LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Other *NIX Forums > *BSD
User Name
Password
*BSD This forum is for the discussion of all BSD variants.
FreeBSD, OpenBSD, NetBSD, etc.

Notices


Reply
  Search this Thread
Old 01-06-2023, 08:59 PM   #1
DracoSentien
LQ Newbie
 
Registered: May 2019
Location: Bronx New York
Distribution: Debian
Posts: 27

Rep: Reputation: Disabled
OpenBSD on Thinkpad


So, I have a netbook with debian testing (bookworm) on it. I use it for applications I don't want to run on OpenBSD e.g. the clusterfuck Calibre w/ plugins to strip DRM off ebooks etc... but I could do that with Windows albeit with it spying on me.

However, my OpenBSD laptop is my daily driver :

Quote:
Lok Technologies , a San Jose, Calif.-based maker of networking gear, started out using Linux in its equipment but switched to OpenBSD four years ago after company founder Simon Lok, who holds a doctorate in computer science, took a close look at the Linux source code.

"You know what I found? Right in the kernel, in the heart of the operating system, I found a developer's comment that said, 'Does this belong here?' "Lok says. "What kind of confidence does that inspire? Right then I knew it was time to switch."
https://www.forbes.com/2005/06/16/li...h=1b3bf375171d

That was in 2005 but fast forward to today you have big corporations, such as google, shaming Linux kernel developers and pushing them to use RUST.

so on and so so forth I could wax poetic about other features e.g. *cough* systemd *cough*

Linux would run about 5% faster or so on this laptop but I don't care how fast something is if it comes at the cost of security or stability it is stupid.

The End
 
Old 01-07-2023, 07:39 PM   #2
lucmove
Senior Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian
Posts: 1,320

Rep: Reputation: 100Reputation: 100
Well...

https://isopenbsdsecu.re/about/

.
 
Old 01-08-2023, 09:06 AM   #3
DracoSentien
LQ Newbie
 
Registered: May 2019
Location: Bronx New York
Distribution: Debian
Posts: 27

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by lucmove View Post
That is retarded Linux is obviously a FrankenOS mixing the non-unix systemd with an otherwise unix-like system. THE UNIX philosophy is not perfect but a FrankenOS is mentally retarded at best.

Quote:
Google: Linux kernel and its toolchains are underinvested by at least 100 engineers
Security not good enough, claims Chocolate Factory engineer.
https://www.theregister.com/2021/08/...rnel_security/

Quote:
'We're finding bugs way faster than we can fix them': Google sponsors 2 full-time devs.
https://www.theregister.com/2021/02/...curity_effort/

Quote:
OpenSSL 3.0.5 awaits release to fix potential worse-than-Heartbleed flaw.
Though severity up for debate, and limited chips affected, broken tests hold back previous patch from distribution
https://www.theregister.com/2022/06/...orruption_bug/

Quote:
LibreSSL is a version of the TLS/crypto stack forked from OpenSSL in 2014, with goals of modernizing the codebase, improving security, and applying best practice development processes.

Primary development occurs inside the OpenBSD source tree with the usual care the project is known for.
https://www.libressl.org/

Quote:
WikiLeaks has today published the 15th batch of its ongoing Vault 7 leak, this time detailing two alleged CIA implants that allowed the agency to intercept and exfiltrate SSH (Secure Shell) credentials from targeted Windows and Linux operating systems using different attack vectors. Secure Shell or SSH is a cryptographic network protocol used for remote login to machines and servers securely over an unsecured network. Dubbed BothanSpy -- implant for Microsoft Windows Xshell client, and Gyrfalcon -- targets the OpenSSH client on various distributions of Linux OS, including CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu. Both implants steal user credentials for all active SSH sessions and then sends them to a CIA-controlled server.
https://linux.slashdot.org/story/17/...dows-linux-pcs

Quote:
The FBI and NSA have published today a joint security alert containing details about a new strain of Linux malware that the two agencies say was developed and deployed in real-world attacks by Russia's military hackers. From a report:
The two agencies say Russian hackers used the malware, named Drovorub, was to plant backdoors inside hacked networks. Based on evidence the two agencies have collected, FBI and NSA officials claim the malware is the work of APT28 (Fancy Bear, Sednit), a codename given to the hackers operating out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main SpecialService Center (GTsSS). Through their joint alert, the two agencies hope to raise awareness in the US private and public sectors so IT administrators can quickly deploy detection rules and prevention measures.
https://slashdot.org/index2.pl?fhfilter=NSA+linux

Quote:
ZDNet is warning that Linux users need to watch out for "a new peer-to-peer (P2P) botnet that spreads between networks using stolen SSH keys and runs its crypto-mining malware in a device's memory."
The Panchan P2P botnet was discovered by researchers at Akamai in March and the company is now warning it could be taking advantage of collaboration between academic institutions to spread by causing previously stolen SSH authentication keys to be shared across networks.

