OpenBSD strives to be the most secure UNIX derivation. Design principles, such as code auditing, extensive use of encryption, and careful configuration choices, combine to ensure OpenBSD’s secure by default philosophy holds true. This article gives you a close look at the operating system so secure that it was once banned for use in a DEF CON competition, where crackers go after each other’s systems.
While the OpenBSD team appears to be most concerned with security, much of that is a natural byproduct of a struggle towards correctness. That’s the beauty of OpenBSD — not merely that it is secure, but that it is designed to be clean, comprehensible, and correct from the ground up. That includes drivers — no binary blobs here.
Others could take a hint.
Edited 2006-08-12 19:39
Ohers could take a hint?
You talking to me? You must be talking to me! You trying to start trouble? F-you!
Certainly agree – I wish there really was more concern about security for Linux kernel not just addon projects to patch things .
The constant security anouncements for the kernel (& the rest) constantly remind me of the lack of security focus in Linux & how OpenBSD has the philosophy Id actually like to see in Linux .
I guess that it is ,like bug fixing ,another one of these things less rewarding than adding fancy new features.
The “Linux is secure mantra” is kind of hollow with constant security advisories compared to OpenBSD & exploits which are possible on Linux ,OSX & Windows.
Just IMO
I submit that there is a problem space, with reasonable tradeoffs in several dimensions, and that the whole FOSS realm is better for having a spectrum of approaches.
OpenBSD, in my admittedly brief experience, can be very finecky about the hardware in use. A choice in favor of OpenBSD might be a choice against that really cutting-edge hardware. Truly, YMMV.
The “Linux is secure mantra” is kind of hollow with constant security advisories compared to OpenBSD & exploits which are possible on Linux ,OSX & Windows.
You are ignoring the context. The mantra you are talking about is just in relation to Windows. Im quite sure no one who knew what they were talking about was ever trying to suggust that it was perfect, or more secure than BSD.
how OpenBSD has the philosophy Id actually like to see in Linux .
If you compare FC5 and OpenBSD there’sn’t much difference when you do a non GUI install.
OpenBSD can’t possibly audit all the packages from ports only the default install which is pretty useless for a desktop.When you install more packages to make for example a somewhat equivalent desktop you are just as vulnerable as any other linux desktop with the same packages installed.Maybe more vulnerable because there’s a significant smaller team that audit.
Exellent secure server OS nonetheless.
hmm how can you say more vulnerable? even in ports w^x, propolice and other security enhancements applies.
you can even compile ports under systrace.
hmm how can you say more vulnerable? even in ports w^x, propolice and other security enhancements applies.
Because clearly,distilled from the reactions everything has a non-GUI priority.Nothing wrong with that,what’s the use of X on a router for example?
Due to a relativ small security staff they can’t apply their strict and thorough code analysis on everything but the base packages.So everything that’s beyond the borders of a default install is as vulnerable as any equivalent secure OS (FC for example with propolice,fortify source,SELinux,execshield).Maybe more because less people care about those extra packages like xorg and co.
If you stick to the main purpose of OpenBSD than you have in my opinion a very secure and exellent server OS.
Secure by default (for the default install).
xorg in openbsd is different from many major linux distro’s xorg. you’ll notice that privsep is included in openbsd xorgs.
i also remember the old xpm vulnerability in xorg that does not almost affect openbsd but affected almost all major linux distro.
and also the old font.aliases bug in xfree that can cause arbitrary execution on almost all linux distro (including fedora) but can only cause a crash in openbsd.
see, it is not as vulnerable as others.
Cool.Would be nice though if they would launch a desktop project:-),doubt that it will ever happen.
Agreed. However, in the spirit of “correctness matters,” it’s important to note that OpenBSD cannot rightfully be called the “Most Secure Unix OS.” Notably because it is not UNIX. It is UNIX-like, and provides many of the features that UNIX provides, but it does not comply with the Single UNIX Specification standards.
So, arguably, with only a handful of true UNIX operating systems left, such as: Mac OS X (which as of Leopard will be certified — see Apple website), Solaris, HP-UX, AIX, SCO UNIX, and maybe one or two others I can’t think of at the moment — which of those is the most secure? That would be a very interesting thing to find out.
While OpenBSD isn’t really UNIX, its contributions are certainly invaluable and its work should not be ignored .
Edited 2006-08-13 04:07
The “Single Unix Specification” has become about as relevent nowadays as the Common Desktop Environment (CDE)… Very few people care anymore. And really, the only reason OpenBSD and the other BSDs are not already certified is:
a. It costs ALOT of money.
b. The developers dont really care.
