Limitations vs. the competition

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Limitations vs. the competition

Justina Colmena
I have migrated from OpenBSD to Fedora for a couple of reasons -- and
these may be outdated, as it has been a while. The issues with OpenBSD
that I ran into personally were as follows

 * limited Unicode / UTF-8 support in OpenBSD: this was an issue
   especially for installing databases such as MySQL and PostgreSQL
   because there were no good sorting routines available for the
   non-ASCII characters which are used in almost all languages except
   rudimentary American English.

 * the race conditions that were documented at one time in systrace,
   the disappearance of that utility in OpenBSD, and the lack of its
   development into anything similar to NSA's SELinux, with the detailed
   security policies that are developed for different applications and
   services -- such mandatory access control policies, effectively
   enforced, for example, theoretically make chroot totally unnecessary
   to secure apache httpd.

 * lack of support as a virtualization host -- this need not be the job
   of OpenBSD per se, but perhaps a very lightweight, very secure
   hypervisor, such as sel4 https://sel4.systems/ for example, could
   be run with OpenBSD as its main guest and used to conrol other
   guests under virtualizaton.

I do want to mention, though, that vultr.com offers as one of its
options VPS preinstalled with OpenBSD.  I realize that OpenBSD is free
software and a great O/S, but there is always room for development and
improvement, and I just want to offer these points for discussion and
debate.

I'd like to get back into OpenBSD, especially if there are ideas to
mitigate some of these issues.  It would also be interesting if the
OpenBSD team could point out any flaws in SELinux similar to the ones
they experienced with systrace.

Reply | Threaded
Open this post in threaded view
|

Re: Limitations vs. the competition

Austin Hook-2

My take on the philosophy of OpenBSD:

Along with "security first", essentially OpenBSD is the by product of
whatever it is that it's developers have found interesting to work on.  
Features that have security holes will be dropped whenever discovered,
until some developer finds it interesting to work on them.

Of course some reward might also help a developer find something
interesting.  That has been known to happen.

So, I think, either donating money, employment, or code, or some kind of
resource is the answer, each time you find something almost good enough
about OpenBSD.  Otherwise feel free to use other tools if you need them.

There really is no competition in the sense you are thinking.  The one
place there might be competition, is finding the clarity of great
documentation and clean secure code to surround your own efforts as you
invest your time beside it.

ALH

On Sat, 14 Oct 2017, Justina Colmena wrote:

> I have migrated from OpenBSD to Fedora for a couple of reasons -- and
> these may be outdated, as it has been a while. The issues with OpenBSD
> that I ran into personally were as follows
>
>  * limited Unicode / UTF-8 support in OpenBSD: this was an issue
>    especially for installing databases such as MySQL and PostgreSQL
>    because there were no good sorting routines available for the
>    non-ASCII characters which are used in almost all languages except
>    rudimentary American English.
>
>  * the race conditions that were documented at one time in systrace,
>    the disappearance of that utility in OpenBSD, and the lack of its
>    development into anything similar to NSA's SELinux, with the detailed
>    security policies that are developed for different applications and
>    services -- such mandatory access control policies, effectively
>    enforced, for example, theoretically make chroot totally unnecessary
>    to secure apache httpd.
>
>  * lack of support as a virtualization host -- this need not be the job
>    of OpenBSD per se, but perhaps a very lightweight, very secure
>    hypervisor, such as sel4 https://sel4.systems/ for example, could
>    be run with OpenBSD as its main guest and used to conrol other
>    guests under virtualizaton.
>
> I do want to mention, though, that vultr.com offers as one of its
> options VPS preinstalled with OpenBSD.  I realize that OpenBSD is free
> software and a great O/S, but there is always room for development and
> improvement, and I just want to offer these points for discussion and
> debate.
>
> I'd like to get back into OpenBSD, especially if there are ideas to
> mitigate some of these issues.  It would also be interesting if the
> OpenBSD team could point out any flaws in SELinux similar to the ones
> they experienced with systrace.
>

Reply | Threaded
Open this post in threaded view
|

Re: Limitations vs. the competition

andrew fabbro
In reply to this post by Justina Colmena
> On Sat, Oct 14, 2017 at 9:27 AM, Justina Colmena <[hidden email]> wrote:
> I have migrated from OpenBSD to Fedora for a couple of reasons -- and
> these may be outdated, as it has been a while.

I take it "a while" has been quite a while - ?
 
>  * limited Unicode / UTF-8 support in OpenBSD: this was an issue
>    especially for installing databases such as MySQL and PostgreSQL
>    because there were no good sorting routines available for the
>    non-ASCII characters which are used in almost all languages except
>    rudimentary American English.

OpenBSD has supported UTF-8 since...2010ish?  A long time.

>  * the race conditions that were documented at one time in systrace,
>    the disappearance of that utility in OpenBSD, and the lack of its
>    development into anything similar to NSA's SELinux, with the detailed
>    security policies that are developed for different applications and
>    services -- such mandatory access control policies, effectively
>    enforced, for example, theoretically make chroot totally unnecessary
>    to secure apache httpd.

This could be rephrased as Linux's lack of development of anything similar to pledge :-)  If you missed pledge, Theo has several talks on YouTube about it, e.g.:

2015: https://www.youtube.com/watch?v=F_7S1eqKsFk

2017: https://www.youtube.com/watch?v=FzJJbNRErVQ

What is your ultimate goal?  A secure system?  There are numerous security features that OpenBSD has that Linux doesn't have and refuses to add.  Does Linux have pledge?  Random PIDs?  Does it use arc4random all over the place because it can?  Which platform would you say has a more robust set of memory protections?  You could probably go to openbsd.org/security.html and use it as a checklist of security features missing in other operating systems.

