OpenBSD Journal

Syndicated content from OpenBSD Journal
The OpenBSD Community.
Updated: 47 minutes 54 seconds ago

Reminder: Early registration for EuroBSDcon 2016 ends Aug 24

Wed, 2016-08-24 06:46

EuroBSDcon 2016 (see earlier article) is on from 22 to 25 September 2016, in Belgrade, Serbia.

Early registration ends 2016-08-24 23:59 CEST, so get in now for discounted prices on great (Open)BSD talks and tutorials!

Categories: *BSD

SNI support added to libtls, httpd in -current

Tue, 2016-08-23 02:31

Joel Sing (jsing@) has added server-side Server Name Indication (SNI) support to libtls and, based on that, to httpd.

Read more...
Categories: *BSD

tmpfs on its last legs

Fri, 2016-08-12 05:12

As a result of an apparent lack of maintenance, Theo de Raadt has disabled tmpfs.

CVSROOT:    /cvs
Module name:    src
Changes by: deraadt@cvs.openbsd.org 2016/07/25 13:52:56

Modified files:
    sys/conf       : GENERIC

Log message:
disable tmpfs because it receives zero maintenance.

Categories: *BSD

n2k16 hackathon report: guenther@ on RELRO support in binutils and arch specific cleanup

Fri, 2016-08-12 05:10
Our next report comes from Philip Guenther, who writes,

I don't actually do much hacking in the network stack. I've done some fixes and cleanup in the syscall/ioctl layers, but otherwise I stay out of sys/net*, so what was I doing at n2k16? Read more...

Categories: *BSD

n2k16 hackathon report: Ken Westerback on dhclient, bridges, routing and more

Tue, 2016-08-02 18:31
Our next report comes from Ken Westerback (krw@), who writes,

Surprise upgrade to Business! Yay! Bumped by a paying customer to a seat with a non-functional entertainment unit. Boo. Running the length of Frankfurt airport to meet Theo's flight in time. Yay! No Theo. Boo. I can still meet the ANZAC contingent in Prague to share trip downtown. Yay! They walk right past me even with my UQ hat on. Boo. Yet Another Hackathon Travel Adventure. Read more...

Categories: *BSD

EuroBSDCon 2016 schedule has been released

Thu, 2016-07-28 11:45
The EuroBSDCon 2016 talks and schedule have been released, and oh are we in for a treat!

All three major BSDs have a "how we made the network go fast" talk, nearly every single timeslot has a networking-related talk, and most of the non-networking talks look fantastic as well.

The OpenBSD related talks are:

  • Embracing the BSD routing table - mpi@
  • rc.d(8) on OpenBSD - ajacoutot@
  • OpenBSD meets 802.11n - stsp@
  • OpenBSD: pf+rdomains create splendid multi-tenancy firewalls - Philipp Buehler (formerly known as pb@)
  • Dropping in 80Gbits (hopefully) of stateful firewalling capacity with PF and OpenOSPFd - Gareth Llewellyn
  • What we learnt from natively building packages on exotic archs - landry@
  • Bidirectional Forwarding Detection (BFD) implementation and support in OpenBSD - phessler@
  • Retrofitting privsep into ports tools - espie@
  • Why and how you ought to keep multibyte character support simple - ingo@

And an OpenBSD-related tutorial is:

  • OpenBSD: Building a test-environment for multi-tenancy firewalls - Philipp Buehler

We're very excited about this year's EuroBSDCon; it looks to be a fantastic one. Register Now!

Categories: *BSD

OpenBSD 6.0 pre-orders up

Wed, 2016-07-27 15:42
Pre-orders for the 6.0 CD sets have just been activated.

In addition, one of the six release songs has been released early.
There will be another compilation CD titled "The songs 5.2 - 6.0" alongside the release.

Head on over to the OpenBSD Store to pick up your CD set, poster, or both!

This release has some of the coolest artwork yet.

Categories: *BSD

OpenBSD 6.0 to be released September 1, 2016

Mon, 2016-07-25 12:08

Theo de Raadt (deraadt@) has updated the (in-progress) OpenBSD 6.0 release page to indicate that the release will occur earlier than is usual:

CVSROOT:    /cvs
Module name:    www
Changes by: deraadt@cvs.openbsd.org 2016/07/23 08:18:28

Modified files:
    .              : 60.html

Log message:
the 6.0 release date will come as a surprise

Categories: *BSD

n2k16 hackathon report: Stefan Sperling on dhclient bugs, iwm(4) issues

Mon, 2016-07-25 11:51
The first report from the just-concluded n2k16 hackathon comes from Stefan Sperling, who writes:

Because this network hackathon was scheduled very close to the 6.0 release I focused my efforts on fixing bugs.

