On Wed, Mar 14, 2001 at 02:07:47PM -0800, Patrick R. Wade wrote:
> On Wed, Mar 14, 2001 at 01:43:19PM -0800, Cory Petkovsek wrote:
> >
> >OpenBSD is touted as "secure" out of the box. But I believe that when it's
> >installed, it may very well become "unsecure", depending on the installer.
> >
> >However, OpenBSD says they haven't had a remote r00t exploit from the
> >default installation in 3 years and running. They also say they are the
> >only OS that can claim this.
> >
>
> There is also the problem of the ports; they explicitly exclude the ports
> from their security guarantee, despite the fact that problems in ported
> applications like sendmail or bind can bring r00+5311 exploits. They try
> to keep current on as much as they can, but they can't audit it all to the
> standards they apply to the kernel and toolset.

For starters, BIND, Apache, and sendmail are part of the main distro, NOT ports.
As such, they have been "corrected". OpenBSD ships with (a very modified
version of) BIND4, which is much more "secure" than BIND8. djbdns (whose author,
Dan Bernstein, offers a $500 reward for discovery of ANY security holes) is
also available as a port. BIND9 is also available as a port. These services
are not started by default after install either. Sendmail is started with
sendmail -q30m, and the apache and bind options in rc.conf are set to NO.
Ports don't go through a complete audit, but ports with poor use of
tmpnam() and such are rejected.

Daemons installed from ports won't be started by default once the
package is installed, and the daemon startup commands are not added to
the system startup scripts. That's QUITE different from Debian, which will
start a daemon before you have a chance to look at the config files. And if
you are just some average user who adds stuff without knowing how daemons
are started at boot time, it will run every time you boot. OpenBSD is definitely
not designed for the novice. You have to know what you're doing to get things
to work. In that sense, OpenBSD is secure unless someone who knows something
about what they're doing makes a mistake, or intentionally makes the system
insecure. OpenBSD is secure by default - always and in all ways.

And anyway, why would you want to run daemons on a firewall?
>
> >[snip]
> >Let's say there was this REALLY BAD vulnerability in BIND, and your server
> >was terribly open because of it. Security advisories you receive say the
> >latest version is out and you should upgrade to it.
> >
> >Or, how about a worse scenario.
> >
> >Let's say there's a really bad vulnerability in a program that you have
> >installed, but don't know there is a security problem with it.
> >
> >With Debian, there is a debian auto-upgrade server: security.debian.org.
> >When one runs the:
> >apt-get update
> >apt-get upgrade
> >the security upgrade server is polled and all packages one has installed are
> >checked against what's available on the server. They are downloaded,
> >upgraded, reconfigured(if need be) and restarted (if daemons) all
> >automagically.
> >
>
> The same functionality can be implemented in *BSDland:
>
> 1. set up CVSup and run it regularly (maybe from cron);
> 2. run make world with ports included;
> 3. reboot.
>
With OpenBSD, you can get security/stability patches direct to your mailbox.
And this goes back to the binary vs source argument. I had patched sudo
source about 5 hours after the recent buffer overflow discovery. I didn't
get a fixed .deb from security.debian.org until 3 days later. Also,
I had OpenSSH 2.5.1 BEFORE the problems with older ssh's were discovered.
The OpenBSD version of OpenSSH 2.3 was never vulnerable though anyway.
<[EMAIL PROTECTED]>
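The reply above rests on a concrete, checkable claim: after an OpenBSD install the daemon entries in rc.conf are set to NO, and nothing installed from ports gets added to the startup scripts. The script below is an added example, not code from the thread or from the OpenBSD project; it audits an rc.conf-style file and reports which `*_flags` entries would actually start a daemon at boot, so an administrator can verify the "secure by default" state on a fresh box (or spot where someone later turned a service on). It assumes the OpenBSD 2.x rc.conf convention that `daemon_flags=NO` disables a daemon and any other value is passed to it as flags; the sample rc.conf fragment is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): list which daemons an rc.conf would
# start at boot. Assumes the OpenBSD-style convention name_flags=NO means
# "disabled"; any other value (including "") means "enabled with these flags".

SAMPLE=${SAMPLE:-/tmp/rcconf_audit_sample.$$}
trap 'rm -f "$SAMPLE"' EXIT

# Constructed rc.conf fragment, mimicking the defaults described in the thread.
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a real system file
sendmail_flags="-q30m"   # queue runner only, as described in the thread
httpd_flags=NO           # apache disabled
named_flags=NO           # bind disabled
sshd_flags=""            # sshd enabled with no extra flags
EOF

# audit_rcconf FILE "ALLOWED NAMES"
# Prints one line per *_flags entry ("name disabled" or "name ENABLED ...").
# Returns 0 if every enabled daemon is in the allowed list, 1 otherwise, so
# it can gate a post-install check or a cron job.
audit_rcconf() {
  file=$1; allowed=$2; rc=0
  while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac      # skip blanks and comments
    key=${line%%=*}
    case $key in *_flags) ;; *) continue ;; esac # only daemon flag entries
    val=${line#*=}
    val=${val%%#*}                               # drop trailing comment
    val=$(printf '%s' "$val" |
          sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
              -e 's/^"//' -e 's/"$//')           # trim whitespace and quotes
    name=${key%_flags}
    if [ "$val" = "NO" ]; then
      echo "$name disabled"
    else
      echo "$name ENABLED (flags: '$val')"
      case " $allowed " in
        *" $name "*) ;;                          # expected to be on
        *) rc=1 ;;                               # unexpected daemon: flag it
      esac
    fi
  done < "$file"
  return $rc
}

# Example run: sshd and the sendmail queue runner are the only expected services.
audit_rcconf "$SAMPLE" "sshd sendmail"
echo "exit status: $?"
```

Point the script at the real file with `SAMPLE=/etc/rc.conf` and an allowed list matching the box's role; a non-zero exit means a daemon is enabled that the installer did not plan for, which is exactly the "installer made the system unsecure" case the thread is arguing about.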