But rather than stealing intellectual property from these educational institutions, the Panchan botnet is using their Linux servers to mine cryptocurrency, according to Akamai... "Instead of just using brute force or dictionary attacks on randomized IP addresses like most botnets do, the malware also reads the id_rsa and known_hosts files to harvest existing credentials and use them to move laterally across the network...." Akamai found 209 peers, but only 40 of them are currently active and they were mostly located in Asia.

And why is the education sector more impacted by Panchan? Akamai guesses this could be because of poor password hygiene, or that the malware moves across the network with stolen SSH keys.
https://slashdot.org/index2.pl?fhfilter=ssh+keys

Quote:
A ten years old Linux backdoor linked to National Security Agency of United States was detected freshly, and analysis confirmed that the backdoor was existing from the past 10 years.

Dubbed as Bvp47 and linked to Equation Group-an NSA funded threat actor was first detected by anti-virus firm Virus Total in 2013. However, for reasons, not much was discussed or revealed about the advanced backdoor linked to Linux at that time.
https://www.cybersecurity-insiders.c...-detected-now/

Quote:
"Debian package maintainers tend to very often modify the source code of the package they are maintaining so that it better fits into the distribution itself. However, most of the time, their changes are not sent back to upstream for validation, which might cause some tension between upstream developers and Debian packagers. Today, a critical security advisory has been released: a Debian packager modified the source code of OpenSSL back in 2006 so as to remove the seeding of OpenSSL random number generator, which in turns makes cryptographic key material generated on a Debian system guessable. The solution? Upgrade OpenSSL and re-generate all your SSH and SSL keys. This problem not only affects Debian, but also all its derivatives, such as Ubuntu."
https://it.slashdot.org/story/08/05/...keys-guessable


Quote:
Shellshock, also known as Bashdoor,[1] is a family of security bugs[2] in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access[3] to many Internet-facing services, such as web servers, that use Bash to process requests.
https://en.wikipedia.org/wiki/Shellshock_(software_bug)

etc... etc... ad nauseam.

Last edited by DracoSentien; 01-08-2023 at 09:09 AM.
 
Old 01-08-2023, 09:29 AM   #4
DracoSentien
LQ Newbie
 
Registered: May 2019
Location: Bronx New York
Distribution: Debian
Posts: 27

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by lucmove View Post
Quote:
I asked a psychiatric nurse practitioner about paranoia, and was told that “paranoiais the feeling that people are after you.” A medical dictionary would give you a slightly different definition, but this one is actually terribly useful for any system administrator. It’s not that everyone on the Internet is trying to attack you, but there’s always someone who wants to break into your system. Even if you think you have nothing of value, someone wants to own your computer. And you won’t realize the value of what you have until someone else has it. That’s just human nature. If you’re not paranoid on the Internet, you’re in trouble.

That’s where OpenBSD comes in.

...

OpenBSD is a member of the BSD family of operating systems. It is widely regarded as the most secure operating system available anywhere, under any licensing terms

...

In 2003 OpenBSD was somewhere on the edge of open source software, known mainly for an uncompromising, fanatical view of computing security and correctness. So uncompromising that other open source projects didn’t want to work with it. But a funny thing happened in the following decade: The uncompromising fanatics turned out to be right. More than once I’ve heard “That’s fixed in the latest Linux, and in OpenBSD 3.2.” OpenBSD code trickled into other BSDs, Linux, and even some commercial operating systems. Apple and BlackBerry products include the OpenBSD packet filter.Lots of BSDs support the OpenBSD wireless utilities. And everyone runs OpenSSH.