The first bug I encountered was that dhclient no longer works if DHCP return traffic has to pass through a bridge, and the member interface which receives the DHCP return traffic also has a dhclient instance running on it: Read more...

Categories: *BSD

usermount being removed from OpenBSD

Fri, 2016-07-15 14:37

The facility for allowing non-root users to mount file systems has been removed from OpenBSD-current due to security concerns.

Specifically, the value of kern.usermount (as described in the mount(8) and sysctl(3) man pages) will be ignored in OpenBSD 6.0, and the kern.usermount system variable will be absent from later releases.

Theo de Raadt (deraadt@) committed the change:

CVSROOT:    /cvs
Module name:    src
Changes by: deraadt@cvs.openbsd.org 2016/07/14 09:39:40

Modified files:
    sys/kern       : vfs_syscalls.c kern_sysctl.c

Log message:
kern.usermount=1 is unsafe for everyone, since it allows any non-pledged
program to call the mount/umount system calls. There is no way any user
can be expected to keep their system safe / reliable with this feature.
Ignore setting to =1, and after release we'll delete the sysctl entirely.
ok lots of people

Read more...

Categories: *BSD

Errata and patches released!

Fri, 2016-07-15 09:56
Now would be a good time to check http://www.openbsd.org/errata59.html, as a number of patches related to reliability and security have been released, listed below.

This appears to be in response to fuzz testing as documented further in this mailing list archive: http://marc.info/?l=oss-security&m=146853062403622&w=2

Tim Newsham and Jesse Hertz of NCC Group appear to have done most of the research related to these discoveries so far, and I know at least one of them has had patches committed to the OpenBSD project in the past, so it is nice to see continual collaboration from professional researchers contributing back to the project! Again, please check http://www.openbsd.org/errata59.html for links to source code patches to address these issues. Excerpted summaries of the issues discovered:

013: RELIABILITY FIX: July 14, 2016   All architectures
Splicing sockets in a loop could cause a kernel spin.

014: RELIABILITY FIX: July 14, 2016   All architectures
Multiple processes exiting with a fd-passing control message on a shared socket could crash the system.

015: RELIABILITY FIX: July 14, 2016   All architectures
ufs_readdir failed to limit size of memory allocation, leading to panics.

016: SECURITY FIX: July 14, 2016   All architectures
The mmap extension __MAP_NOFAULT could overcommit resources and crash the system.

017: RELIABILITY FIX: July 14, 2016   All architectures
A race occurring in the unlocked ARP input path can lead to a kernel NULL dereference.

018: RELIABILITY FIX: July 14, 2016   All architectures
Tick counting overflows could cause a kernel crash.

019: RELIABILITY FIX: July 14, 2016   All architectures
Invalid file descriptor use with kevent(2) could lead to a kernel crash.

020: RELIABILITY FIX: July 14, 2016   All architectures
Unchecked parameters and integer overflows in the amap allocation routines could cause malloc(9) to either not allocate enough memory, leading to memory corruption, or to trigger a "malloc: allocation too large" panic.

Categories: *BSD

mandoc-1.13.4 released

Thu, 2016-07-14 19:23
Ingo Schwarze wrote in about the new mandoc release,

From: Ingo Schwarze <schwarze@usta.de>
Date: Thu, 14 Jul 2016 16:48:20 +0200
To: discuss@mdocml.bsd.lv
Subject: mandoc-1.13.4 released

Hello,

mandoc = mdocml 1.13.4 is now publicly available from <http://mdocml.bsd.lv/>.

After more than a year of development since 1.13.3, this is a regular maintenance release, fixing many bugs. This release contains almost the same mandoc code as the upcoming OpenBSD 6.0 release. Upgrading is recommended for all downstream projects.

Read more...

Categories: *BSD

BSDCan 2016 Presentations Online

Fri, 2016-06-17 15:57
The BSDCan 2016 conference in Ottawa has just concluded, with a number of OpenBSD-themed talks. These are the talks by OpenBSD developers:

Reyk Flöter: An OpenFlow implementation for OpenBSD - Introducing switchd(8) and more about SDN (slides)

Henning Brauer: Running an ISP on OpenBSD - Why OpenBSD and several uncommon uses of it (slides)

Peter Hessler: Bidirectional Forwarding Detection (BFD) implementation and support in OpenBSD. Or: A new protocol actually did improve our routing. (slides)

Mike Belopuhov: Implementation of Xen PVHVM drivers in OpenBSD (slides)

Antoine Jacoutot: OpenBSD rc.d(8) (slides)

Sebastian Benoit: Opensource Routing - Running an enterprise network on OpenBSD (slides)

In addition, two OpenBSD-centric tutorials were offered by people who are not themselves OpenBSD developers:

Peter Hansteen: Building The Network You Need With PF, The OpenBSD Packet Filter (slides)

Aaron Poffenberger: OpenSMTPD for the Real World (slides)

Categories: *BSD

Understanding the modernization of the OpenBSD network stack, part 1: ART single thread performance

Fri, 2016-06-17 15:53
Martin Pieuchot (mpi@) wrote in, saying

OpenBSD network developers are doing some great work at modernizing and improving the network stack. But even if you're following tech@, it might be tricky to understand what's going on. Read more...