The differences between the different BSDs and different Linux distros is in reality quite a bit less than the differences between the different “blessed” versions of Unix… So what is the point of the standard? Posix compliance is much more important and pretty much all the BSDs and Linux manage to be pretty good about that.
Since my original comment was unfairly moderated, and people may want to know what this is in response to. Here is the original comment the poster responded to:
Agreed. However, in the spirit of “correctness matters,” it’s important to note that OpenBSD cannot rightfully be called the “Most Secure Unix OS.” Notably because it is not UNIX. It is UNIX-like, and provides many of the features that UNIX provides, but it does not comply with the Single UNIX Specification standards.
So, arguably, with only a handful of true UNIX operating systems left, such as: Mac OS X (which as of Leopard will be certified — see Apple website), Solaris, HP-UX, AIX, SCO UNIX, and maybe one or two others I can’t think of at the moment — which of those is the most secure? That would be a very interesting thing to find out.
While OpenBSD isn’t really UNIX, its contributions are certainly invaluable and its work should not be ignored .
Here’s his response, and mine:
The “Single Unix Specification” has become about as relevent nowadays as the Common Desktop Environment (CDE)… Very few people care anymore. And really, the only reason OpenBSD and the other BSDs are not already certified is:
That is far from true. The developers of OS’ like Linux in many cases have purposefully deviated from the standard. It may not matter to you, but whenever developers from *real* UNIX platforms try to compile and run their application, they discover that other OS’ such as OpenBSD, are not real UNIX because they do not provide completely compatible API implementations, or do not even implement specific parts of the standard!
a. It costs ALOT of money.
b. The developers dont really care.
[/i]
a) Yes, it costs a lot of money, but that’s not why they’re not compliant. Money is only needed for official certification, not for compliance.
b) This has become obvious, and is why it’s a lie to call them UNIX.
Posix compliance is much more important and pretty much all the BSDs and Linux manage to be pretty good about that.
That’s where they fall flat though. Linux, for example, is purposefully not fully POSIX compliant. Read discussions on the Linux kernel where Linus decided the standard was dumb and they decided to do their own thing. FreeBSD, etc. are *mostly* POSIX compliant, but partial compliance is only “good enough” — it isn’t enough to call them “compliant.”
This is a myth that needs to be busted. Linux and many other alternative OS’ are NOT fully POSIX compliant, are NOT UNIX, and likely will never be. There’s nothing wrong with that, but people need to stop spreading the myth that they are something that they are not.
Edited 2006-08-13 22:24
Okay: how about instead of calling it the “Most Secure Unix OS”, we simply call it the “Most Secure OS”?!
Sadly in their obsession towards “correctness” the rest of their system has become static. Their installer has always been a spartan CUI, the ports system is a standard BSD setup and updating the entire system is a total pain. What should be noted is that one must balance correctness (read: rigidity) with expansion (read: flexibility). It is not a binary choice, both must be paid attention to.
Now I’m not complaining about lack of eye-candy or happy GUIs to hold my hand, I’m just noting a lack of progress in logical features which benefit both the user and the administrator. That said, their security is still very impressive.
Quick rebuttal…
FWIW, I, and others, am quite pleased the installer can still fit on a single floppy and, while more people might not take advantage of it, you can also do a headless installation via a serial console—and I hope this doesn’t change in the future just to appease the fashion gods. This is one of the quickest installers I’ve ever used and, to be quite honest, it does exactly what an installer is supposed to do—get the OS on the box, quickly. If I want pretty things or feel like making massive customizations, I can easily do so after the OS is installed. So, many actually consider this installer far ahead in terms of “progress in logical features which benefit … the administrator”—OpenBSD has never been geared towards the users of Windows-land.
As for the ports systems, what more do you really want than “pkg_add [enter name of software package here]” and quickly watching the software and all its dependencies get downloaded and properly installed? How much easier can they make it? Windows doesn’t even do this.
And as for updating the entire system, I’ll concur, but I don’t consider it a “total pain.” OpenBSD is somewhat known for its lack of hand holding, but you are still only a quick “cvs sync,” recompilation of the kernel and recompilation of userland away from updating. So, there are three simple steps—which can be readily automated with a little scripting.