....
https://mwl.io/nonfiction/os#ao2e

Quote:
The OpenBSD project maintains portable versions of many subsystems as packages for other operating systems. Because of the project's preferred BSD license, many components are reused in proprietary and corporate-sponsored software projects. The firewall code in Apple's macOS is based on OpenBSD's PF firewall code,[6] Android's Bionic C standard library is based on OpenBSD code,[7] LLVM uses OpenBSD's regular expression library,[8] and Windows 10 uses OpenSSH (OpenBSD Secure Shell) with LibreSSL.[9]
https://en.wikipedia.org/wiki/OpenBSD

Quote:
OpenBSD Innovations

This is a list of software and ideas developed or maintained by the OpenBSD project, sorted in order of approximate introduction. Some of them are explained in detail in our research papers.
Concepts

ipsec(4): Started by John Ioannidis, Angelos D. Keromytis, Niels Provos, and Niklas Hallqvist, imported February 20, 1997. OpenBSD was the first free operating system to provide an IPSec stack.
inet6(4): First complete integration and adoption of IPv6 led by "Itojun" (Dr. Junichiro Hagino) [WIDE/KAME], Craig Metz [NRL], and Angelos D. Keromytis starting Jan 6, 1999. Almost fully operational Jun 6, 1999 during the first OpenBSD hackathon. OpenBSD 2.7.
Privilege separation: First implemented by Niels Provos and Markus Friedl in OpenSSH in March 2002, released with OpenBSD 3.2. The concept is now used in many OpenBSD programs, for example bgpd(8), dhclient(8), dhcpd(8), dvmrpd(8), eigrpd(8), file(1), httpd(8), iked(8), ldapd(8), ldpd(8), mountd(8), npppd(8), ntpd(8), ospfd(8), ospf6d(8), pflogd(8), radiusd(8), relayd(8), ripd(8), script(1), smtpd(8), syslogd(8), tcpdump(8), tmux(1), xconsole(1), xdm(1), Xserver(1), ypldap(8), pkg_add(1), etc.
Privilege revocation: Related to the work on privilege separation, some programs were refactored to drop privileges while holding onto a tricky resource such as a raw socket, reserved port, or modification-locked bpf(4) descriptor, for example ping(8), traceroute(8), etc.
Stack protector: Developed since 2001 as "propolice" by Hiroaki Etoh. Integrated, and implemented for additional hardware platforms, by Miod Vallat and Theo de Raadt. OpenBSD 3.3 was the first operating system to enable it systemwide by default.
W^X: First used for sparc, sparc64, alpha, and hppa in OpenBSD 3.3. Strictly enforced by default since OpenBSD 6.0: a program can only violate it if the executable is marked with PT_OPENBSD_WXNEEDED and it is located on a filesystem mounted with the wxallowed mount(8) option.
GOT and PLT protection by ld.so: first done as part of the W^X work in OpenBSD 3.3, by Dale Rahn and Theo de Raadt. The GOT and PLT regions are read-only outside of ld.so itself. Extended to the .init/.fini sections (constructors and destructors) in OpenBSD 3.4.
ASLR: OpenBSD 3.4 was the first widely used operating system to provide it by default.
gcc-local(1) __attribute__((__bounded__)) static analysis annotation and checking mechanism: Started by Anil Madhavapeddy on June 26, 2003 and ported to GCC 4 by Nicholas Marriott. First released with OpenBSD 3.4.
malloc(3) randomization implemented by Thierry Deval. Guard pages and randomized (delayed) free added by Ted Unangst. Reimplemented by Otto Moerbeek for OpenBSD 4.4.
Position-independent executables (PIE): OpenBSD 5.3 was the first widely used operating system to enable it globally by default, on seven hardware platforms. Implemented in November 2008 by Kurt Miller and enabled by default by Pascal Stumpf in August 2012.
Random-data memory: the ability to specify that a variable should be initialized at load time with random byte values (placed into a new ELF .openbsd.randomdata section) was implemented in OpenBSD 5.3 by Matthew Dempsky.
Stack protector per shared object: using the random-data memory feature, each shared object was given its own stack protector cookie in OpenBSD 5.3 by Matthew Dempsky.
Static-PIE: Position-independent static binaries for /bin, /sbin and ramdisks. Implemented for OpenBSD 5.7 by Kurt Miller and Mark Kettenis.
