Security: OpenBSD vs. FreeBSD (networkfilter.blogspot.com)
155 points by atmosx on Jan 16, 2015 | 54 comments

I think the point of MAC was understated: the important idea (AFAIU) is that in traditional unix root is god, while with MAC the intent would be to make the whole "got r00t" pointless because root is just another user with some specific capabilities (e.g. create users, but not access the database).

Like, AWS' IAM for the single server.

I recall some ten years ago DAC vs MAC was a frequently debated topic; nowadays it seems nobody talks about it. Not sure if that is because trustedbsd/selinux/apparmor didn't deliver on the promises or something else.

sebsd and selinux were and continue to be difficult to write policies for. I'm not even aware of anyone other than Fedora/RedHat and then specific appliances that even ship policies. If I understand correctly, even RedHat only ships targeted policies (not a comprehensive system policy) that usually need to be tweaked by the end admin for the situation at hand (which seems to lead to people just turning off selinux in Fedora/Centos/RHEL).

Shipping a targeted policy is simply a matter of practicality. Linux has actual 3rd party applications, and forcing all the vendors to either ship with policies or let the applications fail to run correctly would be a kiss of death to the MAC system. That was actually tried in the early days of SELinux, and it did not go well.

In fact that is why you even nowadays see "SELinux must be disabled" in application manuals. The early SELinux iterations really broke all the applications, and many people never took a second look at the technology. 9/10 of the application vendors that recommend disabling SELinux really don't do anything that would hit a targeted policy - SELinux is already practically disabled for them. They just destroy the protection for the other software in the system...

Most common tweaking tasks can be handled with booleans, and extra tweaks are easy to accomplish with the help of audit2allow. However it baffles me to notice that audit2allow is not part of the default installations. It is a life saver that makes finding out why SELinux doesn't allow something really fast and easy.
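The two comments above make a point worth seeing concretely: under type enforcement the uid is irrelevant, so an httpd running as root is still confined by what `httpd_t` is allowed to do, and the raw material for any policy tweak is the AVC denial line in the audit log. The following is an added example, not code from the blog post or from any of the projects discussed. It parses one constructed AVC denial (shaped like a real `audit.log` entry, but not copied from any host) into its source type, target type, class and permissions, formats the allow rule that `audit2allow` would produce for it, and then shows why you should check booleans first: the hard-coded hint mapping this particular denial to the `httpd_can_network_connect_db` boolean is my own illustration, not `audit2allow`'s or `audit2why`'s database.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample denial: httpd trying to open a TCP connection to the
 * MySQL port. Not copied from a real machine. */
static const char SAMPLE_AVC[] =
    "type=AVC msg=audit(1421413200.123:456): avc:  denied  { name_connect } for "
    " pid=1234 comm=\"httpd\" dest=3306 "
    "scontext=system_u:system_r:httpd_t:s0 "
    "tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0";

struct avc {
    char perms[64];   /* contents of the { ... } permission set */
    char stype[64];   /* type component of scontext */
    char ttype[64];   /* type component of tcontext */
    char tclass[32];  /* object class, e.g. tcp_socket, file, dir */
};

/* Copy the value of "key=" up to the next space into out. 0 if key absent. */
static int field(const char *line, const char *key, char *out, size_t n) {
    const char *p = strstr(line, key);
    if (!p) return 0;
    p += strlen(key);
    size_t len = strcspn(p, " ");
    if (len == 0 || len >= n) return 0;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* A context is user:role:type[:range]; extract the third field. */
static int context_type(const char *ctx, char *out, size_t n) {
    const char *p = ctx;
    for (int i = 0; i < 2; i++) {       /* skip user and role */
        p = strchr(p, ':');
        if (!p) return 0;
        p++;
    }
    size_t len = strcspn(p, ":");        /* type ends at the MLS range, if any */
    if (len == 0 || len >= n) return 0;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* Parse one AVC line. Returns 1 on success, 0 if the line is not a denial. */
int parse_avc(const char *line, struct avc *a) {
    char ctx[128];
    const char *d = strstr(line, "denied");
    if (!d) return 0;
    const char *open = strchr(d, '{');
    const char *close = open ? strchr(open, '}') : NULL;
    if (!open || !close) return 0;
    open++;                                  /* skip '{' and surrounding blanks */
    while (*open == ' ') open++;
    size_t len = (size_t)(close - open);
    while (len > 0 && open[len - 1] == ' ') len--;
    if (len == 0 || len >= sizeof a->perms) return 0;
    memcpy(a->perms, open, len);
    a->perms[len] = '\0';
    if (!field(line, "scontext=", ctx, sizeof ctx) ||
        !context_type(ctx, a->stype, sizeof a->stype)) return 0;
    if (!field(line, "tcontext=", ctx, sizeof ctx) ||
        !context_type(ctx, a->ttype, sizeof a->ttype)) return 0;
    return field(line, "tclass=", a->tclass, sizeof a->tclass);
}

/* The type-enforcement rule audit2allow would emit for this denial. */
int allow_rule(const struct avc *a, char *out, size_t n) {
    int w = snprintf(out, n, "allow %s %s:%s { %s };",
                     a->stype, a->ttype, a->tclass, a->perms);
    return w > 0 && (size_t)w < n;
}

/* Illustrative hint table (assumption: my own, not audit2allow's): the
 * denial above is covered by a shipped boolean, so a custom module is the
 * wrong fix. */
const char *boolean_hint(const struct avc *a) {
    if (!strcmp(a->stype, "httpd_t") && !strcmp(a->tclass, "tcp_socket") &&
        !strcmp(a->ttype, "mysqld_port_t") && strstr(a->perms, "name_connect"))
        return "httpd_can_network_connect_db";
    return NULL;
}

int main(void) {
    struct avc a;
    char rule[256];
    if (!parse_avc(SAMPLE_AVC, &a)) { puts("not an AVC denial"); return 1; }
    if (allow_rule(&a, rule, sizeof rule)) printf("audit2allow would emit: %s\n", rule);
    const char *b = boolean_hint(&a);
    printf("%s\n", b ? b : "no boolean covers this; a custom module is needed");
    return 0;
}
```

On a real system the equivalent workflow is `ausearch -m avc -ts recent | audit2allow`, then `getsebool -a | grep httpd` before loading anything the tool generates; a rule that duplicates an existing boolean is policy debt, and a rule with a broad permission set (`{ read write create unlink }` on a generic type) is usually a sign the target file should be relabelled, not that the policy should be widened.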

Interesting, root is not a superset, just a seed (NPI) for other user/permissions to exist, right ?

that is my understanding, yes (though I have no idea what "NPI" means, sorry).

Being a pretty security conscious fellow, I would just like to say that we need more in depth and up to date comparisons like this. I would like it if more distros were added in though.

For example, while DragonFly BSD does not tout security as a strong point yet, I have been keeping an eye on them and am very impressed with some of the things they are doing and how they go about it. (http://www.dragonflybsd.org/docs/newhandbook/Security/)

I also have gotten tired of pam/selinux on linux, but have been running Alpine linux with grsec and am impressed at the default install level of security, and would like to possibly see alpine put up against openbsd.

Minix 3 is too immature at the moment but I think pretty soon they are going to be at the level where they need to start thinking about security as well.

Previous discussion on another blogposting of the same author: https://news.ycombinator.com/item?id=8871705 Though, OpenBSD rarely supports hardware, since this isn't their goal.

I had three different Lenovo laptops that I used to experiment with the various BSDs. One fairly old (2009) and the other two were between 6 - 10 months old. On all three of them OpenBSD detected my hardware (wireless, sound, lan, etc) better than Net or Free did.

Anecdotal I know and I don't have specific model information in front of me at the moment but, at least in my case, I found OpenBSD to be the best choice for these laptops simply because when I finished installing, everything Just Worked.

Oh, and they sleep properly too...

Another anecdote: I had the same experience with my new Gigabyte laptop. OpenBSD 5.6 supported the hardware better than FreeBSD or Linux (Qubes-OS, which is based on Fedora). I ended up running OpenBSD on my laptop and FreeBSD on my servers: one leased physical box with lots of jails, and one hosted VM for redundancy.

I'd like to run OpenBSD on my servers, but acquiring the dozen or so machines I need for service separation is just not cost effective or resource efficient.

I do know what you mean there. After getting pretty much everything else I wanted working well I looked for a VM solution and was a little disappointed in the dev's attitude toward VM tech in general. I understand it but don't have to like it. :-)

I've used Linux for years and am only recently checking out BSD so I just kept Debian around for most of my servers.

I do like the new, very simple, httpd in OpenBSD though, been playing with that a lot lately.

If you watch the ruBSD 2013 interview video with Theo de Raadt[1] at 6:36, he states that they should take a shot at dealing with modern x86 VMs. That gives me quite a bit of hope along with the work on vmware related drivers in each release.

1) https://www.youtube.com/watch?v=OXS8ljif9b8

Thanks, I will check that out. Based on some comments he made in the past I thought hell would freeze over before Theo went that route! I can't find the original kernel trap post at the moment but it was pretty, um, Theo. But I think it's at least 7-8 years old now so I guess times change.

You're probably thinking of this post, I would guess? http://marc.info/?l=openbsd-misc&m=119318909016582&w=2

The x86 landscape has changed a bit between that post and the recent video linked upthread, though (e.g. addition of a bunch of hardware protection instructions aimed at virtualization), which might have led him to reevaluate.

Which Gigabyte laptop?

It's a P25W with 16 GB RAM and 3T SSD (I dual boot with a Steam-only Windows install). I don't care about the nvidia card in OpenBSD-- the Intel card works fine with xfce. I haven't figured out how to make the internal speakers work, but I use headphones pretty much exclusively anyway. Linux has trouble with the trackpad, and both the internal wired and wireless NICs fail to work under FreeBSD.

OpenBSD works quite well as a daily use OS.

"rarely"? I've used OpenBSD for a long time, mostly on laptops, and have rarely found hardware which isn't supported.

Of course there are some wi-fi devices that require blobs, and I'm glad OpenBSD does not support these. However, I learned that no support at all is better than half support from some crap drivers.

Well, since it should mostly be used as a firewall, having a little restriction of which hardware you can use isn't a big deal.

> since it should mostly be used as a firewall

This is a misconception.

What other uses are you suggesting? The OS is optimized for firewall and security. Not for desktop or anything like that. It lacks both hardware and software in almost every respect for anything more.

Sure, I would be very happy to use it as my desktop. Even donated for them. But it needs more time to adopt more tools at the very least for broader adoption.

I've used both apache and their new httpd to serve up perl, php and html. I've had no issues with mysql. I like their nice, simple named service as well.

Really, anything I've used Linux for on servers I've been able to replicate on OpenBSD... I don't feel like everything is automatically more secure just because I'm using OpenBSD but its simplicity with regards to package management and system configuration does help me understand just about everything running on the system which, IMHO, does lead to better security.

> The OS is optimized for firewall and security. Not for desktop or anything like that. It lacks both hardware and software in almost every respect for anything more.

I'm doing web development for the last 4 years and programming for almost 2. My desktop and laptop have only OpenBSD as an OS.

What do I miss? Apart from some more recent games (which is the reason I have a console), nothing[0]. ;)

As for hardware problems? Well, if you want to run some new (for you) OS without doing some homework (will it run? what problems are unresolved for X hardware? what hardware do I already own? will it cause problems?) you're out of luck even with Linux in some cases.

Hell, even my x41 single core laptop can play 1080p video files.

[0]: http://openports.se/

[edit]: also, upgrade process => ~3-7mins (depending on hardware). Can't beat that. :)

"arc4random implementations in FreeBSD and NetBSD aren't quite state of the art anymore": NetBSD's has been updated; it now uses ChaCha20 and fixes the other issues (duplicated random number state on fork, for example).

OpenBSD has used ChaCha20 since 5.5, as can be seen in the man page:


Xin Li is working on the arc4random changes for FreeBSD
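The "duplicated random number state on fork" problem mentioned above is easy to demonstrate and worth seeing, because it is the failure mode that matters for a forking server: after fork() both processes hold an identical copy of the generator state, so a parent and child that each hand out a session token, nonce or IV produce the same value. The following is an added example, not code from the blog post or from any BSD's libc. It stands in a 64-bit xorshift for the ChaCha20 keystream (xorshift is not a CSPRNG; it only plays the role of in-process state), seeds from /dev/urandom, and contrasts a naive generator with one that reseeds when it notices the pid has changed. OpenBSD's actual fix is different and better: the state page is mapped MAP_INHERIT_ZERO so the child wakes up with zeroed state and must reseed; the getpid() check here is the portable, simplified stand-in and is my assumption, not a description of any project's code.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Process-local generator state. `owner` is only used by the fork-aware
 * variant; `seeded` is shared by both. */
struct prng {
    uint64_t s;      /* xorshift state, stand-in for the ChaCha20 key/nonce */
    pid_t owner;     /* pid that last seeded the state */
    int seeded;
};

/* Toy keystream: 64-bit xorshift. Deterministic from state, like any
 * stream cipher driven generator, which is exactly why duplicated state
 * yields duplicated output. */
static uint64_t xorshift64(uint64_t *s) {
    uint64_t x = *s;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    return *s = x;
}

/* Pull 8 bytes from the kernel. xorshift must never be all-zero. */
static int kernel_seed(uint64_t *out) {
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, out, sizeof *out);
    close(fd);
    if (n != (ssize_t)sizeof *out) return 0;
    if (*out == 0) *out = 1;
    return 1;
}

/* Naive: seed once, never look again. Parent and child diverge only if
 * one of them happens to draw more values than the other. */
uint64_t naive_rand(struct prng *g) {
    if (!g->seeded) {
        if (!kernel_seed(&g->s)) g->s = 0x9E3779B97F4A7C15ull; /* fallback, assumption */
        g->seeded = 1;
    }
    return xorshift64(&g->s);
}

/* Fork-aware: reseed whenever the calling pid differs from the seeding pid.
 * Simplified stand-in for MAP_INHERIT_ZERO (OpenBSD) / pthread_atfork hooks;
 * it costs a getpid() per call and does not cover pid reuse edge cases. */
uint64_t forksafe_rand(struct prng *g) {
    pid_t me = getpid();
    if (!g->seeded || g->owner != me) {
        if (!kernel_seed(&g->s)) g->s = 0x9E3779B97F4A7C15ull ^ (uint64_t)me;
        g->owner = me;
        g->seeded = 1;
    }
    return xorshift64(&g->s);
}

/* Seed the generator, fork, draw one value in each process, and report
 * whether the two first-after-fork outputs are identical.
 * Returns 1 (collide), 0 (differ) or -1 on a system call failure. */
int first_outputs_collide(uint64_t (*gen)(struct prng *)) {
    struct prng g;
    memset(&g, 0, sizeof g);
    (void)gen(&g);                        /* state is now seeded and live */

    int fds[2];
    if (pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: draw once, send it up */
        uint64_t v = gen(&g);
        if (write(fds[1], &v, sizeof v) != (ssize_t)sizeof v) _exit(1);
        _exit(0);
    }
    close(fds[1]);
    uint64_t child_v = 0;
    ssize_t n = read(fds[0], &child_v, sizeof child_v);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof child_v) return -1;

    uint64_t parent_v = gen(&g);          /* parent: draw once from its copy */
    return parent_v == child_v;
}

int main(void) {
    printf("naive generator: parent/child first outputs collide = %d\n",
           first_outputs_collide(naive_rand));
    printf("fork-aware generator: parent/child first outputs collide = %d\n",
           first_outputs_collide(forksafe_rand));
    return 0;
}
```

The same shape of bug shows up in userland libraries that wrap their own DRBG (OpenSSL before 1.1.1 needed explicit fork handling from the application), which is why the cheap test above, fork and compare the first output, belongs in the test suite of anything that keeps generator state in process memory.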


It would be interesting to see how it compares to linux with grsecurity

I didn't go and research grsecurity, but I did do some overall research to see how Linux compares:


I wish someone from the FreeBSD project with authority and expertise would speak out instead of being silent when these discussions come up; a clearly communicated security roadmap would be nice. I suspect there's no desire to start internet flamewars or heated discussions about FreeBSD's security situation as they're weary of the discussions.

OpenBSD pioneers a lot of security research and best practices but I think many people get misled by all the hand waving and subsequently have more faith in certain features and less knowledge. I'm a victim myself.

As an example, I recently brought up W^X and wanted to know what the status / stance was and was met with a healthy dose of skepticism. As I was told, "W^X is very useful for debugging but not for security as the kernel has a read-write 1:1 map of all physical memory... you can still write to memory that will later be executed, you just have to use a different address" (not a direct quote) This was completely new information to me that nobody seems to talk about.

Likewise when I asked about securelevel=1 -- I was met with "securelevel is more likely to be removed entirely than enabled by default ... not convincing because there's no coherent model ... easy to work around as an attacker unless the system is very, very carefully configured, which means it's locked down beyond usability for most configurations ... though it's useful for jails since you can still do maintenance from the jailhost"

tl;dr I think the FreeBSD devs who can call the shots are more interested in ASLR and pushing Capsicum hard.

Whoever told you about that direct map "issue" didn't do their homework, and is talking out of their ass.


Thanks for the link, I'll share it.

edit: would this prevent you from being able to support 1GB pages?

We don't use 1GB pages in the direct map today, and likely won't for some time. They aren't supported on all amd64 CPUs so if we decided we were interested in doing that, we'd need two types of direct map layouts, one to support CPUs that had 1GB page support and one that didn't. That seems like an awful lot of complexity for questionable gain.

edit: ... and if we did decide, in the future, to take advantage of 1GB page support in the direct map, I'd probably just break out the kernel area separately and continue to map it with 2MB pages.

Thanks for the reply. There's currently no support for 1GB pages in FreeBSD but someone provided a patch set that does it and has considerably improved performance for their network appliance workload. It needs to be reworked a bit before being merged, but I hope it will happen before 11-RELEASE.

> There's currently no support for 1GB pages in FreeBSD but someone provided a patch set that does it

Probably others, but some of the discussion: https://lists.freebsd.org/pipermail/freebsd-hackers/2014-Nov...

Does OpenBSD use CVS?


I wouldn't be so quick to declare the work done in OpenBSD as hand-waving, especially when the FreeBSD developers you've been talking to are just as uninformed as you are now.

Feel free to point them at the link mlarkin himself has posted here.

gladly will. learning is an important process. :-)

Are you referring to discussions on their mailing lists? If so, could you link to them?

No, it was in an IRC chat

What about NetBSD? Is it not relevant anymore anywhere?

It is closer to FreeBSD for many things, closer to OpenBSD for others. I get the impression that the author does not use it which is why it is not there.

It's used by plenty of embedded vendors. It just isn't generally deployed as a general purpose OS or server by most people. Not really the goal of the project either - their goal is generally "run on any piece of hardware ever created".

It makes a perfectly decent server OS and people do use it as exactly that. The portability goal is more about writing reasonable portable code, not running on everything, indeed it runs on fewer devices than Linux, but it is easy to port if you wish to.

Ha, interesting. I wonder what the rate of cross-pollination is - the BSDs should, due to their license, easily be able to use code from the other BSD variants, right? So how come FreeBSD's pf is kinda outdated, and OpenBSD hasn't adopted Jails, too? Is it due to different philosophies, NIH syndrome or simply not enough manpower?

The article is actually incorrect about PF. FreeBSD forked OpenBSD's 4.5 version and has provided its own set of enhancements, including SMP, but it has fallen behind in other respects. PF in OpenBSD has had some large architectural changes that break SMP and the biggest change (new syntax) wasn't deemed worthwhile to port back to the SMP version. The blog links to an email chain about it https://lists.freebsd.org/pipermail/freebsd-pf/2014-July/007...
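The "new syntax" the comment above refers to is the translation rewrite that landed in OpenBSD 4.7: `nat`/`rdr`/`binat` stopped being separate rule families and became `nat-to`/`rdr-to`/`binat-to` options on ordinary `match` and `pass` rules. Since FreeBSD's pf descends from the 4.5 code, a ruleset written in one dialect will not load on the other. The fragment below is an added example, not from the blog post or either project's documentation; the interface name and addresses are constructed, and the two halves are alternative files for the same policy (NAT for a LAN plus a port-forward to an internal web server), not one ruleset.

```pf
# Dialect 1: OpenBSD 4.5-era syntax, which FreeBSD's pf still speaks.
ext_if  = "em0"
int_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80
# Filtering happens after translation, so the pass rule names the internal host.
pass in on $ext_if proto tcp from any to $web_srv port 80
pass out on $ext_if from $int_net to any

# Dialect 2: the same policy in OpenBSD 4.7+ syntax. Translation is an
# option on the rule that matches the packet, so the redirect and the
# permission to reach it are one rule, and the pass rule is written in
# terms of the address seen on the wire.
ext_if  = "em0"
int_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

match out on $ext_if from $int_net to any nat-to ($ext_if)
pass in on $ext_if proto tcp from any to ($ext_if) port 80 rdr-to $web_srv
pass out on $ext_if from $int_net to any
```

The practical security consequence of the split is that filtering rules and translation rules audited together in one dialect have to be re-read with the other dialect's evaluation order in mind when a ruleset is moved between the two systems; `pfctl -nf /etc/pf.conf` on the target host catches the syntax differences, but not a rule whose meaning shifted because translation now happens on the pass rule itself.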

Some code you can just drop in, other code needs more extensive changes because the internals are different. It would be interesting to map the cross pollination, there is a lot.

I believe jails is a philosophical issue, it is very hard to show that it actually provides isolation.

> I believe jails is a philosophical issue, it is very hard to show that it actually provides isolation.

Indeed. In theory, the kernel runs at a security/isolation level above root, but in practice root can often subvert it.

That said, OpenBSD also offers rdomains, which aren't quite jails but provide a somewhat similar degree of network separation.

I'm actually a little worried about cross-pollination after I listened to BSD Now episode 52[1]. The interview with Shawn Webb scared me quite a bit with the answer to the question at 24:08 in the video[2]. The not knowing the OpenBSD model and the whole taint code comment is not an acceptable answer when looking at another BSD licensed project. It is also a really poor idea.

1) http://www.bsdnow.tv/episodes/2014_08_27-reverse_takeover

2) This is the one time I really, really wish there was an interviewer not from the FreeBSD / PC-BSD project. I really wanted a follow-up question to this one.

You can always email the guest. We include the guest's contact details in every episode's show notes.

I love what you folks do, and your segments are spot on, and you get great people on, but I don't think me e-mailing the guy would get an answer. It was just so out-there that I still cannot figure out what the heck was up.

BSD Now and bsdtalk are the two podcasts I look forward to each week.

I'm a web developer primarily, and I'm accustomed to Linux servers with the likes of CentOS and Ubuntu. I've been seeing a lot of talk lately about how secure *BSD is compared to Linux, and now Digital Ocean supports it. Is it something I should start looking into? What's the learning curve like for someone with moderate Linux experience? Where would I start?

"Is it something I should start looking into?"

No. Don't bother. The only BSD that has a security edge over linux is OpenBSD and you're probably not happy to lose the performance (and often hardware support) it would entail. It's also lacking a lot of the platform management linux systems have (package management stone ages - you won't have fun upgrading it).

It's great for critical systems, though. It's just the majority of the time I'm not willing to give up the niceties I would have to.

If you are primarily a web developer who knows nothing about BSD, I don't think you want to choose BSD for security reasons. The underlying OS might be more hardened, but if you don't know the system and applications as well as you know in linux, it's more likely you'll have a configuration error that opens a gaping security hole.

For instance, the default mail system in FreeBSD is still sendmail (https://www.freebsd.org/doc/handbook/sendmail.html). It's pretty easy to accidentally configure it as an open relay, even if you mostly know what you're doing. Until 10, BIND was the default DNS server (https://www.freebsd.org/doc/handbook/network-dns.html), which has the same kinds of configuration problems.

Interesting read! Thanks.