For the tasks and user base that OpenBSD is best suited for, there is consistent progress and “it Just Works” features throughout the OS. My proverbial two cents…
FWIW, I, and others, am quite pleased the installer can still fit on a single floppy and, while more people might not take advantage of it, you can also do a headless installation via a serial console—and I hope this doesn’t change in the future just to appease the fashion gods. This is one of the quickest installers I’ve ever used and, to be quite honest, it does exactly what an installer is supposed to do—get the OS on the box, quickly.
It’s a fast installer if you’ve used it about 10 times and thus are intimately familiar with it. For a newbie, it takes a couple of hours to pour through the documentation to figure out how to use it. It gets mind-blowingly complicated if you want to install OpenBSD on a hard drive to multiboot with other OSs. If you are willing to give it the entire hard disk (and I guess that’s what you do), then it isn’t as bad, but it’s hardly intuitive.
I see no reason why OpenBSD couldn’t have both – an easy-to-use text-mode installer (such as Slackware’s or Debian’s) plus the esoteric command line installer that you know and love. Installers don’t occupy that much disk space.
And OpenBSD does not fit on a single CD – last time I ordered it, I received three CDs, and needed two of them to get the apps installed, plus I had to download some more. But if fitting it on one disk is so important, why not consider making a DVD release? Then it wouldn’t be necessary to download so many ports to get a working desktop system.
I firmly believe that the Spartan installer cuts OpenBSD’s market share to about 1/10 of what it could be. A pity – it’s a good OS in many ways.
I firmly believe that the Spartan installer cuts OpenBSD’s market share to about 1/10 of what it could be.
Where did you get these figures from? Out of thin air, by any chance?
OpenBSD has a specific purpose and very limited resources. The small team of coders have to strictly prioritise their work. The installer works fine, so I would think redesigning it is pretty low on their ‘to do’ list.
Anyone who is put off using OpenBSD because they have to read the manual first is probably not someone who should be running it anyway – even if they completed an install they wouldn’t know what to do next without a wizard popping up.
I look at it significantly differently, the spartan installer as you call it, the clean and unbloated installer, is part of the reason the users of OpenBSD are not a gaggle of mindless GNUbies and Windrones filling the mailing lists with inane questions like why there isn’t a forum on the website. Your magical graphical installer? People even tried making one, google for GOBIE, noone liked it and noone wanted it, it was exactly what you are asking for and noone gave a crap.
My first install took 15 minutes, including download time, it was the first Unix I ever touched, how hard is it to hit enter?
OpenBSD isn’t trying to be 10 times as popular as it is now, it’s doing just fine for what it’s goals are. Things are done how the developers want and in no way whatsoever how users want them.
And yes, OpenBSD in it’s entirity fits on a CD, if you want packages and random nonsense like X that’s entirely up to you. Packages and X are not part of OpenBSD, they are provided for convenience.
I firmly believe that the Spartan installer cuts OpenBSD’s market share to about 1/10 of what it could be. A pity – it’s a good OS in many ways.
I agree with you.It’s a nobrainer to secure an OS with so little installed by default.Lets see if they could manage to keep the overall security as high as it is now, with a average desktop install.
A good GUI installer (fedora,opensuse) although i’m capable of doing everything from the cli makes me in my humble opinion more productive.Especially when making my raid partions,logical volumes,setting strides,etc.Why should i type a lot uneeded when the routine is a few clicks away?That doesn’t make the cli less usefull at all,i still consider it my best friend so to speak.
and an addition to what Bink has said, i think a simple steps like these:
export PKG_PATH=/path/or/url/to/new/packages
pkg_add -u -F upgrade
is not a painful way to upgrade packages.
and i think the openbsd team should not change their installer either. its small and fast. its very rational and logical, a simple understanding of the english language is all it takes to install openbsd. ports install can always be done after the base installation.
rest of the system become static? how? there’s many innovation happening in openbsd (e.g. pf, CARP, OpenBGPD, OpenVRRP, good wireless device support, etc.)
One other thing that this article doesn’t mention that is quite interesting is that OpenBSD’s implementation prevents arbitrary execution of memory even on hardware that doesn’t support the NX (no execute) bit. This is invaluable to help prevent buffer overflow exploits.