SROP (sigreturn(2) oriented programming) mitigation: attacks researched by Eric Bosman and Herbert Bos in 2014, solution implemented by Theo de Raadt in May 2016, enabled by default since OpenBSD 6.0.
Library order randomization: In rc(8), re-link libc.so, libcrypto, and ld.so on startup, placing the objects in a random order. Theo de Raadt and Robert Peichaer, May 2016, enabled by default since OpenBSD 6.0 and 6.2.
Kernel-assisted lazy-binding for W^X safety in multi-threaded programs. A new syscall kbind(2) permits lazy-binding to be W^X safe in multi-threaded programs. Implemented for OpenBSD 5.9 by Philip Guenther in July 2015.
Process layouts in memory tightened to remove execute permission from all segmented, non-instruction data and to remove write permission from data that is only modified during loading and relocation. By combining the RELRO (Read-Only after Relocation) design from the GNU project with the original ASLR work from OpenBSD 3.3 and strict lazy-binding work from OpenBSD 5.9, this is applied to not just a subset of programs and libraries but rather to all programs and libraries. Implemented for OpenBSD 6.1 by Philip Guenther in August 2016.
Use of fork+exec in privilege separated programs. The strategy is to give each process a fresh & unique address space for ASLR, stack protector -- as protection against address space discovery attacks. Implemented first by Damien Miller (sshd(8) 2004), Claudio Jeker (bgpd(8), 2015), Eric Faurot (smtpd(8), 2016), Rafael Zalamena (various, 2016), and others.
trapsleds: Reduction of incidental NOP instructions/sequences in the instruction stream which could be useful potentially for ROP attack methods to innaccurately target gadgets. These NOP sequences are converted into trap sequences where possible. Todd Mortimer and Theo de Raadt, June 2017.
Kernel relinking at boot: the .o files of the kernel are relinked in random order from a link-kit, before every reboot. This provides substantial interior randomization in the kernel's text and data segments for layout and relative branches/calls. Basically a unique address space for each kernel boot, similar to the userland fork+exec model described above but for the kernel. Theo de Raadt, June 2017.
Rearranged i386/amd64 register allocator order in clang(1) to reduce polymorphic RET instructions: Todd Mortimer, November 20, 2017.
Reencoding of i386/amd64 instruction sequences to avoid embedded polymorphic RET instructions. Enhancements to clang(1) Todd Mortimer, April 28, 2018 and onwards.
MAP_STACK addition to mmap(2) allows opportunistic verification that the stack-register points at stack memory, therefore catching pivots to non-stack memory (sometimes used in ROP attacks). Theo de Raadt, April 12, 2018.
RETGUARD is a replacement for the stack-protector which uses a per-function random cookie (located in the read-only ELF .openbsd.randomdata section) to consistency-check the return address on the stack. Implemented for amd64 and arm64 by Todd Mortimer in OpenBSD 6.4, for mips64 in OpenBSD 6.7, and powerpc/powerpc64 in OpenBSD 6.9.
MAP_CONCEAL addition to mmap(2) disallows memory pages to be written to core dumps, preventing accidental exposure of private information. Theo de Raadt, Mark Kettenis and Scott Soule Cheloha, February 2, 2019.
Similar to the opportunistic verification in MAP_STACK, system-calls can no longer be performed from PROT_WRITE memory. Theo de Raadt, June 2, 2019.
System calls may only be performed from selected code regions (main program, ld.so, libc.so, and sigtramp). Theo de Raadt, November 28, 2019.
Permissions (RWX, MAP_STACK, etc) on address space regions can be made immutable, so that mmap(2), mprotect(2) or munmap(2) fail with EPERM. Most of the program static address space is now automatically immutable (main program, ld.so, main stack, load-time shared libraries, and dlopen()'d libraries mapped without RTLD_NODELETE). Programmers can request non-immutable static data using the "openbsd.mutable" section, or manually bring immutability to (page aligned heap objects) using mimmutable(2).

