item 45944988

hellcow | 3 months ago

I built my last company on OpenBSD. It was easy to understand the entire system, and secure-by-default (everything disabled) is the right posture for servers. Pledge and unveil worked brilliantly to restrict our Go processes to specific syscall sets and files. The firewall on OpenBSD is miles better to configure than iptables. I never had challenges upgrading them--they just kept working for years.

thomashabets2|3 months ago

Finally Linux has something that approaches pledge/unveil: landlock.

Seccomp was never actually usable: https://blog.habets.se/2022/03/seccomp-unsafe-at-any-speed.h...
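As an added illustration of the Landlock mechanism mentioned above (example code written for this thread, not the commenter's own, and not taken from any project), the block below builds a Landlock ruleset that handles every ABI v1 filesystem access right, grants only read and execute beneath one directory tree, and then applies it to the calling process with `landlock_restrict_self`. The function names `landlock_readonly`, `probe_create` and `probe_read` are hypothetical helpers invented for the example; the probe path under `/tmp` is a constructed sample. It assumes Linux kernel headers that ship `linux/landlock.h` (5.13 or later) and returns `-errno` rather than aborting when the running kernel has no Landlock, so the caller can decide whether a missing sandbox is fatal.

```c
/* Landlock example: make a process read-only on the filesystem (ABI v1 rights only). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* All filesystem access rights defined by Landlock ABI v1 (Linux 5.13). Listing only
 * these keeps the ruleset acceptable to every Landlock-capable kernel. */
#define FS_ALL_V1 (LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_WRITE_FILE |      \
                   LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR |      \
                   LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_REMOVE_FILE |  \
                   LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR |      \
                   LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK |      \
                   LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK |    \
                   LANDLOCK_ACCESS_FS_MAKE_SYM)

/* What we still allow beneath the chosen tree: reading files, listing dirs, executing. */
#define FS_READ (LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | \
                 LANDLOCK_ACCESS_FS_EXECUTE)

/* Hypothetical helper: restrict this process to read-only access beneath `tree`.
 * Every handled right not granted by a rule is denied, so writes anywhere fail
 * with EACCES afterwards. Returns 0 on success or -errno on failure; a kernel
 * without Landlock reports -ENOSYS or -EOPNOTSUPP. */
int landlock_readonly(const char *tree)
{
    /* Query the ABI version first; this is the documented way to detect support. */
    long abi = syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
    if (abi < 0)
        return -errno;

    struct landlock_ruleset_attr rs_attr = { .handled_access_fs = FS_ALL_V1 };
    int rs = (int)syscall(SYS_landlock_create_ruleset, &rs_attr, sizeof rs_attr, 0);
    if (rs < 0)
        return -errno;

    /* O_PATH is enough: Landlock only needs a reference to the directory. */
    int dir = open(tree, O_PATH | O_CLOEXEC);
    if (dir < 0) { int e = errno; close(rs); return -e; }

    struct landlock_path_beneath_attr pb = { .allowed_access = FS_READ, .parent_fd = dir };
    if (syscall(SYS_landlock_add_rule, rs, LANDLOCK_RULE_PATH_BENEATH, &pb, 0) != 0) {
        int e = errno; close(dir); close(rs); return -e;
    }
    close(dir);

    /* Required before restrict_self unless the caller has CAP_SYS_ADMIN. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) { int e = errno; close(rs); return -e; }
    if (syscall(SYS_landlock_restrict_self, rs, 0) != 0) { int e = errno; close(rs); return -e; }
    close(rs);
    return 0;
}

/* Hypothetical probe: try to create `path`; 0 if it worked (file removed again), else errno. */
int probe_create(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd < 0)
        return errno;
    close(fd);
    unlink(path);
    return 0;
}

/* Hypothetical probe: try to open `path` read-only; 0 on success, else errno. */
int probe_read(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    int r = landlock_readonly("/");
    if (r != 0) {
        fprintf(stderr, "landlock unavailable: %s\n", strerror(-r));
        return 1;
    }
    /* Constructed sample path; with the ruleset applied, creation fails with EACCES. */
    printf("create /tmp/landlock_example_probe: %s\n", strerror(probe_create("/tmp/landlock_example_probe")));
    printf("read /: %s\n", strerror(probe_read("/")));
    return 0;
}
```

Like pledge, the restriction is one-way and inherited by children, so it belongs at the point in startup where the process has opened everything it needs to write and is about to start handling untrusted input.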

shiomiru|3 months ago

> Seccomp was never actually usable

It's barely usable by itself but I don't think it's an inherent problem of seccomp-bpf, rather the lack of libc support. Surely the task of "determine which syscalls are used for feature X" belongs in the software that decides which syscalls to use for feature X.

In fact, Cosmopolitan libc implements pledge on Linux on top of seccomp-bpf: https://justine.lol/pledge/
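To show the seccomp-bpf building block that both the comment above and the linked pledge port rely on, here is an added example (written for this thread, not the commenter's code and not Cosmopolitan's implementation). It installs a classic BPF filter that first checks the audit architecture, then makes a fixed set of syscalls fail with `EPERM` while everything else passes. A real pledge is an allowlist; this is a denylist so the process keeps running and the effect can be observed in-process. The helpers `deny_syscalls`, `deny_socket_and_uname`, `probe_socket` and `probe_uname` are hypothetical names for this example, and it assumes x86_64 or aarch64 Linux with the usual kernel headers.

```c
/* seccomp-bpf example: deny a fixed set of syscalls with EPERM, allow the rest. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <unistd.h>

/* Syscall numbers only mean something for one ABI, so the filter must pin it. */
#if defined(__x86_64__)
#define EXAMPLE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EXAMPLE_ARCH AUDIT_ARCH_AARCH64
#else
#error "this example only knows the x86_64 and aarch64 audit arch values"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS            /* older headers only define SECCOMP_RET_KILL */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#define MAX_DENIED 32

/* Hypothetical helper: install a filter making each syscall number in `nrs` return
 * EPERM. Returns 0 on success, -1 with errno set otherwise. Irreversible for this
 * process and inherited across fork/exec. */
int deny_syscalls(const int *nrs, size_t n)
{
    if (n == 0 || n > MAX_DENIED) { errno = EINVAL; return -1; }

    struct sock_filter prog[MAX_DENIED + 6];
    size_t i = 0;

    /* 1. Kill the process if it is running under a foreign ABI (e.g. 32-bit compat). */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_ARCH, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);

    /* 2. Load the syscall number and compare it against each denied entry. A match
     *    jumps over the remaining comparisons and the ALLOW to the ERRNO return. */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++)
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                 (unsigned)nrs[k], (unsigned char)(n - k), 0);

    /* 3. Default: allow. Denied: fail the call with EPERM instead of killing. */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));

    struct sock_fprog fprog = { .len = (unsigned short)i, .filter = prog };

    /* NO_NEW_PRIVS is mandatory for unprivileged seccomp and stops setuid escapes. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0)
        return -1;
    return 0;
}

/* Hypothetical convenience wrapper used by main and the checks below. */
int deny_socket_and_uname(void)
{
    const int denied[] = { SYS_socket, SYS_uname };
    return deny_syscalls(denied, sizeof denied / sizeof denied[0]);
}

/* Probes: 0 if the syscall succeeded, otherwise the errno it produced. */
int probe_socket(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int probe_uname(void)
{
    struct utsname u;
    return uname(&u) == 0 ? 0 : errno;
}

int main(void)
{
    if (deny_socket_and_uname() != 0) {
        perror("deny_syscalls");
        return 1;
    }
    printf("socket(): %s\n", strerror(probe_socket()));
    printf("uname():  %s\n", strerror(probe_uname()));
    return 0;
}
```

The part that makes pledge hard to reproduce is not the filter itself but the `nrs` list: which syscalls glibc or musl will issue for "stdio" or "inet" is a property of the libc build, which is exactly the point being made above about where that knowledge ought to live.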

pjmlp|3 months ago

Seccomp is heavily used on Android.

hulitu|3 months ago

Linux is far too bloated to be run as a secure system and the attack surface of any linux distro, due to the number of kernel modules loaded by default, is very big.

sedawkgrep|3 months ago

> The firewall on OpenBSD is miles better to configure than iptables.

That's understating the matter by a huge amount.

pf is easier to read and understand, easier to adjust, more dynamic, and works like every other firewall in the world not based on iptables.

thomashabets2|3 months ago

Seems a bit subjective. I find iptables much easier to work with.

But then again I've not run iptables for years. nftables has many benefits.

tasn|3 months ago

iptables is indeed horrid, but Linux has nftables nowadays, which is much nicer and easier to configure.

jorvi|3 months ago

> I built my last company on OpenBSD. It was easy to understand the entire system, and secure-by-default (everything disabled) is the right posture for servers.

That really depends. You could argue a router is a server. OpenWRT has the default of WiFi off for security, which means that if the config is somehow hosed and you have to hard reset the router, you now have an inaccessible brick unless you happen to have a USB-Ethernet adapter on you.

Sensible defaults are much, much better than the absolutionist approach of "disable everything".

Edit: it's so funny to know that all the people slamming the downvote have never hit the brick wall of a dumb default. I hope you stay blessed like that!

unethical_ban|3 months ago

You bring up a particular edge case as a way to discredit a much more thorough essay on the system.

And if someone is administering routers but doesn't have the hard-line equipment to configure them locally, I wish them well.

DoctorOW|3 months ago

> Edit: it's so funny to know that all the people slamming the downvote have never hit the brick wall of a dumb default.

I'll bite. OpenBSD and OpenWRT are different things, and I'm honestly surprised to hear that tech matters enough to you to set up OpenWRT but not enough to own a desktop (or a laptop that doesn't skimp on ports).

7bit|3 months ago

You are being downvoted for comparing OpenBSD to OpenWRT. They are about as different as a foundation is from a house.