Fedora has that too amoung many other security features
http://fedoraproject.org/wiki/Security/Features
that’s also included in openbsd (and they’re the first to implement it on the base system as far as free unix-like os is concern e.g. propolice, nx bit), yes there may be pax or any other protections patches in linux but the question is “is it included in the base?”, the big answer is NO. if you want security, it must be from the base, from the ground up. (anyway i agree w/ you, fedora did a very good job in securing their distro). but other thing openbsd have that “might” not have on other major linux distros are the following:
W^X, .rodata segment, guard pages, randomized malloc()and mmap()
atexit() and stdio protection
privilege separation of common services “by default” (e.g. syslogd, dhcpd, tcpdump)
strlcpy() and strlcat()
chroot jailing of common services “by default” (e.g. httpd, bind)
and the constant code auditing (w/c i think linux does not have)
NX is a pretty old concept even in hardware ( VAX ) and like it was already mentioned OpenBSD is hardly the only OS to support it. Also while OpenBSD is very nice for firewalls and servers ( in most cases ) the security audits at the distro level are hardly what needs to be done. This results in a slow distribution cycle and old versions of pretty much ever software gets included. Now this might be now that big of a deal with web admins but as a developer I would surely like to use gcc 4.x ( and it is stable and secure enough ).
But I must admit that while I don’t use OpenBSD on my workstation it is on my firewall/router …
a new release every 6 months is fast enough for me and you can always use gcc4 from ports.
hmm older software? i think debian stable is using older softwares than openbsd stable branch
Old versions? What are you talking about? What do you prefer, the latest Apache from the Apache FTP Server or the “audited, patched, fixed” older version that comes with OpenBSD that “serves its purpose well”.
The goal is to provide SECURE software, not the latest; many of the patches OpenBSD produces are not accepted by the original developers of the piece of software, so until that happens, they refuse to include a newer “unsecure” piece of software.
Apache is a very nice example of that…
No, Apache not being updated is because of the disgusting mess of a licence that Apache now uses. The security patches being ignored was why the developers dislike the Apache project, not the reason they will never use any of their newer code.
LOL, you misunderstood me (or perhaps I expressed myself incorrectly).
I meant Apache Group won’t accept patches from OBSD group. And OBSD group won’t accept unpatched versions from Apache; then there’s the Licence issue which is for real… the new Apache 2.0 Licence is a “mess of a licence” (sic)
But there are other projects that could be used as an example, most “semi-important” pieces of software in OpenBSD (Apache, Bind, Samba, Sendmail, etc.) have OpenBSD Patches; some of these patches make it to the originals, some are not accepted… unfortunely.
Then we have the Licences issues, if it’s not really free, it won’t make it.
Then you have “old and huge” problems like the QMail story… but that’s another (long) story.
http://www.informit.com/articles/article.asp?p=439601&seqNum=3&rl=1
OpenBSD is the most secure OS out there.
And the biggest douche in the world runs it.
I’d say there’s some sort of relationship, kind of like moore’s law.
I mean, Ballmer seems like a cool guy, he’s amusing. Look at Microsoft’s security record with Windows.
Coincidence? You be the judge.
Ballmer always struck me as a twerp.
Certainly agree – I wish there really was more concern about security for Linux kernel not just addon projects to patch things.
The constant security anouncements for the kernel (& the rest) constantly remind me of the lack of security focus in Linux & how OpenBSD has the philosophy Id actually like to see in Linux
So what are you doing to help with the “problem”? If you are good at auditing code then please help out. There have been recent initiatives to find and squash bugs in the Linux kernel:
http://scan.coverity.com/
There is a quote in chapter four of `Absolute OpenBSD: Unix for the Practical Paranoid` by Michael W. Lucas that I like. “Blowfish and penguin arguing over fridge space roommates most vexing”.
I use both BSD and Linux. It really depends on what the customer wants. OpenBSD fits its roles extemely well, and, imagine this, even makes a great desktop.
I have found that 90% of Windump users, which is a huge group, could not backup up their systems and expect miracles, which we in the BSD, Linux, MacOSX, and *nix, perform daily for them, on their systems.
Keep up the excellent work OpenBSD and ignore all morons.
Edited 2006-08-13 15:48
“Their installer has always been a spartan CUI,”
And? Maybe it’s by choice because many people, including me, like that? I’d call it streamlined.
“the ports system is a standard BSD setup”
How exactly is this a disadvantage?
“updating the entire system is a total pain.”
As someone who actually do update and maintain numerous OpenBSD system I can say that it’s not a pain.
“OS’ such as OpenBSD, are not real UNIX because they do not provide completely compatible API implementations, or do not even implement specific parts of the standard!”
Not being certified does not mean it’s not compliant.
“but partial compliance is only “good enough” — it isn’t enough to call them “compliant.”
The certified commercial *nixes aren’t 100% compliant either.