Re: [vox-tech] Re: OpenBSD and Security
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [vox-tech] Re: OpenBSD and Security
On Thu, Apr 12, 2001 at 06:21:40PM -0700, Adam Getchell wrote:
> > I don't see how this is true. Openbsd has the same security problems
> > in sendmail, named, openssh, ftpd that the rest of the distributions
> > have. Either they don't do line by line security audits of PORTS
> As I mentioned in my last message, sendmail and OpenSSH are audited parts of
> OpenBSD. Also, I think that ipf is better than ipchains for firewalling.
But somehow sendmail and openssh in openbsd have had security problems,
like I said before source code audits are hardly unique to openbsd, and
often major security problems sneak through.
> OpenBSD has been source code audited since the summer of 1996, patching
> basic software bugs and security flaws as a byproduct. Often, security
> exploits in Linux reported in BugTRAQ have been fixed months earlier in
I'd be interested in an example, most of the Bugtraq security problems
I've seen are fixed in redhat within 24 hours.
> > Openbsd has something like 25 security problems with 2.7:
> > http://www.openbsd.com/errata27.html
> RedHat 7.0 has 42:
Right, but redhat7.0 includes a huge number of packages, much more
> OpenBSD 2.8 has 12, and they're all fixed if you follow the patch branch:
> Granted, you could use RedHat update agent, but it crashes on me and I don't
> like paying monthly subscription fees.
Redhat updates are free for the ftp'ing. I never trusted an automated agent
to dither my files. I trust redhat, but not that much.
> The workflow on OpenBSD is much easier: install, install patches, configure
> functionality. You don't have to turn off networking services because
> they're not on by default.
Redhat asks. Workstation has few things configured, Server has more, of
course various versions of redhat would allow you to edit the runlevel
setup to start/stop anything you want anytime you want (before the install)
> SSH is already configured.
Same with redhat.
> You get an email of
> your file permissions and the changes that were made to secure the system --
Redhat had tripwire for tracking permission changes.
> really, have you installed OpenBSD to compare it with a Linux installation?
Nope, I'm all ears though, this is one of the reasons I'm participating
in the discussion.
> This is already setup in OpenBSD. When a file changes, root gets an e-mail
> about it. Under Linux, I had to install logcheck to get similiar
Well these kind of things are really an ugly hack that's not hard to
get around, but tripwire is setup for similar. I think there is a single
command to do this. But the only really secure way to do this is to
maintain the database on a secure machine, but then it becomes very
hard to prove that the program thats reporting these changes haven't
> Cryptography is integrated throughout OpenBSD. Under Linux, I had to install
[root@hyper bill]# rpm -qa | grep trip
> Anyways, to each their own.
Sorry, I'm not trying to rag on openbsd, just that most of the security
differences I see are part of a different philosophy, not any huge
difference in security. Source code audits are not unique, and redhat
does them as well. Most of the worst security exploits (remote root
exploits on popular network services) I've seen effect openbsd as well.
It's not the "core" of a distribution that often causes problems but the
standard applications/services that have historically been the problem.
Named, sendmail, ftpd, fingerd, ntpd, and friends.
I find openbsd appealing in it's simplicity, a smaller core to build on,
bsd has always been strong on networking, tcpip stack, etc.
To avoid the buffer overflow of the week kind of exploits it seems that
a different language would be required. Something that would make buffer
overflows impossible. Not that similar could not be grafted onto C, but
for now the only language I'm familiar with that achieves similar is Java.
Hrm, I haven't actually tried, is it impossible to overflow a perl buffer?
In any case from the sounds of it openbsd is a fine, reliable, secure
distribition. But for a given functionality you can do very similar by
just enabling (via point and click) the same services that openbsd is
running and as far as I can tell have no more or less security then