Maybe for your needs, SELinux is a better choice but personally, it's all theory until someone's knocking on the door, and OpenBSD has more than proven itself in that context.  Certainly, OpenBSD has the better track record.

A picture is worth a thousand words...no idea what the animated gif exchange rate is, but this has always summed it up for me re: OpenBSD security:

https://securityreactions.tumblr.com/post/80685010067/that-one-openbsd-box-during-the-pentest
 
>  * lack of support as a virtualization host -- this need not be the job
>    of OpenBSD per se, but perhaps a very lightweight, very secure
>    hypervisor, such as sel4 https://sel4.systems/ for example, could
>    be run with OpenBSD as its main guest and used to conrol other
>    guests under virtualizaton.

OpenBSD has had native support for running as a VM host officially since 6.1 earlier this year: http://man.openbsd.org/vmm.4

To be fair, OpenBSD developed its support for VM hosting a lot later than other projects.  That's just the nature of having a smaller team - they can't focus on everything concurrently.  But it's been in the works since 2015: https://undeadly.org/cgi?action=article&sid=20150831183826

You can use vmm to run OpenBSD, Linux, etc. guests.  E.g.: https://medium.com/@dave_voutila/docker-on-openbsd-6-1-current-c620513b8110

> I do want to mention, though, that vultr.com offers as one of its
> options VPS preinstalled with OpenBSD.

BTW, you can actually run OpenBSD on any VM/VPS provider that offers KVM.  There's nothing special about Vultr other than that they streamline the install.  Nothing against them and they're a fine provider, but it's trivial to run OpenBSD on thousands of VM providers.  Typically you mount the ISO in the provider's Solus (or whatever) control panel, boot off it in the console, and then it's a standard bsd.rd install.


--
andrew fabbro
[hidden email]


Reply | Threaded
Open this post in threaded view
|

Re: Limitations vs. the competition

Justina Colmena
On Sun, 15 Oct 2017 05:59:14 -0700
Andrew Fabbro <[hidden email]> wrote:

> OpenBSD has supported UTF-8 since...2010ish?  A long time.

point taken. yes, it may have been that long... I may have to try it
out again and report back since i do need another virtual server for a
database anyways, as i have too much other "stuff" running on my present
server.

> ... Linux's lack of development of anything
> similar to pledge :-)  If you missed pledge, Theo has several talks
> on YouTube about it, e.g.:
>
> 2015: https://www.youtube.com/watch?v=F_7S1eqKsFk
>
> 2017: https://www.youtube.com/watch?v=FzJJbNRErVQ
>
> What is your ultimate goal?  A secure system?  There are numerous
> security features that OpenBSD has that Linux doesn't have and
> refuses to add.  Does Linux have pledge?  

pledge is well and good, and definitely to be commended, but from my
understanding that is an internal security feature for a program to
secure itself, not to provide an extra layer of security on third-party
programs (ports) which the OpenBSD team does not necessarily have the
time to audit or the clout to effect upstream security patches,
especially for openbsd-specific improvements.

the selinux security policies

> Random PIDs?

these are definitely an option in the Linux kernel, with or without
SELinux. i am not really sure why the distributions don't enable them by
default, but at the same time i am not sure of the importance of the
ability to guess a process' PID versus the permission of any user to
view a complete ps listing.

> OpenBSD has had native support for running as a VM host officially
> since 6.1 earlier this year: http://man.openbsd.org/vmm.4

that is very new then, awesome!

> BTW, you can actually run OpenBSD on any VM/VPS provider that offers
> KVM.  There's nothing special about Vultr other than that they
> streamline the install.  Nothing against them and they're a fine
> provider, but it's trivial to run OpenBSD on thousands of VM
> providers.  Typically you mount the ISO in the provider's Solus (or
> whatever) control panel, boot off it in the console, and then it's a
> standard bsd.rd install.
 
yes and I have. i just noticed and i thought it worth mentioning that
that particular provider now has a convenient preinstalled image for
OpenBSD, (whereas before i installed it just as you described.)

unfortunately, i am on a budget, so i bought a cheap laptop for <$200,
kicked windows 10 and office 365 off and installed fedora linux,
because openbsd does not support the hardware on it. however i
certainly can run openbsd as a vm guest on this laptop when i have the
time to experiment with it -- 4g memory and 4 cores amd64 -- otherwise
a rather basic barebones model, no bluetooth, no cdrom.

funny story, i bought the laptop at target downtown seattle, and as
soon as i got online with linux, i bought a cheap plane ticket to
anchorage leaving that evening, and i skipped town to get away from
that marijuana-dealing city attorney who was filing false criminal
charges against me

http://blogs.seattletimes.com/pot/2014/07/11/city-attorney-pete-holmes-apologizes-for-taking-pot-to-work/

having me falsely committed to the state insane asylum in steilacoom,
where they threw a chair at me clear from redmond, and so on and so
forth. people these days are just so amazingly complicit in organized
crime, in total denial of the holocaust-level white nationalist war
crimes taking place, while doing absolutely nothing to stop such crimes.

"HP Notebook Model 14-an012nr"
"Realtek Radio Model RTL8188EE"