OpenBSD 6.0 has been released, with tones of improvements. They’re listing this one as one of the biggest changes:
In their latest attempt to push better security practices to the software ecosystem, OpenBSD has turned W^X on by default for the base system. Binaries can only violate W^X if they’re marked with PT_OPENBSD_WXNEEDED and their filesystem is mounted with the new wxallowed option. The installer will set this flag on the /usr/local partition (where third party packages go) by default now, but users may need to add it manually if they’re upgrading. More details can be found in this email. If you don’t use any W^X-violating applications, you don’t need the flag at all.
I ran current for a while without mounting /usr/local wxallowed and did not have any issues. Mostly base with Firefox and a few small apps which did not cause problems.
Went to Release and then Stable a few nights ago. Lots of big changes coming. No more releases on CD, and llvm was imported into base this morning.
Mtier provides free binary updates to stable ports and base system patches if you want to go that route. It’s really a simple system to maintain.
https://marc.info/?l=openbsd-ports&m=147060153102724&w=2
Why does Mozilla stuff need W|X?
http://www.tedunangst.com/flak/post/firefox-vs-rthreads
“…Clearly the reason it takes me thirty seconds to view a single tweet was idiot kids and their infernal javascript frameworks. ”
;D
I didn’t see any mention of Write XOR Execute in that link or the rthreads one it linked to.
kwan_e,
I think an application should have a way to override this. The insecurity that the W^X policy fixes stems from insecure languages, but it can be used legitimately as well.
In the case of Mozilla it might have to do with javascript compilation.
Edited 2016-09-04 14:29 UTC
So any JIT compiler would need to bypass W^X?
kwan_e,
Yeah, it could be useful for JIT compiled scripting languages or virtualization. Sometimes programs in the demo-scene build code on the fly.
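What the article’s W^X rule and the JIT question above come down to in practice, as an added example that is not from the article, the OpenBSD project or any real JIT: a page may be writable or executable, never both at once. A JIT that plays by that rule writes its code into a read/write mapping and then flips the page to read/execute with mprotect(2) before calling into it. The code below assumes a POSIX system on x86_64 or aarch64 (the machine-code bytes are constructed by hand); the probe treats ENOTSUP, EACCES and EPERM from a RWX mmap as "refused", which is my reading of the OpenBSD behaviour, not something the article states.

```c
/* Added example: W^X-compliant JIT pattern plus a probe for whether the OS
 * allows a simultaneously writable+executable page. Not from the article,
 * OpenBSD, or any real JIT. Assumes POSIX on x86_64 or aarch64. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif

typedef int (*jit_fn)(void);

/* Returns 1 if the kernel hands out a RWX anonymous mapping, 0 if it refuses
 * (W^X enforced: assumed to show up as ENOTSUP/EACCES/EPERM), -1 otherwise.
 * On OpenBSD 6.0 this is what a binary without PT_OPENBSD_WXNEEDED, or one
 * on a filesystem not mounted wxallowed, runs into. */
int rwx_mapping_allowed(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return (errno == ENOTSUP || errno == EACCES || errno == EPERM) ? 0 : -1;
    munmap(p, len);
    return 1;
}

/* Emit "return value" as host machine code (bytes constructed by hand).
 * Returns the number of bytes written, 0 on an unsupported architecture. */
static size_t emit_return_const(uint8_t *buf, int value)
{
#if defined(__x86_64__)
    buf[0] = 0xB8;                  /* mov eax, imm32 */
    memcpy(buf + 1, &value, 4);     /* little-endian immediate */
    buf[5] = 0xC3;                  /* ret */
    return 6;
#elif defined(__aarch64__)
    uint32_t insn[2];
    insn[0] = 0x52800000u | (((uint32_t)value & 0xFFFFu) << 5); /* movz w0, #imm16 */
    insn[1] = 0xD65F03C0u;                                       /* ret */
    memcpy(buf, insn, sizeof insn);
    return sizeof insn;
#else
    (void)buf; (void)value;
    return 0;
#endif
}

/* W^X-friendly JIT: write into a RW page, then switch it to RX before
 * executing. The page is never W and X at the same time, so no
 * PT_OPENBSD_WXNEEDED marking or wxallowed mount is needed for this.
 * Returns the jitted function's result, or -1 on failure (use value >= 0). */
int jit_return_const(int value)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANON, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    size_t n = emit_return_const(page, value);
    if (n == 0 || mprotect(page, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, len);       /* write dropped before exec is added */
        return -1;
    }
    __builtin___clear_cache((char *)page, (char *)page + n); /* needed on aarch64 */
    jit_fn fn;
    memcpy(&fn, &page, sizeof fn);   /* data -> function pointer without a cast warning */
    int result = fn();
    munmap(page, len);
    return result;
}

int main(void)
{
    int rwx = rwx_mapping_allowed();
    printf("RWX mapping: %s\n", rwx == 1 ? "allowed" : rwx == 0 ? "refused (W^X)" : "error");
    printf("jit_return_const(42) = %d\n", jit_return_const(42));
    return 0;
}
```

On a host enforcing W^X the first line reports "refused" while the JIT call still returns 42; that is the difference between a program that needs the WXNEEDED/wxallowed exception and one that does not. A JIT that must patch already-executable code has to flip the page back to RW first (or keep a separate RW alias), which is why some of the ports listed below were simpler to mark than to fix.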
I’m reading the email thread, and here are some examples I see:
https://marc.info/?l=openbsd-ports&m=147060153102724&w=2
databases/hs-postgresql-simple ghc
devel/darcs ghc
devel/hs-fgl ghc
devel/jdk/1.7 java
devel/xulrunner/24 xpcshell
lang/libv8 mksnapshot
lang/node mksnapshot
lang/pypy pypy
lang/sbcl sbcl
mail/mozilla-thunderbird xpcshell
www/seamonkey xpcshell
lang/mono mono-boehm
WebKit-1.0
WebKit-3.0
php
@bin bin/mongo
@bin bin/mongod
@bin bin/mongoperf
@bin bin/mongos
@bin bin/mongosniff
PyQtWebkit
Qt5Webkit
py-cryptography
gamma
gengal.bin
haddock
idlj
native2ascii
rmic
uno.bin
They also discuss an issue where the WX flag applied to the executable has the wrong granularity, meaning you have to mark your executable WX even if the executable itself doesn’t violate W^X but the libraries you link to do.
Edited 2016-09-04 18:32 UTC
I am going to try 6.0 out as a workstation again. I’ve been using Fedora as a *nix workstation mainly due to web browsing sucking because of rthreads.
Then you really want -current. The malloc improvement for multi-threaded apps that went in a week ago makes quite a bit of a difference.
Thom —
I believe you made a typo in your article, it should be “tons” not “tones”
Or “tonnes” more likely.
Well is it an imperial number of improvements (tons) or metric (tonnes)?