DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 24th February 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Default non-journaled filesystems on liveusb media

Hi everyone !!!

A question :
Some would argue that on usbs , the best filesystem to use is non-journaled .. fat32 or ext2 .. as less writing is imposed on the usb fragile sectors .. then this would extend the life of the medium ..

* is this true ?
* are there any security-risk consequences ?

maybe this third question is off-topic ,

* slax can be installed on usbs using either linux filesystems or fat32 ..
can I install *BSD on a fat32 formatted usb ?
maybe to let it be accessible as thumb drive when used elsewhere unix machines .. for instance ..
* in this case .. is there a way to secure access to it ?

Million Thanks to everyone sharing knowledge ..
Reply With Quote
  #2   (View Single Post)  
Old 24th February 2012
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by daemonfowl View Post
Some would argue that on usbs , the best filesystem to use is non-journaled .. fat32 or ext2 .. as less writing is imposed on the usb fragile sectors .. then this would extend the life of the medium ..
Two thoughts:
  • When flash devices first came to market, writing could be done to some sectors more than others, thus they could be "prematurely" worn out relative to all memory on the device. Most recent flash memory has wear-leveling algorithms implemented such that writes are more evenly distributed throughout what memory is available. This is a frequent question on misc@, & the general consensus is that the gymnastics some go through to prolong the life of CF cards isn't really worth the effort.
  • A 4GB flash drive cost me ~$5.00US this past week. Is it really worth it to bother with trying to preserve it? If the data is important, it should be backed up just like any other storage device anyways.
Quote:
are there any security-risk consequences ?
The general rule is if the bad guys have physical access to any storage device, they will in time have access to any data on it.
Quote:
is there a way to secure access to it ?
Look at the -c switch to bioctl(8). However, if the bad guys have stolen a flash drive, laptop, etc., encryption will only slow them down. You should assume the worst suspecting they will have access to the data if they really want it.
Quote:
can I install *BSD on a fat32 formatted usb ?
daemonfowl, since you have installed OpenBSD lately on multiple machines, do you recall whether you could change the default FFS filesystem on the boot partition? Studying Section 4 of the FAQ is not only allowed, it is highly recommended.
Reply With Quote
  #3   (View Single Post)  
Old 24th February 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Default

Thanks Ocicat .. I was a bit ambiguous in the last question .. rephrasing :
How can I install some BSD flavor on a fat32 formatted usb flash using fat32 rather than ffs .. the way I once did with slax ?
I read the 4th section and still can't figure out what you meant by "change default FFS filesystem on the boot partition" .. do you mean setting / read only ?
once again sorry for being ambigious .. what I meant by security-risk .. not physically possessing the device .. but on the network .. since to msdos filesystem .. *Nixes can access +rw .. unlike with ffs .. so the issue is penetrating and not only being able to read content where no cryptography is used .. so the question is : how then (presumming that it's possible to use OpenBSD the slax-way) can I deny bad guys from compromising the system ? while still it is +rw fat32 ..
maybe the whole thing is impossible and that I am forcing "something-slax" on OpenBSD to adopt ..
Reply With Quote
  #4   (View Single Post)  
Old 24th February 2012
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by daemonfowl View Post
How can I install some BSD flavor on a fat32 formatted usb flash using fat32 rather than ffs ..
I don't know about the other *BSD family members, but for OpenBSD, I will repeat again. During installation, are you offered a choice of what underlying filesystem is used? The answer is still in Section 4 of the FAQ.
Reply With Quote
  #5   (View Single Post)  
Old 24th February 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Default

it seems odd .. what subsecion in section 4 please ?

Last edited by daemonfowl; 24th February 2012 at 10:27 AM.
Reply With Quote
  #6   (View Single Post)  
Old 24th February 2012
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by daemonfowl View Post
it seems odd .. what subsecion in section 4 please ?
What questions are asked during installation? Do any of these questions give you a choice about filesystems?
Reply With Quote
  #7   (View Single Post)  
Old 24th February 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Default

you mean I can choose some other filesystem instead of default 4.2BSD when setting up disks?
never thought this is possible ..
Reply With Quote
  #8   (View Single Post)  
Old 25th February 2012
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by daemonfowl View Post
you mean I can choose some other filesystem instead of default 4.2BSD when setting up disks?
never thought this is possible ..
You're right!

For bonus points, you will find that installation will ensure there is one MBR partition of type A6 before the operating system can be installed. Therefore, while OpenBSD can access filesystems other than FFS, it must boot on FFS.

Now, going back to your original question (which are really two questions...):
Quote:
can I install *BSD on a fat32 formatted usb ?
  • OpenBSD can be installed on USB drives. These USB devices can be originally formatted as FAT32.
  • However after installation, either the entire drive (as a single MBR partition...) will be converted to FFS, or at least one MBR partition on the USB drive will be converted to FFS.
You may then ask "Well, Slax can be installed on FAT32 (which I haven't confirmed, but I assume you are correct...), why can't OpenBSD?"