Functions

issetugid(2): Theo de Raadt, August 25, 1996, OpenBSD 2.0
arc4random(3): David Mazieres, December 28, 1996, OpenBSD 2.1
bcrypt(3): Implemented by Niels Provos and David Mazieres Imported February 13, 1997 and first released with OpenBSD 2.1.
strlcpy(3), strlcat(3): Todd Miller and Theo de Raadt, July 1, 1998, OpenBSD 2.4
strtonum(3): Ted Unangst, Todd Miller, and Theo de Raadt, May 3, 2004, OpenBSD 3.6
imsg: Message passing API, written by Henning Brauer. In libutil since May 26, 2010, OpenBSD 4.8; used by various daemons before that.
timingsafe_bcmp(3): Damien Miller, July 13, 2010, OpenBSD 4.9
explicit_bzero(3): Ted Unangst and Matthew Dempsky, January 22, 2014, OpenBSD 5.5
ohash: Written and maintained by Marc Espie. In libutil since May 12, 2014, OpenBSD 5.6; used by make(1) and m4(1) before that.
asr: Replacement resolver written and maintained by Eric Faurot. Imported April 14, 2012; activated on March 26, 2014, OpenBSD 5.6.
reallocarray(3): Theo de Raadt and Ted Unangst, April 22, 2014, OpenBSD 5.6
getentropy(2): Matthew Dempsky and Theo de Raadt, June 13, 2014, OpenBSD 5.6
sendsyslog(2): Theo de Raadt, July 10, 2014, OpenBSD 5.6
timingsafe_memcmp(3): Matthew Dempsky, July 13, 2014, OpenBSD 5.6
pledge(2): Theo de Raadt, July 19, 2015, OpenBSD 5.9
getpwnam_shadow(3), getpwuid_shadow(3): Ted Unangst and Theo de Raadt, November 18, 2015, OpenBSD 5.9
recallocarray(3): Otto Moerbeek, Joel Sing and Theo de Raadt, March 6, 2017, OpenBSD 6.1
freezero(3): Otto Moerbeek, April 10, 2017, OpenBSD 6.2
unveil(2): Theo de Raadt and Bob Beck, July 13, 2018, OpenBSD 6.4
malloc_conceal(3) and calloc_conceal(3): Otto Moerbeek, May 10, 2019, OpenBSD 6.5
ober: ASN.1 basic encoding rules API, written by Claudio Jeker and Reyk Flöter, maintained by Rob Pierce and Martijn van Duren; started in 2006/07, moved to libutil on May 11, 2019, OpenBSD 6.6

