
Xorg can now run without privilege on OpenBSD - protomyth
http://undeadly.org/cgi?action=article&sid=20140223112426
======
darklajid
I want to like OpenBSD. I'm so happy about openssh and like the whole mindset,
philosophy. Or so I thought.

Recently (like, weeks ago) I investigated the big three BSDs for a small mail
server project. OpenBSD was the first thing I looked at, I was especially
interested in opensmtpd. Looking for documentation I stumbled upon [1] (note:
Same aggregator, same domain. I consider that 'The canonical source for
OpenBSD').

So that article praises the features of opensmtpd and then shows how to
implement a filter. With this:

    /* block idiots */
    if (! strcmp(p->domain, "0pointer.net")) {
        filter_api_reject(id, 530, "You're not welcome, go away !");
        return;
    }

At that point I shook my head in disbelief, labeled the author as a person I
don't want to read from again and moved on to NetBSD (and FreeBSD, still not
sure with which one I'll go). OpenBSD's obviously for more elite persons and
ad hominem attacks in random samples are .. I don't know. Funny? Cool with the
users/the project? The Right Way™?

That project has lots of attitude problems.

1:
[http://undeadly.org/cgi?action=article&sid=20130130081741](http://undeadly.org/cgi?action=article&sid=20130130081741)

~~~
Spittie
I recently came across this:
[http://bsd-geek.de/FreeBSD/NO_POETTERING.patch](http://bsd-geek.de/FreeBSD/NO_POETTERING.patch)

I don't know (and doubt) if it got merged into FreeBSD, but it shows that lots
of people just hate him.

~~~
Pacabel
I don't really see any hatred there.

Software he has been significantly involved with has caused problems for a lot
of people in the past. The recent strife and disagreement surrounding systemd
surely hasn't helped the situation.

If somebody has had bad experiences with multiple software systems developed
by a particular developer/project/organization, it's totally understandable
why they'd want to avoid that developer's/project's/organization's software in
the future. Nor is it unreasonable to want to protect oneself in such a
manner. Furthermore, this can be the case without holding any sort of hateful
emotions toward the developer/project/organization in question.

Do you have a better name for such a flag that may not involve his name
directly? It does seem like a very descriptive name for what it does, even if
some people may incorrectly interpret it as being "hateful" or something like
that.

------
hiphopyo
Choose OpenBSD for your Unix needs. OpenBSD -- the world's simplest and most
secure Unix-like OS. Creator of the world's most used SSH implementation
OpenSSH, the world's most elegant firewall PF, and the world's most elegant
mail server OpenSMTPD. OpenBSD -- the cleanest kernel, the cleanest userland
and the cleanest configuration syntax.

~~~
jrockway
<strike>No</strike> Only <strike>1</strike> 2 remote root holes in the default
install.

~~~
sillysaurus3
Is this true?

~~~
guyzmo
Not necessarily.

Only two have been discovered, but how many are there really?

Actually, Theo is a mole working for the NSA and, throughout the code that
_looks_ clean, he has hidden loads of backdoors and weak crypto…

And the coders and security consultants reading OpenBSD's source code spend so
much time laughing at the jokes in the comments that they just don't notice
the hidden evil!

But Ssh! don't tell anyone the door is opened! :-D

~~~
Canada
It's funny you joke about that...

The alleged FBI backdoor in OpenBSD's IPSec implementation:

[http://marc.info/?l=openbsd-tech&m=129236621626462&w=2](http://marc.info/?l=openbsd-tech&m=129236621626462&w=2)

~~~
reirob
It is from December 2010. With regard to the Snowden revelations, have any of
the backdoors been found since?

------
guyzmo
In 2006 one of my teachers, Mr Etiemble, told us about a paper he'd
participated in to illustrate that no matter how good the security models can
be at each level of abstraction, it only needs one piece of code that uses a
vertical design to make the overall layers of security models worthless…

[http://scholar.google.fr/citations?view_op=view_citation&hl=...](http://scholar.google.fr/citations?view_op=view_citation&hl=en&user=8zjlIJoAAAAJ&citation_for_view=8zjlIJoAAAAJ:UeHWp8X0CEIC)

N.B.: That article is really worth a read!

And then, as one could have expected at the time, TdR had a really strong
reaction on the matter (can't find the e-mail for reference), saying that
OpenBSD is anyway secure, except if you want to have "modern accelerated
graphics" (or something less subjective, that's iirc)…

…and here we are eight years later, to finally have the OpenBSD guys show off
they've done it. I don't know if that should bug me they needed 8 years to
patch that bug that was not really one (as per Theo) or if I should be amazed
by the work done to secure that incredible mess that is Xorg :-)

cheers and gg, guys!

------
stass
Great accomplishment! Congratulations to OpenBSD folks!

------
ars
Do they block access to advanced features of the video card?

Can't a video card DRM read any memory on the system?

~~~
mikeash
I think you mean DMA, not DRM.

~~~
rlpb
By DRM he probably meant:
[http://en.wikipedia.org/wiki/Direct_Rendering_Manager](http://en.wikipedia.org/wiki/Direct_Rendering_Manager)

~~~
simias
In the context "DRM" doesn't make a lot of sense, I do think the OP means
"DMA" here. DRM is an API, it doesn't "read" anything. DMA, however, does.

~~~
mikeash
Either way, I learned about a new thing!

------
openbsddesktop
Don't forget to donate:

[http://www.openbsdfoundation.org/campaign2014.html](http://www.openbsdfoundation.org/campaign2014.html)

Thanks! :)

------
dbolgheroni
[http://marc.info/?l=openbsd-misc&m=139321387226212&w=2](http://marc.info/?l=openbsd-misc&m=139321387226212&w=2)

------
sandGorgon
FYI - the systemd project got a similar thing working on Linux a couple of
weeks back. I think Wayland/Weston already leverages systemd to run without
privileges.

Part of the whole discussion on why systemd was much more forward looking than
anything else on Linux.

[1]
[https://plus.google.com/+DavidHerrmann/posts/ggK1tStCvJH](https://plus.google.com/+DavidHerrmann/posts/ggK1tStCvJH)

