Submitted by “We are pleased to announce the official release of OpenBSD 4.0. This is our 20th release on CD-ROM (and 21st via FTP). We remain proud of OpenBSD’s record of ten years with only a single remote hole in the default install. As in our previous releases, 4.0 provides significant improvements, including new features, in nearly all areas of the system.” More here. Update: First review here.
OpenBSD 4.0 Released
About The Author
Eugenia Loli
Ex-programmer, ex-editor in chief at OSAlert.com, now a visual artist/filmmaker.
Follow me on Twitter @EugeniaLoli
Another great release from a grandiose of an operating system.
Anyone know how the Absolute OpenBSD book is? Is it as good as all the Amazon reviews say it is?
Yes, <> is an excellent book!
Don’t expect to find in it how to configure your X, but you will find in depth info on the Packet Filter instead.
Here’s how you can get it cheaper than from Amazon.com (Amazon: $28.36 + shipping; my trick: $21.00 + shipping; list price: $39.95 + shipping): http://beranger.org/index.php?article=1735
I just got it (the book) in my mail 2 days ago, and I’m happy with it
Print a copy of the Errata though: http://www.absoluteopenbsd.com/errata.html
Don’t expect to find in it how to configure your X, but you will find in depth info on the Packet Filter instead.
Piece a cake:http://www.openbsdsupport.org/gnome-GDM.html
I is an alright book, however, it is a book made for OpenBSD 3.4, not really up to date anymore. That’s three years of change from 3.4 to 4.0.
Anyone know how the Absolute OpenBSD book is?
It is certainly a well written, excellent book. However, the book was released in June, 2003, and it is thus starting to show its age as OpenBSD has, of course, developed a lot since that (some parts of the installation and package management etc.). As far as I know, there is no new updated edition of the book being planned at least yet?
I thought the book was pretty good. But as others have said, it’s a bit outdated by now. I have several hand written notes in my own book that reflect new information.
For example, on page 88, in the Date section the book says “OpenBSD supports programs such as xntpd(8) and ntpdate(8), but does not include them by default.” I wrote a note in the margin of that section that says “As of OpenBSD 3.6, OpenNTPD was made part of the default install.”
Also, on pages 91 and 92, the book talks about editing the /etc/rc.conf file and never mentions /etc/rc.conf.local. So I made a note in the margin that says “It is advisable to leave the /etc/rc.conf file untouched, and instead create and edit a new /etc/rc.conf.local file. This is according to the rc.conf(8) man page.”
Those are just a couple of examples. One thing I also noticed about the book was that the author’s tone was a bit harsh at times; in my opinion at least. Prior to reading Absolute OpenBSD, I had read The Debian System, also by No Starch Press. The author of The Debian System had a more professional writing style in my opinion.
As an example, at one point in the Absolute OpenBSD book, the author says “The sudoers file tells sudo who may run which commands as which users. OpenBSD stores the sudoers file as /etc/sudoers. (If you’re using this section as a reference for the sudo system on another operating system, finding the sudoers file is your problem.)”
Finding the sudoers file is “my problem”? I can think of at least a half dozen different ways of writing that sentence without sounding like suck a dick. Like “If you’re using this section as a reference for the sudo system on another operating system, the sudoers file may be in another location.”
There are several instances throughout the book where the author shows a lack of class in his writing style.
blixel, I think those issues might not have so much to do with the author’s writing style not to mention lack of class, but, on the the contrary, he may have just tried to reflect what sort of a beast (not the easiest) OpenBSD could be for a novice OpenBSD operator.. As the author points OpenBSD is not a commercial OS that has a well paid support staff waiting there just to give help for novices, but a voluntary project of professional developers where users are indeeed expected to be able to understand lots of things by themselves, from the well written man pages etc. but often without as much handholding as with some other operating systems. Considering that, I found the book informative, and the author’s style pleasant and fitting too. I hope they will publish an updated version of the book later.
Don’t forget http://www.openbsd.org/orders.html as you may very well want to support the project by buying the CDs or a T-shirt.
If you want to enhance your geekness, you can’t go wrong with a T-shirt from OpenBSD.
As usual, you can find an unofficial – and of course unsupported by the OpenBSD dev team – i386 install ISO, and a short install guide (unfortunately just in hungarian language) at the Hungarian Unix Portal.
URL:
http://hup.hu/node/31322
They’ve been saying that for years. And it certainly is impressive. Of course the default install is not the only part of the system, but OpenBSD realises that and also partly protects non-base applications and users on the OpenBSD platform. For example, by randomization of certain stacks and applying cryptography.
I wonder, however, what happens if a remote hole is found. I suppose it will become really quiet for at least several years
I don’t know when the hole was found, but they would probably count the new hole and cut the years, so that they could say “only one remote hole in the default install in 5 years” or something.
>I wonder, however, what happens if a remote hole is found.
Then there will be two remote holes for years
It’s a really open system, so there is nothing to hide from the user. Keep up the good work Theo
Release Date: 2006-10-12
Secunia Advisory ID: SA22352
Impact: DoS, System access
Where: From remote
Short Description:
OpenBSD has issued an update for OpenSSH. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
First entry here –> http://secunia.com/product/100/?task=advisories
That’s one I guess, But there’s more…
Release Date: 2005-05-19
Secunia Advisory ID: SA15417
Impact: DoS
Where: From remote
Short Description:
A vulnerability has been reported in OpenBSD, which can be exploited by malicious people to cause a DoS (Denial of Service) on active TCP sessions.
Release Date: 2004-03-09
Secunia Advisory ID: SA11074
Impact: DoS
Where: From remote
Short Description:
OpenBSD has issued a patch, which fixes a vulnerability allowing malicious people to cause a DoS.
