
Security: OpenBSD vs. FreeBSD - atmosx
http://networkfilter.blogspot.com/2014/12/security-openbsd-vs-freebsd.html
======
riffraff
I think the point of MAC was understated: the important idea (AFAIU) is that
in traditional unix root is god, while with MAC the intent would be to make
the whole "got r00t" pointless because root is just another user with some
specific capabilities (e.g. create users, but not access the database).

Like, AWS' IAM for the single server.

I recall some ten years ago DAC vs MAC was a frequently debated topic,
nowadays seems nobody talks about it, not sure if because
trustedbsd/selinux/apparmor didn't deliver on the promises or anything else.

~~~
emidln
SEBSD and SELinux were and continue to be difficult to write policies for. I'm
not even aware of anyone other than Fedora/Red Hat and then specific appliances
that even ship policies. If I understand correctly, even Red Hat only ships
targeted policies (not a comprehensive system policy) that usually need to be
tweaked by the end admin for the situation at hand (which seems to lead to
people just turning off SELinux in Fedora/CentOS/RHEL).

~~~
erglkjahlkh
Shipping a targeted policy is simply a matter of practicality. Linux has
actual 3rd party applications, and forcing all the vendors to either ship with
policies or let the applications fail to run correctly would be a kiss of
death to the MAC system. That was actually tried in the early days of SELinux,
and it did not go well.

In fact that is why you even nowadays see "SELinux must be disabled" in
application manuals. The early SELinux iterations really broke all the
applications, and many people never took a second look at the technology. 9/10
of the application vendors that recommend disabling SELinux really don't do
anything that would hit a targeted policy - SELinux is already practically
disabled for them. They just destroy the protection for the other software in
the system...

Most common tweaking tasks can be done with booleans, and extra tweaks are
easy to accomplish with the help of audit2allow. However, it baffles me that
audit2allow is not part of the default installation. It is a life saver
that makes finding out why SELinux doesn't allow something really fast and
easy.
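
The workflow the two comments above describe (read the AVC denials, reach for a policy boolean when one covers the case, and only then turn what is left into an allow rule) as an added example; this is not code from the thread or from the SELinux project. It is a small parser over constructed audit.log lines that groups denials the way audit2allow's output does, and flags the one group that a boolean would resolve without a custom module. The boolean table holds a single entry, httpd_can_network_connect_db, which exists in the Fedora/RHEL targeted policy; the table is illustrative and the authoritative list on a given system is `getsebool -a`.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from any real system); the layout
# follows the AVC records the Linux audit subsystem writes.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1419000000.101:201): avc:  denied  { write } for  pid=1234 comm="httpd" name="app.log" dev="sda1" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1419000000.102:202): avc:  denied  { append } for  pid=1234 comm="httpd" name="app.log" dev="sda1" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1419000000.103:203): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1419000000.103:203): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Illustrative table only: denials the targeted policy already covers with a
# boolean. The authoritative list is `getsebool -a` on the system in question.
KNOWN_BOOLEANS = {
    ("httpd_t", "postgresql_port_t", "tcp_socket"): "httpd_can_network_connect_db",
}


def context_type(ctx):
    """user:role:type[:level] -> type (the part policy rules are written against)."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Extract one record per AVC denial; non-AVC audit records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": m.group("perms").split(),
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def summarize(denials):
    """Group by (source type, target type, class) and merge permissions,
    the same grouping that audit2allow's generated rules use."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}


def format_rule(key, perms):
    """Render one group as a policy allow rule."""
    src, tgt, cls = key
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{cls} {perm_str};"


def review_report(text):
    """Per group: point at a boolean when one covers it, otherwise show the
    allow rule a custom module would need, so an admin can review it first
    rather than blindly loading everything audit2allow would generate."""
    summary = summarize(parse_denials(text))
    lines = []
    for key in sorted(summary):
        if key in KNOWN_BOOLEANS:
            src, tgt, cls = key
            lines.append(f"# {src} -> {tgt}:{cls}: covered by `setsebool -P {KNOWN_BOOLEANS[key]} on`")
        else:
            lines.append(format_rule(key, summary[key]))
    return lines


if __name__ == "__main__":
    print("\n".join(review_report(SAMPLE_AUDIT_LOG)))
```

The point of the review step is the one the comment makes: a denial that a boolean already addresses should be fixed by flipping the boolean, and only the remainder deserves a hand-checked allow rule, because every rule added this way widens what the confined domain may do.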

------
arca_vorago
Being a pretty security conscious fellow, I would just like to say that we
need more in depth and up to date comparisons like this. I would like it if
more distros were added in though.

For example, while DragonFly BSD does not tout security as a strong point yet,
I have been keeping an eye on them and am very impressed with some of the
things they are doing and how they go about it.
([http://www.dragonflybsd.org/docs/newhandbook/Security/](http://www.dragonflybsd.org/docs/newhandbook/Security/))

I also have gotten tired of PAM/SELinux on Linux, but have been running Alpine
Linux with grsec and am impressed at the default install level of security,
and would like to possibly see Alpine put up against OpenBSD.

Minix 3 is too immature at the moment but I think pretty soon they are going
to be at the level where they need to start thinking about security as well.

------
miduil
Previous discussion on another blogposting of the same author:
[https://news.ycombinator.com/item?id=8871705](https://news.ycombinator.com/item?id=8871705)
Though, OpenBSD rarely supports hardware, since this isn't their goal.

~~~
smhenderson
I had three different Lenovo laptops that I used to experiment with the
various BSDs. One fairly old (2009) and the other two were between 6 - 10
months old. On all three of them OpenBSD detected my hardware (wireless,
sound, lan, etc) better than Net or Free did.

Anecdotal I know and I don't have specific model information in front of me at
the moment but, at least in my case, I found OpenBSD to be the best choice for
these laptops simply because when I finished installing, everything Just
Worked.

Oh, and they sleep properly too...

~~~
gvozd
Another anecdote: I had the same experience with my new Gigabyte laptop.
OpenBSD 5.6 supported the hardware better than FreeBSD or Linux (Qubes-OS,
which is based on Fedora). I ended up running OpenBSD on my laptop and FreeBSD
on my servers: one leased physical box with lots of jails, and one hosted VM
for redundancy.

I'd like to run OpenBSD on my servers, but acquiring the dozen or so machines
I need for service separation is just not cost effective or resource
efficient.

~~~
smhenderson
I do know what you mean there. After getting pretty much everything else I
wanted working well I looked for a VM solution and was a little disappointed
in the dev's attitude toward VM tech in general. I understand it but don't
have to like it. :-)

I've used Linux for years and am only recently checking out BSD so I just kept
Debian around for most of my servers.

I do like the new, very simple, httpd in OpenBSD though, been playing with
that a lot lately.

~~~
protomyth
If you watch the ruBSD 2013 interview video with Theo de Raadt[1] at 6:36, he
states that they should take a shot at dealing with modern x86 VMs. That gives
me quite a bit of hope, along with the work on VMware-related drivers in each
release.

1) [https://www.youtube.com/watch?v=OXS8ljif9b8](https://www.youtube.com/watch?v=OXS8ljif9b8)

~~~
smhenderson
Thanks, I will check that out. Based on some comments he made in the past I
thought hell would freeze over before Theo went that route! I can't find the
original kernel trap post at the moment but it was pretty, um, Theo. But I
think it's at least 7-8 years old now so I guess times change.

~~~
_delirium
You're probably thinking of this post, I would guess?
[http://marc.info/?l=openbsd-misc&m=119318909016582&w=2](http://marc.info/?l=openbsd-misc&m=119318909016582&w=2)

The x86 landscape has changed a bit between that post and the recent video
linked upthread, though (e.g. addition of a bunch of hardware protection
instructions aimed at virtualization), which might have led him to reevaluate.

------
justincormack
"arc4random implementations in FreeBSD and NetBSD aren't quite state of the
art anymore": NetBSD's has been updated; it now uses ChaCha20 and fixes the
other issues (duplicated random number state on fork, for example).
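
The "duplicated random number state on fork" problem mentioned above, as an added example that is not part of the thread and is not NetBSD's or OpenBSD's code. An HMAC-SHA256 counter generator stands in for ChaCha20 (the construction is irrelevant to the bug), fork is simulated by copying the object, and an atfork-style child hook stands in for what a real implementation arranges with pthread_atfork or with pages the kernel zeroes in the child. The names CounterRng, ForkSafeRng and simulate_fork are this example's own.

```python
import copy
import hashlib
import hmac
import os


class CounterRng:
    """Toy userland generator: HMAC-SHA256 over a counter under a secret key.
    All of its state lives in process memory, so a plain fork() hands the
    child an identical copy and both sides emit the same bytes afterwards."""

    def __init__(self, seed=None):
        self.reseed(seed)

    def reseed(self, seed=None):
        # seed=None draws fresh entropy from the kernel; a fixed seed is only
        # used here to make the demonstration reproducible.
        material = seed if seed is not None else os.urandom(32)
        self.key = hashlib.sha256(material).digest()
        self.counter = 0

    def random_bytes(self, n):
        out = b""
        while len(out) < n:
            block = hmac.new(self.key, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
            self.counter += 1
            out += block
        return out[:n]

    def atfork_child(self):
        # Naive design: the child does nothing and keeps the inherited state.
        pass


class ForkSafeRng(CounterRng):
    """Same generator, but the child-side fork hook discards the inherited key
    and reseeds from the kernel, so parent and child diverge immediately."""

    def atfork_child(self):
        self.reseed()


def simulate_fork(rng):
    """Model fork(): the child receives a byte-for-byte copy of the parent's
    memory, then the child-side atfork hook runs (as pthread_atfork would
    arrange in a real libc)."""
    child = copy.deepcopy(rng)
    child.atfork_child()
    return child


def outputs_after_fork(rng, n=16):
    """Return (parent output, child output) drawn right after the fork."""
    child = simulate_fork(rng)
    return rng.random_bytes(n), child.random_bytes(n)


def shares_state_after_fork(rng_class):
    """True when parent and child produce identical output after fork,
    i.e. when the generator has the bug the comment describes."""
    parent_out, child_out = outputs_after_fork(rng_class(seed=b"constructed seed"))
    return parent_out == child_out


if __name__ == "__main__":
    print("naive generator repeats output after fork:", shares_state_after_fork(CounterRng))
    print("fork-aware generator repeats output after fork:", shares_state_after_fork(ForkSafeRng))
```

The security consequence of the naive case is that two processes that each believe they hold fresh randomness (session keys, nonces, token values) are in fact drawing the same stream, which is why an arc4random implementation has to detect or be told about fork rather than relying on callers to reseed.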

~~~
dbolgheroni
OpenBSD uses ChaCha20 since 5.5, as can be seen in the man page:

[http://www.openbsd.org/cgi-bin/man.cgi?query=arc4random&apro...](http://www.openbsd.org/cgi-bin/man.cgi?query=arc4random&apropos=0&sec=0&arch=default&manpath=OpenBSD-current)

------
dale-cooper
It would be interesting to see how it compares to Linux with grsecurity.

~~~
haneefmubarak
I didn't go and research grsecurity, but I did do some overall research to see
how Linux compares:

[https://news.ycombinator.com/item?id=8898152](https://news.ycombinator.com/item?id=8898152)

------
feld
I wish someone from the FreeBSD project with authority and expertise would
speak out instead of being silent when these discussions come up; a clearly
communicated security roadmap would be nice. I suspect there's no desire to
start internet flamewars or heated discussions about FreeBSD's security
situation as they're wary of the discussions.

OpenBSD pioneers a lot of security research and best practices but I think
many people get misled by all the hand waving and subsequently have more faith
in certain features and less knowledge. I'm a victim myself.

As an example, I recently brought up W^X and wanted to know what the status /
stance was and was met with a healthy dose of skepticism. As I was told, "W^X
is very useful for debugging but not for security as the kernel has a read-
write 1:1 map of all physical memory... you can still write to memory that
will later be executed, you just have to use a different address" (not a
direct quote). This was completely new information to me that nobody seems to
talk about.

Likewise when I asked about securelevel=1 -- I was met with "securelevel is
more likely to be removed entirely than enabled by default ... not convincing
because there's no coherent model ... easy to work around as an attacker
unless the system is very, very carefully configured, which means it's locked
down beyond usability for most configurations ... though it's useful for jails
since you can still do maintenance from the jailhost"

tl;dr I think the FreeBSD devs who can call the shots are more interested in
ASLR and pushing Capsicum hard.

~~~
mlarkin
Whoever told you about that direct map "issue" didn't do their homework, and
is talking out of their ass.

[http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/arch/amd64/...](http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/arch/amd64/amd64/locore.S?rev=1.61&content-type=text/x-cvsweb-markup)

~~~
feld
Thanks for the link, I'll share it.

edit: would this prevent you from being able to support 1GB pages?

~~~
mlarkin
We don't use 1GB pages in the direct map today, and likely won't for some
time. They aren't supported on all amd64 CPUs so if we decided we were
interested in doing that, we'd need two types of direct map layouts, one to
support CPUs that had 1GB page support and one that didn't. That seems like an
awful lot of complexity for questionable gain.

edit: ... and if we did decide, in the future, to take advantage of 1GB page
support in the direct map, I'd probably just break out the kernel area
separately and continue to map it with 2MB pages.

~~~
feld
Thanks for the reply. There's currently no support for 1GB pages in FreeBSD
but someone provided a patch set that does it and has considerably improved
performance for their network appliance workload. It needs to be reworked a
bit before being merged, but I hope it will happen before 11-RELEASE.

~~~
ketralnis
> There's currently no support for 1GB pages in FreeBSD but someone provided a
> patch set that does it

Probably others, but some of the discussion:
[https://lists.freebsd.org/pipermail/freebsd-hackers/2014-Nov...](https://lists.freebsd.org/pipermail/freebsd-hackers/2014-November/046449.html)

------
armones
What about NetBSD? Is it not relevant anymore anywhere?

~~~
tw04
It's used by plenty of embedded vendors. It just isn't generally deployed as a
general purpose OS or server by most people. Not really the goal of the
project either - their goal is generally "run on any piece of hardware ever
created".

~~~
justincormack
It makes a perfectly decent server OS and people do use it as exactly that.
The portability goal is more about writing reasonably portable code, not
running on everything; indeed it runs on fewer devices than Linux, but it is
easy to port if you wish to.

------
MrBuddyCasino
Ha, interesting. I wonder what the rate of cross-pollination is - the BSDs
should, due to their license, easily be able to use code from the other BSD
variants, right? So how come FreeBSD's pf is kinda outdated, and OpenBSD
hasn't adopted jails, too? Is it due to different philosophies, NIH syndrome
or simply not enough manpower?

~~~
justincormack
Some code you can just drop in, other code needs more extensive changes
because the internals are different. It would be interesting to map the cross
pollination, there is a lot.

I believe jails is a philosophical issue, it is very hard to show that it
actually provides isolation.

~~~
tedunangst
> I believe jails is a philosophical issue, it is very hard to show that it
> actually provides isolation.

Indeed. In theory, the kernel runs at a security/isolation level above root,
but in practice root can often subvert it.

That said, OpenBSD also offers rdomains, which aren't quite jails but provide
a somewhat similar degree of network separation.

------
Zikes
I'm a web developer primarily, and I'm accustomed to Linux servers with the
likes of CentOS and Ubuntu. I've been seeing a lot of talk lately about how
secure *BSD is compared to Linux, and now Digital Ocean supports it. Is it
something I should start looking into? What's the learning curve like for
someone with moderate Linux experience? Where would I start?

~~~
darkarmani
If you are primarily a web developer who knows nothing about BSD, I don't
think you want to choose BSD for security reasons. The underlying OS might be
more hardened, but if you don't know the system and applications as well as
you know them in Linux, it's more likely you'll have a configuration error that
opens a gaping security hole.

~~~
ketralnis
For instance, the default mail system in FreeBSD is still sendmail
([https://www.freebsd.org/doc/handbook/sendmail.html](https://www.freebsd.org/doc/handbook/sendmail.html)).
It's pretty easy to accidentally configure it as an open relay, even if you
mostly know what you're doing. Until 10, BIND was the default DNS server
([https://www.freebsd.org/doc/handbook/network-dns.html](https://www.freebsd.org/doc/handbook/network-dns.html)),
which has the same kinds of configuration problems.

------
tribaal
Interesting read! Thanks.