Programs and subsystems

ypbind(8), ypset(8), ypcat(1), ypmatch(1), ypwhich(1), and libc support: Started by Theo de Raadt. Imported April 26, 1993 and first released with NetBSD 0.9.
ypserv(8): Started by Mats O. Jansson in 1994. Imported October 23, 1995 and first released with OpenBSD 2.0.
mopd(8): Started by Mats O. Jansson in 1993. Imported September 21, 1996 and first released with OpenBSD 2.0.
AnonCVS: Designed and implemented by Chuck Cranor and Theo de Raadt in 1995 (paper, slides)
aucat(1): Started by Kenneth Stailey. Imported January 2, 1997 and first released with OpenBSD 2.1. Now maintained by Alexandre Ratchov.
OpenSSH including ssh(1), scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), sshd(8), sftp-server(8): Started by Aaron Campbell, Bob Beck, Dug Song, Markus Friedl, Niels Provos, and Theo de Raadt as a fork of SSH 1.2.12 by Tatu Ylonen. Imported September 26, 1999 and first released with OpenBSD 2.6. Now maintained by Markus Friedl, Damien Miller, Darren Tucker, and Theo de Raadt.
mg(1): Started by Dave Conroy in November 1986. Imported February 25, 2000 and first released with OpenBSD 2.7. Now maintained by Mark Lumsden.
m4(1): Originally implemented by Ozan Yigit and Richard A. O'Keefe for 4.3BSD-Reno. Considerably extended and maintained by Marc Espie since 1999.
pf(4), pfctl(8), pflogd(8), authpf(8), ftp-proxy(8): Started by Daniel Hartmeier as a replacement for the non-free ipf by Darren Reed. Imported June 24, 2001 and first released with OpenBSD 3.0. Now maintained by Henning Brauer.
systrace(4), systrace(1): Started by Niels Provos. Imported June 4, 2002 and first released with OpenBSD 3.2. Deleted after OpenBSD 5.9 because pledge(2) is even better.
spamd(8): Written by Bob Beck. Imported December 21, 2002 and first released with OpenBSD 3.3.
dc(1): Written and maintained by Otto Moerbeek. Imported September 19, 2003 and first released with OpenBSD 3.5.
bc(1): Written and maintained by Otto Moerbeek. Imported September 25, 2003 and first released with OpenBSD 3.5.
sensorsd(8): Started by Henning Brauer. Imported September 24, 2003 and first released with OpenBSD 3.5. Reworked by Constantine A. Murenin.
pkg_add(1): Written and maintained by Marc Espie. Imported October 16, 2003 and first released with OpenBSD 3.5.
carp(4): Written by Mickey Shalayeff, Markus Friedl, Marco Pfatschbacher, and Ryan McBride. Imported October 17, 2003 and first released with OpenBSD 3.5.
OpenBGPD including bgpd(8) and bgpctl(8): Written and maintained by Henning Brauer and Claudio Jeker, and also maintained by Peter Hessler. Imported December 17, 2003 and first released with OpenBSD 3.5.
dhclient(8): Started by Ted Lemon and Elliot Poger in 1996. Imported January 18, 2004 and first released with OpenBSD 3.5. Reworked by Henning Brauer. Now maintained by Kenneth Westerback.
dhcpd(8): Started by Ted Lemon in 1995. Imported April 13, 2004 and first released with OpenBSD 3.6. Reworked by Henning Brauer. Now maintained by Kenneth Westerback.
hotplugd(8): Started by Alexander Yurchenko. Imported May 30, 2004 and first released with OpenBSD 3.6.
OpenNTPD including ntpd(8) and ntpctl(8): Written and maintained by Henning Brauer. Imported May 31, 2004 and first released with OpenBSD 3.6. Portable version maintained by Brent Cook.
dpb(1): Started by Nikolay Sturm on August 10, 2004; first available for OpenBSD 3.6. Rewritten and maintained by Marc Espie since August 20, 2010.
ospfd(8), ospfctl(8): Started by Esben Norby and Claudio Jeker. Imported January 28, 2005 and first released with OpenBSD 3.7.
ifstated(8): Started by Marco Pfatschbacher and Ryan McBride. Imported January 23, 2004 and first released with OpenBSD 3.8.
bioctl(8): Started by Marco Peereboom. Imported March 29, 2005 and first released with OpenBSD 3.8.
hostapd(8): Written by Reyk Flöter. Imported May 26, 2005 and first released with OpenBSD 3.8.
watchdogd(8): Started by Marc Balmer. Imported August 8, 2005 and first released with OpenBSD 3.8.
sdiff(1): Written by Ray Lai. Imported December 27, 2005 and first released with OpenBSD 3.9.
dvmrpd(8), dvmrpctl(8): Started by Esben Norby. Imported June 1, 2006 and first released with OpenBSD 4.0.
ripd(8), ripctl(8): Started by Michele Marchetto. Imported October 18, 2006 and first released with OpenBSD 4.1.
pkg-config(1): Started by Chris Kuethe and Marc Espie. Imported November 27, 2006 and first released with OpenBSD 4.1. Now maintained by Jasper Lievisse Adriaanse.
relayd(8) with relayctl(8): Started by Pierre-Yves Ritschard and Reyk Flöter. Imported December 16, 2006 and first released with OpenBSD 4.1. Now maintained by Sebastian Benoit.
cwm(1): Started by Marius Aamodt Eriksen in 2004. Imported April 27, 2007 and first released with OpenBSD 4.2. Now maintained by Okan Demirmen. Portable version maintained by Leah Neukirchen.
ospf6d(8), ospf6ctl(8): Started by Esben Norby and Claudio Jeker. Imported October 8, 2007 and first released with OpenBSD 4.2.
libtool(1): Written by Steven Mestdagh and Marc Espie. Imported October 28, 2007 and first available for OpenBSD 4.3. Now maintained by Marc Espie, Jasper Lievisse Adriaanse, and Antoine Jacoutot.
snmpd(8): Started by Reyk Flöter. Imported December 5, 2007 and first released with OpenBSD 4.3. Now maintained by Martijn van Duren.
sysmerge(8): Written and maintained by Antoine Jacoutot, originally forked from mergemaster by Douglas Barton. Imported April 22, 2008, first released with OpenBSD 4.4.
ypldap(8): Started by Pierre-Yves Ritschard. Imported June 26, 2008 and first released with OpenBSD 4.4.
OpenSMTPD including smtpd(8), smtpctl(8), makemap(8): Started by Gilles Chehade. Imported November 1, 2008 and first released with OpenBSD 4.6. Now maintained by Gilles Chehade and Eric Faurot.
tmux, tmux(1): Started in 2007 and maintained by Nicholas Marriott. Imported June 1, 2009, first released with OpenBSD 4.6.
ldpd(8), ldpctl(8): Started by Michele Marchetto. Imported June 1, 2009 and first released with OpenBSD 4.6. Now maintained by Claudio Jeker.
mandoc including mandoc(1), man(1), apropos(1), makewhatis(8), man.cgi(8): Started by Kristaps Dzonsons in November 2008. Imported April 6, 2009, first released with OpenBSD 4.8. Now maintained by Ingo Schwarze.
ldapd(8), ldapctl(8): Written by Martin Hedenfalk. Imported May 31, 2010 and first released with OpenBSD 4.8.
OpenIKED including iked(8) and ikectl(8): Started by Reyk Flöter. Imported June 3, 2010 and first released with OpenBSD 4.8. Now maintained by Tobias Heider.
iscsid(8), iscsictl(8): Written and maintained by Claudio Jeker. Imported September 24, 2010 and first released with OpenBSD 4.9.
rc.d(8), rc.subr(8): Written and maintained by Robert Nagy and Antoine Jacoutot. Imported October 26, 2010 and first released with OpenBSD 4.9.
tftpd(8): Written and maintained by David Gwynne. Imported March 2, 2012 and first released with OpenBSD 5.2.
npppd(8), npppctl(8): Started by Internet Initiative Japan Inc. Imported January 11, 2010, first released with OpenBSD 5.3. Maintained by YASUOKA Masahiko.
ldomd(8), ldomctl(8): Written and maintained by Mark Kettenis. Imported October 26, 2012 and first released with OpenBSD 5.3.
sndiod(8): Written and maintained by Alexandre Ratchov. Imported November 23, 2012 and first released with OpenBSD 5.3.
cu(1): Written and maintained by Nicholas Marriott. Imported July 10, 2012 and first released with OpenBSD 5.4.
identd(8): Written and maintained by David Gwynne. Imported March 18, 2013 and first released with OpenBSD 5.4.
slowcgi(8): Written and maintained by Florian Obser. Imported May 23, 2013 and first released with OpenBSD 5.4.
signify(1): Written and maintained by Ted Unangst. Imported December 31, 2013 and first released with OpenBSD 5.5.
htpasswd(1): Written and maintained by Florian Obser. Imported March 17, 2014 and first released with OpenBSD 5.6.
LibreSSL: Started by Ted Unangst, Bob Beck, Joel Sing, Miod Vallat, Philip Guenther, and Theo de Raadt on April 13, 2014, as a fork of OpenSSL 1.0.1g. First released with OpenBSD 5.6. Portable version maintained by Brent Cook.
httpd(8): Started by Reyk Flöter. Imported July 12, 2014 and first released with OpenBSD 5.6.
rcctl(8): Written and maintained by Antoine Jacoutot. Imported August 19, 2014 and first released with OpenBSD 5.7.
file(1): Rewritten from scratch and maintained by Nicholas Marriott. Imported April 24, 2015 and first released with OpenBSD 5.8.
doas(1): Written and maintained by Ted Unangst. Imported July 16, 2015 and first released with OpenBSD 5.8.
radiusd(8): Written and maintained by YASUOKA Masahiko. Imported July 21, 2015 and first released with OpenBSD 5.8.
eigrpd(8), eigrpctl(8): Written and maintained by Renato Westphal. Imported October 2, 2015 and first released with OpenBSD 5.9.
vmm(4), vmd(8), vmctl(8): Written by Mike Larkin and Reyk Flöter. Imported November 13, 2015 and first released with OpenBSD 5.9.
pdisk(8): Originally written by Eryk Vershen in 1996-1998, rewritten and maintained by Kenneth Westerback since January 11, 2016 and first released with OpenBSD 5.9.
mknod(8): Original version from Version 6 AT&T UNIX (1975), last rewritten by Marc Espie on March 5, 2016 and first released with OpenBSD 6.0.
audioctl(1): Originally written by Lennart Augustsson in 1997, rewritten and maintained by Alexandre Ratchov since June 21, 2016 and first released with OpenBSD 6.0.
acme-client(1): Written by Kristaps Dzonsons, imported August 31, 2016; released with OpenBSD 6.1.
syspatch(8): Written and maintained by Antoine Jacoutot. Imported September 5, 2016; released with OpenBSD 6.1.
ping(8): Restructured to include IPv6 functionality and maintained by Florian Obser. The separate ping6(8) was superseded on September 17, 2016, and the new, combined version was released with OpenBSD 6.1.
xenodm(1): Cleaned-up fork of xdm(1) maintained by Matthieu Herrb. Imported October 23, 2016; released with OpenBSD 6.1.
ocspcheck(8): Written and maintained by Bob Beck. Imported January 24, 2017; released with OpenBSD 6.1.
slaacd(8): Written and maintained by Florian Obser. Imported March 18, 2017; released with OpenBSD 6.2.
rad(8): Written and maintained by Florian Obser. Imported July 10, 2018; released with OpenBSD 6.4.
unwind(8): Written and maintained by Florian Obser. Imported January 23, 2019; released with OpenBSD 6.5.
openrsync(1): Written by Kristaps Dzonsons. Imported February 10, 2019; released with OpenBSD 6.5.
sysupgrade(8): Written by Christian Weisgerber, Florian Obser, and Theo de Raadt. Imported April 25, 2019; released with OpenBSD 6.6.
snmp(1): Written and maintained by Martijn van Duren. Imported August 9, 2019; released with OpenBSD 6.6.
rpki-client(8): Written by Kristaps Dzonsons, maintained by Claudio Jeker. Imported June 17, 2019; released with OpenBSD 6.7.
resolvd(8): Written and maintained by Florian Obser and Theo de Raadt. Imported February 24, 2021; released with OpenBSD 6.9.
dhcpleased(8): Written and maintained by Florian Obser. Imported February 26, 2021; released with OpenBSD 6.9.