Release Date: 2003-09-17
Secunia Advisory ID: SA9746
Impact: DoS, System access
Where: From remote
Short Description:
OpenBSD has issued a patch for ssh. This fix a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
So it’s “only one remote root exploit in the default install in the last month”. Or maybe their trick is the “default install” part.
Maybe you need search and learn something about the subject you just copy-paste to your comment.We all value that!
note:In your link there is a comment (that you don’t saw) that say this: “Vendor OpenBSD
Product Link View Here (Link to external site)
Affected By 76 Secunia advisories
Unpatched 0% (0 of 76 Secunia advisories)
Most Critical Unpatched
There are no unpatched Secunia advisories affecting this product, when all vendor patches are applied.”
Edited 2006-11-01 11:59
They state “Only one remote hole in the default install, in more than 10 years!” (openbsd.org).
Thank G-d they at least patched all the vulnerabilities, but my point was that there were a lot more than one “remote holes” in the default install.
Maybe you should read my comment you reply to. I would value that.
> Or maybe their trick is the “default install” part.
The “trick” is the default install bit, and I think that it is a fair one. OpenBSD assumes that the user knows what they are doing, so the user will look up security advisories prior to installing software or enabling a service. They also assume that the user will keep track of new advisories that pop up due to that modification to the default install.
IMHO, that is much better than the practice with most operating systems where a bunch of software is installed and a bunch of services are enabled at default — almost regardless of their history. That means that the sysadmin cannot really trust the base install and it means that they have a lot more work to do to tie down their system because they have to find out which software is installed and which services are enabled in order to track those security advisories more carefully (more work).
Doesn’t OpenBSD come with OpenSSH enabled by default? Did you even look at that link?
This is right from the securina advisory.
Impact: DoS
System access
OpenBSD has issued an update for OpenSSH. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Is that not a remote root exploit?
Is that not a remote root exploit?
Not in the default install (GSSAPI is not normally enabled). There’s also no evidence that this attack vector actually works. More detail: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051
Edited 2006-11-01 15:54
Yes it was a remote root exploit.
Lack of published exploit code doesn’t mean the bad guys don’t have it. In fact it means they used it and are afraid to go public.
It’s correct to call it “unconfirmed”, but all that means is the cracker needs to acquire the exploit informally (almost always the case anyway), or write his own (not quite trivial in this case)…
You only posted Denial of Service vulnerabilities. It’s a bit of a stretch to call those remote “holes”. Those vulernerabilities do not allow access to the system.
From the article:
The only complaint that I ever see people raise about OpenBSD is that it doesn’t perform as well as Solaris or GNU/Linux when under heavy load. With high-performance computer hardware so inexpensively available these days, however, I can’t understand why anyone who has a choice would go with anything other than OpenBSD for a Web, FTP, email, directory, or NFS server.
I’d say this comment is slightly misguided. Throwing high performance hardware at a software performance problem isn’t necessarily going to give big gains. For example, if the SMP scalability isn’t very good (and I seem to recall OBSD being limited in this in the past) then adding extra cores to a system will result in a large fraction of your extra power being wasted.
I’m just pointing out that software performance isn’t completely solved by hardware improvements, at least not if the software works against the effect of more/faster CPUs. It’s right and proper for OpenBSD to focus first on things other than performance, though, and as long as the system isn’t going to be encountering extremely large loads I’m sure it makes an excellent server. If you want the absolute peak of efficiency, you can use something else and forgo the unique features of OBSD.
One of the major issues I have with OpenBSD is that is quite difficutl to upgrade a remote server compared to a Debian-based distro such as Ubuntu. I would very much like to see more work being done on the *BSDs to make remote servers easier to update and upgrade. With more and more companies and organisations using colocation services, easy remote management of servers is a must have.
One of the major issues I have with OpenBSD is that is quite difficutl to upgrade a remote server compared to a Debian-based distro such as Ubuntu. I would very much like to see more work being done on the *BSDs to make remote servers easier to update and upgrade. With more and more companies and organisations using colocation services, easy remote management of servers is a must have.
ummm, cvsup the source, build world, merge in some config changes and you’re done. What’s so hard about that? If you have a decently designed server farm you can run this out on some test boxes, make sures it’s stable and then run a job on the rest of the servers.
How about the part of having to boot into single user mode? That kind off kills off any chance of performing a remote install if I’m not mistaken.
is if the zaurus distro was on the cd’s… I mean sure my zaurus doesnt have a cd rom drive, but I get so impatient waiting to download from ftp
Well, Michael W. Lucas is rather proud to be lazy (and unresponsive to e-mails), so I don’t think there will be any updated edition soon.
blixel, have you tried to submit your notes to [email protected]? If Michael W. Lucas is not updating the Errata, low chances that he will update the book.
OTOH, I also have ‘The Debian System’ too. While it is very pleasant to read, it’s thinner in tricky info. It was pleasant to read it as a fan of Debian, but there is not very much I could find there that I didn’t know already.
As it’s some time since I haven’t used FreeBSD and NetBSD, and OpenBSD is much more conservative than those two, having at hand ‘Absolute OpenBSD’ is very reassuring
An update would be however useful, as OpenBSD 4.0 brought quite some changes to the network, and a book from 2003… cough.
Nevertheless, ‘Absolute OpenBSD’ is _the_ OpenBSD book, the same way ‘Slackware Essentials 2nd/ed’ is still _the_ reference for slack newbies.
> I can think of at least a half dozen different ways of writing that sentence without sounding like suck a dick.
I suppose that’s a Freudian Lip?