I suspect that it is possible, but I would guess no developer finds booting onto FAT32 to be useful enough to actually do the work. OpenBSD supports over a dozen hardware platforms. Staying generic is far more important, but that is simply an opinion.

Last edited by ocicat; 25th February 2012 at 12:24 AM.
Reply With Quote
  #9   (View Single Post)  
Old 25th February 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Default

My friend .. you seem to have been missing my point ... I've never had problems dafault-installing openbsd/netbsd on usb sticks .. I have NetBSD 6.beta on a 16g usb .. an 8g openbsd flash .. & 4g miscroSD card with Netbsd 5.1 .. but all with FFS ..
What I was wondering , is OpenBSD as flexible as slax to accept being installed on fat32 formatted usbs .. I mean : literally departing from ffs to reside on msdosfs .. maybe foolish on my part .. sorry then .. I just hope .. you remember that old FatLinux (Linux is happy with Fat) .. so will OpenBSD too be happy with fat32 .. it was an old opportunity to discover linux .. ya .. :-) ..
Reply With Quote
Old 25th February 2012
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by daemonfowl View Post
What I was wondering , is OpenBSD as flexible as slax to accept being installed on win3 formatted usbs ..
I have already answered this question.
Quote:
Originally Posted by ocicat
  • OpenBSD can be installed on USB drives. These USB devices can be originally formatted as FAT32.
  • However after installation, either the entire drive (as a single MBR partition...) will be converted to FFS, or at least one MBR partition on the USB drive will be converted to FFS.
No, OpenBSD does not duplicate this feature you report Slax supporting.
Reply With Quote
Old 25th February 2012
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

FAT for reducing write load:

1. Is FAT an option? No.

2. Would FAT, being non-journaled, add value? No. FFS is not journaled, either.

3. Would FAT be a good choice? No. FAT lacks the capability to have sockets, device nodes, hard and symbolic links, and access controls.

Solid state devices and write I/O

1. Do I need to worry about reducing write load? No. Not with devices that have wear leveling capability. Several wear leveling technologies are in common use and should be a standard capability of all solid state storage devices marketed within the last seven or eight years.

2. Is wear leveling a physical security risk, since a write may not actually overlay a sector? There is a risk, yes. It is similar to the risk that sectors marked bad on a modern magnetic hard drives might be readable in a laboratory, though the drive electronics will not read them and an OS has no access.

Network Security

1. Are there any special concerns about network users with access to USB devices? No. On OpenBSD, USB mass storage devices are treated as any other disk drive. Access is controlled through a blend of mount options and filesystem access controls, which the admin is responsible for managing. Bad management can have security implications, but this is no different than any other disk device.

Portable Devices and Portable Media

1. Should I treat laptops, netbooks, smartphones, digital cameras, external drives, USB sticks, SD cards, XD cards, diskettes, Compact Flash cards, CDs, DVDs, and Blue-Ray discs containing personal or private information as if they have the same sorts of physical security requirements? Yes.

2. Is there network security I should be especially concerned about when traveling with portable computing systems -- netbooks, smartphones, tablets, laptops? Yes. Network connections may provide information in-the-clear or even attack vectors against your systems, servers, and applications.

3. What about a read-only device -- so that I keep no personal or confidential information on it? For example, traveling with a LiveCD or LiveUSB, or a "clean" netbook with nothing on it but a freshly installed OS. You must still be cognizant of network connections you make, the security of the services you access, and any local information caches. You must know what local information might be written by a "live" environment, such as swap partitions and temporary file stores.

4. There's a lot to think about. Can I learn all I need to know from this forum? Yes, there is a lot to think about, and learn. Unfortunately, no, this forum will never be able to teach you everything you need to know. Like the universe, the knowledge you need to make informed decisions is ever expanding. Also, this forum is focused on a very small segment of the wide world of information security. And information security is an ever changing world, with new threats and new mitigations appearing constantly.

2. Should I encrypt personal or private information? That is up to you, and your personal or business requirements. It may also have legal implications for you, depending upon where you are and where you travel.
Reply With Quote
Old 25th February 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Default

shame on me .. it's faq 14 .. it high time I slow down pace .. and take time to read , and reread enough .. before troubling you ..
what a bad feeling ..
sorry @Jgimmi
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Sterilization of downloaded/mounted media/drives/filesystems jackthechemist OpenBSD Security 5 27th December 2010 07:05 PM
OpenBSD livecd/liveusb/combo persistent? Noobification OpenBSD General 5 28th October 2010 12:22 PM
Partitioning the LiveUSB drives. IronForge OpenBSD Installation and Upgrading 6 29th August 2010 10:27 PM
OpenBSD LiveUSB Oko OpenBSD Installation and Upgrading 3 12th May 2009 03:24 AM
Need help with mounting filesystems Mr-Biscuit FreeBSD General 2 11th September 2008 08:29 AM


All times are GMT. The time now is 07:41 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick