DaemonForums  

  #1   (View Single Post)  
Old 25th May 2010
bettyblue bettyblue is offline
New User
 
Join Date: May 2010
Posts: 4
Thanked 0 Times in 0 Posts
Post Security by default

Hi all,

Can anyone explain these features to me:

# strlcpy() and strlcat()
# Memory protection purify

* W^X
* .rodata segment
* Guard pages
* Randomized malloc()
* Randomized mmap()
* atexit() and stdio protection

# Privilege separation
# Privilege revocation
# Chroot jailing
# New uids
# ProPolice

because I don't understand them very well from the official site.

Best regards.
  #2   (View Single Post)  
Old 25th May 2010
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Helpful companion
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts
Default

This is complicated to answer; several papers exist which explain the security features implemented in OpenBSD.

The developer Matthieu Herrb wrote one such paper for h2k9; it's listed at http://www.openbsd.org/papers/.

A Wikipedia article also exists, but make sure you follow the references, as you have quite a lot of reading to do.

http://en.wikipedia.org/wiki/OpenBSD_security_features
  #3   (View Single Post)  
Old 26th May 2010
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 2,873
Thanked 190 Times in 160 Posts
Default

Quote:
Originally Posted by bettyblue
Can anyone explain these features to me...
Welcome.

The OpenBSD project is small. The target audience for the operating system is the project developers themselves. They just happen to make all source code open to anyone to do as they please (as long as copyright notices are preserved). The project does not have an extensive support structure in place, so users of the operating system are expected to be able to find their own answers. While many may interpret this to mean that Google is the solution to all problems, it is not. Having knowledge of what documentation the project makes available, & taking the time to study it in earnest marks successful users. As someone new to OpenBSD, you should study the project's official FAQ & official mailing list archives for answers to your questions. Understanding OpenBSD means understanding its culture. All conversation on technical matters quickly turns to the most authoritative source held by the project -- its manpages.

As noted earlier, your questions are very open-ended. Given that this is your first message at this site, we do not know what your background is or your understanding of the Unix world & way of thinking. Consequently, I will give short answers to most of your questions. This may or may not be sufficient for your needs. You are invited to respond with more specific questions, but be forewarned that you should do your homework first. Study the information provided. Read through the FAQ. Doing anything less is short-changing yourself & your troubleshooting abilities. You are also invited to read the following thread which gives information on how to ask effective questions:

http://www.daemonforums.org/showthread.php?t=596

Quote:
# strlcpy() and strlcat()
Study the manpages -- strlcpy(3) & strlcat(3).
Quote:
# Chroot jailing
OpenBSD does not support jails in the FreeBSD sense. The extent of chroot can be found by studying the manpage -- chroot(8).
Quote:
* .rodata segment
This is a segment defined at the assembly language level containing read-only information. For more information, look at the general article found at Wikipedia:

http://en.wikipedia.org/wiki/Data_segment
Quote:
# Memory protection purify

* W^X
* Guard pages
* Randomized malloc()
* Randomized mmap()
* atexit() and stdio protection

# Privilege separation
# Privilege revocation
# New uids
# ProPolice
The project's leader, Theo de Raadt, gave a talk in 2004 which covers most of these items. The slides are available, & you should take the time to study them:

http://www.openbsd.org/papers/auug04/index.html

Again, follow-up questions are encouraged, but you will be doing yourself a favor by taking the time to study the information provided first.
Reply With Quote
  #4   (View Single Post)  
Old 30th May 2010
bettyblue bettyblue is offline
New User
 
Join Date: May 2010
Posts: 4
Thanked 0 Times in 0 Posts
Default

Thank you so much for the info ocicat and BSDfan666.

I am an OpenBSD sysadmin. I have used OpenBSD for many years but never researched these security features, so thanks again for the info.

If anyone has more examples or papers, they are welcome.

Best regards
  #5   (View Single Post)  
Old 30th May 2010
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,610
Thanked 214 Times in 189 Posts
Default

http://www.openbsd.org/papers/