBSD did do the code
> audit and caught a lot of base system bugs that other *BSD's are only
> now catching up with. But I would tend to stick with my assertion that
> as far as security goes, if you already know the steps for setting up
> a secure system, stick with the one you know best and feel comfortable
> with.

This is very much true in the general sense. The OpenBSD approach,
however, is to create a system that doesn't NEED to be secured. Out of
the box, it can boot on a network and not be exploited. This has been
the case (taking into account the most current released version of
OpenBSD) for 3 years now.

But yeah, if you're going to be running imap and imp and pop and shell
access and for whatever reason it makes you more comfortable to secure
all of that on a Linux box, then thats what you should do. I find the
actual securing and auditing of services is just as easy on OpenBSD.
but maybe thats just me ;)

> -- 
> Crist J. Clark                           cjclark_(_at_)_alum_(_dot_)_mit_(_dot_)_edu

jeff



Visit your host, monkey.org