Categories: *BSD

ARMv7 now has a bootloader

Sun, 2016-05-29 17:41
Progress on the armv7 platform continues, and Jonathan Gray writes in to the arm@ mailing list with some promising news:

There is now a bootloader for armv7 thanks to kettenis@. Recent armv7 snapshots will configure disks to use efiboot and install device tree dtb files on a fat partition at the start of the disk.

u-boot kernel images are no longer part of the release but can still be built for the time being. We are going to start assuming the kernel has been loaded with a dtb file to describe the hardware sometime soon. Those doing new installs can ignore the details but here they are. Read more...

Categories: *BSD

W^X now mandatory in OpenBSD

Sat, 2016-05-28 00:27
Traditional Unix has allowed memory to be mapped W | X. Everyone now knows that's a bad practice from a security standpoint, but the software ecosystem hasn't made much progress in this area. Theo de Raadt has just committed a change to begin blocking W^X violations in OpenBSD.

CVSROOT:    /cvs
Module name:    src
Changes by: deraadt@cvs.openbsd.org 2016/05/27 13:45:04

Modified files:
    lib/libc/sys   : mmap.2 mount.2 mprotect.2
    sbin/mount     : mntopts.h mount.8 mount.c
    sbin/mount_ffs : mount_ffs.c
    sbin/mount_nfs : mount_nfs.c
    sys/kern       : kern_sysctl.c vfs_syscalls.c
    sys/sys        : mount.h sysctl.h
    sys/uvm        : uvm_mmap.c
    usr.sbin/pstat : pstat.c

Log message:
W^X violations are no longer permitted by default. A kernel log message
is generated, and mprotect/mmap return ENOTSUP. If the sysctl(8) flag
kern.wxabort is set then a SIGABRT occurs instead, for gdb use or
coredump creation.

W^X violating programs can be permitted on a ffs/nfs filesystem-basis,
using the "wxallowed" mount option. One day far in the future upstream
software developers will understand that W^X violations are a
tremendously risky practice and that style of programming will be
banished outright. Until then, we recommend most users need to use the
wxallowed option on their /usr/local filesystem. At least your other
filesystems don't permit such programs.

Read more...

Categories: *BSD

Privilege Separation and Pledge (video)

Wed, 2016-05-25 15:34
This year's dotSecurity conference featured a presentation from OpenBSD founder Theo de Raadt, titled "Privilege Separation and Pledge."

The video is now available here, in addition to the slides.

Categories: *BSD

p2k16 Hackathon Report: pirofti@ on octeon and TPM

Thu, 2016-05-19 13:27
The next hackathon report comes from Paul Irofti, who writes:

This was probably the shortest hackathon I attended. The 4 days flew by and I realised we have to pack and go with nothing to show for.

My usual hackathon work flow is: waste 3-4 days trying to figure how some device works, and then polish the driver(s) for the remaining days while congratulating myself with coffee, Günther and beer. Read more...

Categories: *BSD

p2k16 Hackathon Report: jasper@ on gnome, puppet and more

Tue, 2016-05-17 14:37
Our next report comes from Jasper Lievisse Adriaanse, who writes:

Hackathons have long since had two themes for me, gnomes and puppets. However this hackathon I actually didn't want to play with puppets for once, yet I ended up importing Puppet 4 after all. More on that later. Read more...

Categories: *BSD

SROP mitigation committed

Thu, 2016-05-12 05:28
In a recent email, Theo de Raadt explains the SROP mitigation technique, a recent team effort.

This is the first demonstration of a mitigation against SROP.

Utilizing a trick from kbind(2), the kernel now only accepts signal returns from the PC address of the sigreturn(2) syscall in the signal trampoline. Since the signal trampoline page is randomly placed per process, it is only known by directly returning from a signal handler.

As well, the sigcontext provided to sigreturn(2) now contains a magic cookie constructed from a per-process cookie XOR'd against the address of the signal context. That part is similar to the LWN discussion mentioned above. I came to the same conclusion semi-independently as a result of Antoine's ports builds, which identified all the parts of the application software ecosystem I had to study. Woe is me!

Read more...

Categories: *BSD