Projects maintained by OpenBSD developers outside OpenBSD

sudo: Started by Bob Coggeshall and Cliff Spencer around 1980. Imported November 18, 1999, first released with OpenBSD 2.7. Now maintained by Todd Miller.
femail: Written and maintained by Henning Brauer. Started in 2005, port available since September 22, 2005.
midish: Written and maintained by Alexandre Ratchov. Started in 2003, port available since November 4, 2005.
fdm: Written and maintained by Nicholas Marriott. Started in 2006, port available since January 18, 2007.
toad: Written and maintained by Antoine Jacoutot. Started in 2013, port available since October 8, 2013.
docbook2mdoc: Started by Kristaps Dzonsons in 2014, maintained by Ingo Schwarze. Port available since April 3, 2014.
portroach: Written and maintained by Jasper Lievisse Adriaanse, originally forked from FreeBSD's portscout. Started in 2014, port available since September 5, 2014.
cvs2gitdump: Written and maintained by YASUOKA Masahiko. Started in 2012, port available since August 1, 2016.
Game of Trees: Written and maintained by Stefan Sperling. Started in 2017, port available since August 9, 2019.
https://www.openbsd.org/innovations.html

Quote:
NAME

unveil — unveil parts of a restricted filesystem view
SYNOPSIS

#include <unistd.h>

int
unveil(const char *path, const char *permissions);
DESCRIPTION

The first call to unveil() that specifies a path removes visibility of the entire filesystem from all other filesystem-related system calls (such as open(2), chmod(2) and rename(2)), except for the specified path and permissions.

The unveil() system call remains capable of traversing to any path in the filesystem, so additional calls can set permissions at other points in the filesystem hierarchy.

After establishing a collection of path and permissions rules, future calls to unveil() can be disabled by passing two NULL arguments. Alternatively, pledge(2) may be used to remove the "unveil" promise.

The permissions argument points to a string consisting of zero or more of the following characters:

r
Make path available for read operations, corresponding to the pledge(2) promise "rpath".
w
Make path available for write operations, corresponding to the pledge(2) promise "wpath".
x
Make path available for execute operations, corresponding to the pledge(2) promise "exec".
c
Allow path to be created and removed, corresponding to the pledge(2) promise "cpath".

A path that is a directory will enable all filesystem access underneath path using permissions if and only if no more specific matching unveil() exists at a lower level. Directories are remembered at the time of a call to unveil(). This means that a directory that is removed and recreated after a call to unveil() will appear to not exist.

Non-directory paths are remembered by name within their containing directory, and so may be created, removed, or re-created after a call to unveil() and still appear to exist.

Attempts to access paths not allowed by unveil() will result in an error of EACCES when the permissions argument does not match the attempted operation. ENOENT is returned for paths for which no unveil() permissions qualify. After a process has terminated, lastcomm(1) will mark it with the ‘U’ flag if file access was prevented by unveil().

unveil() use can be tricky because programs misbehave badly when their files unexpectedly disappear. In many cases it is easier to unveil the directories in which an application makes use of files.
https://man.openbsd.org/unveil

Last edited by DracoSentien; 01-08-2023 at 10:40 AM.
 
  


Reply

Tags
linux, openbsd, security, thinkpad


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenBSD: nvidia drivers, screen resolution and FreeBSD binaries on OpenBSD ::: *BSD 2 08-21-2009 05:18 AM
LXer: Fsck errors in the Linux filesystem on my OpenBSD laptop NOT caused by OpenBSD LXer Syndicated Linux News 1 08-31-2008 04:15 AM
LXer: OpenBSD: The OpenBSD Foundation LXer Syndicated Linux News 0 07-26-2007 11:31 AM
OpenBSD - Where can i get OpenBSD 3.7 ISO CD -- Please help me b:z Linux - Software 5 04-08-2005 08:09 AM
OpenBSD - Where can i get OpenBSD 3.7 ISO CD -- Please help me b:z Linux - Software 1 04-07-2005 09:46 AM

LinuxQuestions.org > Forums > Other *NIX Forums > *BSD

All times are GMT -5. The time now is 11:03 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration