Re: Running another OS under OpenBSD

2008-12-31 Thread Henning Brauer
* Douglas A. Tutty  [2008-12-31 15:56]:
> On Tue, Dec 30, 2008 at 12:23:59PM +0100, Henning Brauer wrote:
> > I'd use the OpenBSD/ff combo over whateverlinux/ff any time, even if
> > the ff on OpenBSD is older, yes.
> 
> Is it older?  If it's older with backported bug fixes, fine.  However, if
> ff has a big security bug found that, e.g. lets some remote yahoo read
> your local files, can anything on openbsd mitigate that security hole?

maybe, maybe not. no definite answer possible with that vague a
description.

I run -current anyway.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Running another OS under OpenBSD

2008-12-31 Thread Douglas A. Tutty
On Tue, Dec 30, 2008 at 12:23:59PM +0100, Henning Brauer wrote:
> * Douglas A. Tutty  [2008-12-30 02:39]:
> > > crappy applications are still crappy applications on OpenBSD, but
> > > worse on pretty much any other OS.
> > IIUC, with ports right now, to get security fixes you have to run
> > current and then you end up getting the latest versions of the upstream
> 
> the lack of -stable ports/packages is indeed very sad.
> 
> > With this in mind, is it still a safe or fair assumption that if you
> > only want a box that does web browsing in the most secure mode possible
> > (for a web browsing box), let's say for something like internet banking,
> > is OpenBSD + Firefox from ports going to be more secure than e.g. Debian
> > base + Iceweasel (their off-brand Firefox)?
> 
> I'd use the OpenBSD/ff combo over whateverlinux/ff any time, even if
> the ff on OpenBSD is older, yes.

Is it older?  If it's older with backported bug fixes, fine.  However, if
ff has a big security bug found that, e.g. lets some remote yahoo read
your local files, can anything on openbsd mitigate that security hole?

Doug.



Re: Running another OS under OpenBSD

2008-12-30 Thread Justin Fletcher
On Tue, Dec 30, 2008 at 12:23 PM, Henning Brauer wrote:

> * Douglas A. Tutty  [2008-12-30 02:39]:
> > > crappy applications are still crappy applications on OpenBSD, but
> > > worse on pretty much any other OS.
> > IIUC, with ports right now, to get security fixes you have to run
> > current and then you end up getting the latest versions of the upstream
>
> the lack of -stable ports/packages is indeed very sad.
>
>
What is needed to get -stable ports?  Maintainers to watch the changes in
-current and apply them to a -stable ports tree?



Re: Running another OS under OpenBSD

2008-12-30 Thread Henning Brauer
* Douglas A. Tutty  [2008-12-30 02:39]:
> > crappy applications are still crappy applications on OpenBSD, but
> > worse on pretty much any other OS.
> IIUC, with ports right now, to get security fixes you have to run
> current and then you end up getting the latest versions of the upstream

the lack of -stable ports/packages is indeed very sad.

> With this in mind, is it still a safe or fair assumption that if you
> only want a box that does web browsing in the most secure mode possible
> (for a web browsing box), let's say for something like internet banking,
> is OpenBSD + Firefox from ports going to be more secure than e.g. Debian
> base + Iceweasel (their off-brand Firefox)?

I'd use the OpenBSD/ff combo over whateverlinux/ff any time, even if
the ff on OpenBSD is older, yes.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Running another OS under OpenBSD

2008-12-29 Thread Douglas A. Tutty
On Tue, Dec 23, 2008 at 5:34 AM, Henning Brauer wrote:
> * Douglas A. Tutty  [2008-12-23 05:45]:
> > On Tue, Dec 23, 2008 at 02:41:08AM +0100, Henning Brauer wrote:
> > > * Jussi Peltola  [2008-12-11 20:52]:
> > > > On Thu, Dec 11, 2008 at 10:30:50AM -0800, Jeff_1981 wrote:

> > > many things from ports are patched or otherwise modified for security
> > > reasons, and many things are deliberately NOT in ports due to security
> > > considerations. nonetheless there is truth in your above statement;
> > > averaged things from ports are not on the same level as openbsd.
> >
> > Has anybody done any comparisons to see how things from ports
> > (especially common things like firefox) compare to the competition's
> > packages (rpms, debs, whatever)?  I know that the ports don't get
> > audited like base, but then I don't think anyone else's does either.
> >
> > In other words, if you need a box with multiple third-party apps, (let's
> > say that none of them are server apps), (eg, firefox, a window manager or
> > DTE, mutt, LaTex, gv, a pdf reader), which box would be more secure
> > (with the same admin): OpenBSD with ports or a Linux (e.g. Debian)?
>
> easy - OpenBSD. Linux doesn't have propolice, randomized malloc/mmap,
> randomized library addresses etc yadda yadda yadda.
>
> crappy applications are still crappy applications on OpenBSD, but
> worse on pretty much any other OS.

However, using Debian's packages as an example, the Debian security team
backports security fixes from upstream versions to the version in Debian
Stable in an effort to fix security bugs without introducing new
features (and perhaps new bugs) by just having users install the latest
version.  

IIUC, with ports right now, to get security fixes you have to run
current and then you end up getting the latest versions of the upstream
package.  For conceptual purposes, I'm thinking of Firefox as the
upstream package in question since it seems to have the most frequent
security fixes of any one upstream package.

With this in mind, is it still a safe or fair assumption that if you
only want a box that does web browsing in the most secure mode possible
(for a web browsing box), let's say for something like internet banking,
is OpenBSD + Firefox from ports going to be more secure than e.g. Debian
base + Iceweasel (their off-brand Firefox)?

Doug.



Re: Running another OS under OpenBSD

2008-12-26 Thread Girish Venkatachalam
On 21:50:08 Dec 25, Marco Peereboom wrote:
> Right, now tell me again about strl*
> 

Also about the kernel source.

-Girish



Re: Running another OS under OpenBSD

2008-12-25 Thread Marco Peereboom
Every non retarded app uses it.  glibc has no support for it because it
wants to make stupid better.

glibc is a total disaster; I can't remember seeing much worse code.

On Thu, Dec 25, 2008 at 11:29:46PM -0500, Felipe Alfaro Solana wrote:
> On Thu, Dec 25, 2008 at 10:50 PM, Marco Peereboom wrote:
>
> > > RedHat has been shipping a version of glibc that does randomized library
> > > addresses for, at least, a year. Libraries have to be compiled with -fPIC,
> > > however, but that's the case for most. Not sure about other distros.
> >
> > Right, now tell me again about strl*
>
> What's so special about strl*? Anyone can implement it in glibc. But
> applications must be changed anyways to use it.
> --
> http://www.felipe-alfaro.org/blog/disclaimer/



Re: Running another OS under OpenBSD

2008-12-25 Thread Felipe Alfaro Solana
On Thu, Dec 25, 2008 at 10:50 PM, Marco Peereboom wrote:

> > RedHat has been shipping a version of glibc that does randomized library
> > addresses for, at least, a year. Libraries have to be compiled with -fPIC,
> > however, but that's the case for most. Not sure about other distros.
>
> Right, now tell me again about strl*


What's so special about strl*? Anyone can implement it in glibc. But
applications must be changed anyways to use it.

-- 
http://www.felipe-alfaro.org/blog/disclaimer/
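Added example, not part of the thread: the strl* exchange above concerns strlcpy/strlcat and the fact that call sites have to change to use them. The `ex_` functions below are written for this illustration, following the semantics documented in OpenBSD's strlcpy(3); they are not OpenBSD's or glibc's source, and `ex_build_path` is a hypothetical caller.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy src into dst of size dsize. Always NUL-terminates when dsize > 0.
 * Returns strlen(src); a return value >= dsize means the copy was truncated. */
size_t ex_strlcpy(char *dst, const char *src, size_t dsize)
{
    size_t srclen = strlen(src);
    if (dsize != 0) {
        size_t n = srclen < dsize - 1 ? srclen : dsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Append src to dst, where dsize is the full size of dst.
 * Returns the length of the string it tried to create. */
size_t ex_strlcat(char *dst, const char *src, size_t dsize)
{
    size_t dlen = 0;
    size_t srclen = strlen(src);

    /* Find the end of dst without reading past dsize. */
    while (dlen < dsize && dst[dlen] != '\0')
        dlen++;
    if (dlen == dsize)              /* dst was not terminated inside dsize */
        return dsize + srclen;

    size_t room = dsize - dlen - 1;
    size_t n = srclen < room ? srclen : room;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + srclen;
}

/* Hypothetical call site: build "<dir>/<name>" into out.
 * Returns 0 on success, -1 if the result did not fit. The buffer is
 * NUL-terminated in both cases, so a caller that ignores the error still
 * cannot read past the end of out. */
int ex_build_path(char *out, size_t outsize, const char *dir, const char *name)
{
    if (ex_strlcpy(out, dir, outsize) >= outsize)
        return -1;
    if (ex_strlcat(out, "/", outsize) >= outsize)
        return -1;
    if (ex_strlcat(out, name, outsize) >= outsize)
        return -1;
    return 0;
}

/* Contrast with strncpy: returns 1 if the first dsize bytes of the
 * destination contain a NUL after strncpy(buf, src, dsize), else 0. */
int ex_strncpy_terminated(const char *src, size_t dsize)
{
    char buf[64];
    if (dsize > sizeof(buf))
        dsize = sizeof(buf);
    memset(buf, 'X', sizeof(buf));
    strncpy(buf, src, dsize);
    return memchr(buf, '\0', dsize) != NULL;
}

int main(void)
{
    char path[8];   /* deliberately too small for "/etc/passwd" */
    int rc = ex_build_path(path, sizeof(path), "/etc", "passwd");
    printf("build_path rc=%d, buffer holds \"%s\"\n", rc, path);
    printf("strncpy terminated on overflow: %d\n",
           ex_strncpy_terminated("abcdefgh", 4));
    return 0;
}
```
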



Re: Running another OS under OpenBSD

2008-12-25 Thread Marco Peereboom
> RedHat has been shipping a version of glibc that does randomized library
> addresses for, at least, a year. Libraries have to be compiled with -fPIC,
> however, but that's the case for most. Not sure about other distros.

Right, now tell me again about strl*



Re: Running another OS under OpenBSD

2008-12-25 Thread Felipe Alfaro Solana
On Wed, Dec 24, 2008 at 11:13 AM, Henning Brauer wrote:

> * Felipe Alfaro Solana  [2008-12-24 06:17]:
> > > easy - OpenBSD. Linux doesn't have propolice, randomized malloc/mmap,
> > > randomized library addresses etc yadda yadda yadda.
> > RedHat has been shipping a version of glibc that does randomized library
> > addresses for, at least, a year.
>
> wow. one thing out of dozens we do. sure a killer argument.


Who said this is a killer argument? I was just pointing out that nearly any
mainstream OS currently has randomized library address space.


> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
>
>


-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: Running another OS under OpenBSD

2008-12-24 Thread Henning Brauer
* Felipe Alfaro Solana  [2008-12-24 06:17]:
> > easy - OpenBSD. Linux doesn't have propolice, randomized malloc/mmap,
> > randomized library addresses etc yadda yadda yadda.
> RedHat has been shipping a version of glibc that does randomized library
> addresses for, at least, a year.

wow. one thing out of dozens we do. sure a killer argument.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Running another OS under OpenBSD

2008-12-23 Thread Felipe Alfaro Solana
On Tue, Dec 23, 2008 at 12:34 PM, Henning Brauer wrote:

> * Douglas A. Tutty  [2008-12-23 05:45]:
> > On Tue, Dec 23, 2008 at 02:41:08AM +0100, Henning Brauer wrote:
> > > * Jussi Peltola  [2008-12-11 20:52]:
> > > > On Thu, Dec 11, 2008 at 10:30:50AM -0800, Jeff_1981 wrote:
> >
> > > > That said, OpenBSD base services are extremely secure, compared to the
> > > > competition, when properly configured and patched. Note that no security
> > > > audits are done to software in the ports tree; you're on your own with
> > > > 3rd party software.
> > >
> > > many things from ports are patched or otherwise modified for security
> > > reasons, and many things are deliberately NOT in ports due to security
> > > considerations. nonetheless there is truth in your above statement;
> > > averaged things from ports are not on the same level as openbsd.
> >
> > Has anybody done any comparisons to see how things from ports
> > (especially common things like firefox) compare to the competition's
> > packages (rpms, debs, whatever)?  I know that the ports don't get
> > audited like base, but then I don't think anyone else's does either.
> >
> > In other words, if you need a box with multiple third-party apps, (let's
> > say that none of them are server apps), (eg, firefox, a window manager or
> > DTE, mutt, LaTex, gv, a pdf reader), which box would be more secure
> > (with the same admin): OpenBSD with ports or a Linux (e.g. Debian)?
>
> easy - OpenBSD. Linux doesn't have propolice, randomized malloc/mmap,
> randomized library addresses etc yadda yadda yadda.


RedHat has been shipping a version of glibc that does randomized library
addresses for, at least, a year. Libraries have to be compiled with -fPIC,
however, but that's the case for most. Not sure about other distros.


> crappy applications are still crappy applications on OpenBSD, but
> worse on pretty much any other OS.
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
>
>


-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: Running another OS under OpenBSD

2008-12-23 Thread patric conant
Let's not forget Debian maintainers who think entropy is optional in
encryption.

On Tue, Dec 23, 2008 at 5:34 AM, Henning Brauer wrote:

> * Douglas A. Tutty  [2008-12-23 05:45]:
> > On Tue, Dec 23, 2008 at 02:41:08AM +0100, Henning Brauer wrote:
> > > * Jussi Peltola  [2008-12-11 20:52]:
> > > > On Thu, Dec 11, 2008 at 10:30:50AM -0800, Jeff_1981 wrote:
> >
> > > > That said, OpenBSD base services are extremely secure, compared to the
> > > > competition, when properly configured and patched. Note that no security
> > > > audits are done to software in the ports tree; you're on your own with
> > > > 3rd party software.
> > >
> > > many things from ports are patched or otherwise modified for security
> > > reasons, and many things are deliberately NOT in ports due to security
> > > considerations. nonetheless there is truth in your above statement;
> > > averaged things from ports are not on the same level as openbsd.
> >
> > Has anybody done any comparisons to see how things from ports
> > (especially common things like firefox) compare to the competition's
> > packages (rpms, debs, whatever)?  I know that the ports don't get
> > audited like base, but then I don't think anyone else's does either.
> >
> > In other words, if you need a box with multiple third-party apps, (let's
> > say that none of them are server apps), (eg, firefox, a window manager or
> > DTE, mutt, LaTex, gv, a pdf reader), which box would be more secure
> > (with the same admin): OpenBSD with ports or a Linux (e.g. Debian)?
>
> easy - OpenBSD. Linux doesn't have propolice, randomized malloc/mmap,
> randomized library addresses etc yadda yadda yadda.
>
> crappy applications are still crappy applications on OpenBSD, but
> worse on pretty much any other OS.
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
>
>


-- 
/"\  ASCII Ribbon Campaign
\ /  Respect for low technology.
 X   Keep e-mail messages readable by any computer system.
/ \  Keep it ASCII.



Re: Running another OS under OpenBSD

2008-12-23 Thread Henning Brauer
* Douglas A. Tutty  [2008-12-23 05:45]:
> On Tue, Dec 23, 2008 at 02:41:08AM +0100, Henning Brauer wrote:
> > * Jussi Peltola  [2008-12-11 20:52]:
> > > On Thu, Dec 11, 2008 at 10:30:50AM -0800, Jeff_1981 wrote:
>  
> > > That said, OpenBSD base services are extremely secure, compared to the
> > > competition, when properly configured and patched. Note that no security
> > > audits are done to software in the ports tree; you're on your own with
> > > 3rd party software.
> > 
> > many things from ports are patched or otherwise modified for security
> > reasons, and many things are deliberately NOT in ports due to security
> > considerations. nonetheless there is truth in your above statement;
> > averaged things from ports are not on the same level as openbsd.
> 
> Has anybody done any comparisons to see how things from ports
> (especially common things like firefox) compare to the competition's
> packages (rpms, debs, whatever)?  I know that the ports don't get
> audited like base, but then I don't think anyone else's does either.
> 
> In other words, if you need a box with multiple third-party apps, (let's
> say that none of them are server apps), (eg, firefox, a window manager or
> DTE, mutt, LaTex, gv, a pdf reader), which box would be more secure
> (with the same admin): OpenBSD with ports or a Linux (e.g. Debian)?

easy - OpenBSD. Linux doesn't have propolice, randomized malloc/mmap,
randomized library addresses etc yadda yadda yadda.

crappy applications are still crappy applications on OpenBSD, but
worse on pretty much any other OS.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Running another OS under OpenBSD

2008-12-22 Thread Douglas A. Tutty
On Tue, Dec 23, 2008 at 02:41:08AM +0100, Henning Brauer wrote:
> * Jussi Peltola  [2008-12-11 20:52]:
> > On Thu, Dec 11, 2008 at 10:30:50AM -0800, Jeff_1981 wrote:
 
> > That said, OpenBSD base services are extremely secure, compared to the
> > competition, when properly configured and patched. Note that no security
> > audits are done to software in the ports tree; you're on your own with
> > 3rd party software.
> 
> many things from ports are patched or otherwise modified for security
> reasons, and many things are deliberately NOT in ports due to security
> considerations. nonetheless there is truth in your above statement;
> averaged things from ports are not on the same level as openbsd.

Has anybody done any comparisons to see how things from ports
(especially common things like firefox) compare to the competition's
packages (rpms, debs, whatever)?  I know that the ports don't get
audited like base, but then I don't think anyone else's does either.

In other words, if you need a box with multiple third-party apps, (let's
say that none of them are server apps), (eg, firefox, a window manager or
DTE, mutt, LaTex, gv, a pdf reader), which box would be more secure
(with the same admin): OpenBSD with ports or a Linux (e.g. Debian)?

Doug.



Re: Running another OS under OpenBSD

2008-12-22 Thread Henning Brauer
* Jussi Peltola  [2008-12-11 20:52]:
> On Thu, Dec 11, 2008 at 10:30:50AM -0800, Jeff_1981 wrote:
> > Dear All,
> > 
> > Please can you indicate me how to run Windows or Linux under OpenBSD ?
> > Under Linux for example there is possibility to virtualize another OS.
> > If the other OS is hacked from the web does it compromise the security of
> > OpenBSD ?
> 
> Who cares; if your service gets hacked, it doesn't help to keep the
> underlying OS clean, your service is still compromised.

if you run $random_crap_third_party_service on openbsd which is
vulnerable there is still a good chance the security measures openbsd
applies prevent successful exploitation. it cannot be 100%, of course.

>  This list seems
> to generally not recommend virtualization if security is important, and
> is especially critical of any claim that virtualization is going to
> improve (and not reduce) security, since it is a new, not-too-well-known
> and complex technology.

virtualization at its current state of the art (art? hah.) assuredly
reduces security. actually, "reduces" is not a strong enough word, it
is way worse.

> > Another question is if I run a server under OpenBSD is this impossible to
> > hack it from the web ?

impossible is impossible.

> > The standard install of OpenBSD has no security holes anymore

the standard install of -current OpenBSD never had known exploitable
holes for prolonged timeframes. the very few short timeframes can of
course suffice for exploitation, and there might be issues we were or
even are not aware of.

> > if I
> > understand, does this mean no one can hack it from the web ? what about an
> > OpenBSD on which we have activated one or more services, like mail server /
> > web server and file sharing for within network (if used as NAS / server as
> > example ?
> Nobody has claimed OpenBSD has no security holes; it is quite possible
> (almost certain) there are some that have not been found yet.

it is far from "almost certain". nobody can give guarantees of course,
and that is important to keep in mind.

> Enabling services will, of course, make you more vulnerable.

_potentially_ more vulnerable.

> The OpenBSD
> base services are well audited and should be secure, but nobody
> guarantees they have no holes, and certainly nobody will claim it is
> "un-hackable". There may be holes in OpenBSD or the software you run on
> it, and if you use "kitty" for a root password there is nothing OpenBSD
> can do to help you.

yup.

> That said, OpenBSD base services are extremely secure, compared to the
> competition, when properly configured and patched. Note that no security
> audits are done to software in the ports tree; you're on your own with
> 3rd party software.

many things from ports are patched or otherwise modified for security
reasons, and many things are deliberately NOT in ports due to security
considerations. nonetheless there is truth in your above statement;
averaged things from ports are not on the same level as openbsd.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Running another OS under OpenBSD

2008-12-14 Thread Alexander Hall

patric conant wrote:
> I'm sorry but I am a little foggy, is kqemu a kernel module, is it
> fairly straightforward  to get working, or do you really have to alter
> your openbsd installation a lot, and does it deliver the 8X- 10X
> performance increase over qemu on openbsd that it does on other
> platforms. I suppose what I am really getting at is: I thought kqemu
> was a Linux thing.


Kqemu exists for OpenBSD and does speed up things like `md5 -tt' 
approximately 8 times here.


However, at the very least, kqemu has major issues on multiprocessor 
systems. I don't run qemu on non-mp systems anymore, but its reputation 
is not the best in general.


/Alexander



Re: Running another OS under OpenBSD

2008-12-12 Thread patric conant
I'm sorry but I am a little foggy, is kqemu a kernel module, is it
fairly straightforward  to get working, or do you really have to alter
your openbsd installation a lot, and does it deliver the 8X- 10X
performance increase over qemu on openbsd that it does on other
platforms. I suppose what I am really getting at is: I thought kqemu
was a Linux thing.

On 12/12/08, Mike Swanson  wrote:
> Felipe Alfaro Solana wrote:
>> Does QEMU work under OpenBSD? But even if it does, it's probably too slow to
>> use it in production. Also, it might contain bugs and crash, decrease the
>> security of the host or guest, etc. If I were you and decided on using
>> virtualization, I'd go with a proven, mature solution. I don't think QEMU is
>> that mature or that it got enough exposure.
>>
> KQEMU has been ported to OpenBSD (see ports), it's rather fast though
> I'm not sure if it's stable enough to really put your services in it.



Re: Running another OS under OpenBSD

2008-12-12 Thread Mike Swanson

Felipe Alfaro Solana wrote:
> Does QEMU work under OpenBSD? But even if it does, it's probably too slow to
> use it in production. Also, it might contain bugs and crash, decrease the
> security of the host or guest, etc. If I were you and decided on using
> virtualization, I'd go with a proven, mature solution. I don't think QEMU is
> that mature or that it got enough exposure.

KQEMU has been ported to OpenBSD (see ports), it's rather fast though
I'm not sure if it's stable enough to really put your services in it.



Re: Running another OS under OpenBSD

2008-12-12 Thread Scott Francis
2008/12/12 Aram Havarneanu :
> On Thu, Dec 11, 2008 at 9:47 PM, Scott Francis  wrote:
>> in theory, you could install the linux compatibility packages (see
>> compat_linux(8)) and run e.g. VMware Server as a platform for a
>> Windows VM. I haven't tried this myself yet (although it is on my list
>> of things to do the next time I'm bored).
>>
>
> It won't work. VMware needs to load Linux kernel modules.
> linux_compat(8) can run userspace applications only.

that makes sense (and it should have occurred to me, but it's been
about a year since I last installed VMware Server on Linux). Thanks
for the heads-up; you saved me at least a little bit of wasted time.
:)

cheers,
-- 
darkun...@{gmail.com,darkuncle.net} || 0x5537F527
  http://darkuncle.net/pubkey.asc for public key



Re: Running another OS under OpenBSD

2008-12-12 Thread Aram Havarneanu
On Thu, Dec 11, 2008 at 9:47 PM, Scott Francis  wrote:
> in theory, you could install the linux compatibility packages (see
> compat_linux(8)) and run e.g. VMware Server as a platform for a
> Windows VM. I haven't tried this myself yet (although it is on my list
> of things to do the next time I'm bored).
>

It won't work. VMware needs to load Linux kernel modules.
linux_compat(8) can run userspace applications only.

-- 
Aram Havarneanu



Re: Running another OS under OpenBSD

2008-12-12 Thread Jukka Ruohonen
On Thu, Dec 11, 2008 at 09:04:48PM +0100, Toni Mueller wrote:
> > On Thu, Dec 11, 2008 at 10:30:50AM -0800, Jeff_1981 wrote:
> > > Please can you indicate me how to run Windows or Linux under OpenBSD ?
> > > Under Linux for example there is possibility to virtualize another OS.
> > > If the other OS is hacked from the web does it compromise the security of
> > > OpenBSD ?
> 
> this is generally possible. If you kept an eye on the virtualization
> methods under Linux, you will have encountered several cases where it
> was possible for virtual machines to break out of their compartment,
> and invade the host or other guest systems. Search eg. for "blue pill"
> if you want more details.

As a footnote: Rafal Wojtczuk "recently" (October, 2008) published an
interesting paper demonstrating an escape from a Xen guest to dom0 on i386
Fedora 8.[1]

- Jukka.


[1] http://invisiblethingslab.com/pub/xenfb-adventures-10.pdf



Re: Running another OS under OpenBSD

2008-12-11 Thread Felipe Alfaro Solana
On Thu, Dec 11, 2008 at 7:30 PM, Jeff_1981  wrote:

> Dear All,
>
> Please can you indicate me how to run Windows or Linux under OpenBSD ?
> Under Linux for example there is possibility to virtualize another OS.
> If the other OS is hacked from the web does it compromise the security of
> OpenBSD ?


Does QEMU work under OpenBSD? But even if it does, it's probably too slow to
use it in production. Also, it might contain bugs and crash, decrease the
security of the host or guest, etc. If I were you and decided on using
virtualization, I'd go with a proven, mature solution. I don't think QEMU is
that mature or that it got enough exposure.


> Another question is if I run a server under OpenBSD is this impossible to
> hack it from the web ?


Nothing is impossible (or impossible is nothing). Even operating systems
certified as EAL4+ have been hacked, and some of them have horrible security
tracks, despite being certified. No software is bug-free, so forget about
the concept of "unbreakable" or "unhackable". It does not exist at all.


> The standard install of OpenBSD has no security holes anymore if I
> understand, does this mean no one can hack it from the web ? what about an
> OpenBSD on which we have activated one or more services, like mail server /
> web server and file sharing for within network (if used as NAS / server as
> example ?


Being hackable from the Web is just too vague. Your system might have SSH
enabled and a poor password for a particular user, such that a hacker can
log in and, from there, launch a local attack against the system (local
exploit instead of a remote exploit, like crashing the box), launching a DoS
attack, etc.

As usual, the security of the system depends on the weakest chain. That's
typically the user, or a poor password, or an unpatched system, or a
misconfigured system, or an unqualified administrator, or ... :)

> Thanks a lot for your help.
>
> Regards,
> JF
> --
> View this message in context:
> http://www.nabble.com/Running-another-OS-under-OpenBSD-tp20961548p20961548.html
> Sent from the openbsd user - misc mailing list archive at Nabble.com.
>
>


-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: Running another OS under OpenBSD

2008-12-11 Thread Toni Mueller
Hi,

On Thu, 11.12.2008 at 21:35:36 +0200, Jussi Peltola  wrote:
> On Thu, Dec 11, 2008 at 10:30:50AM -0800, Jeff_1981 wrote:
> > Please can you indicate me how to run Windows or Linux under OpenBSD ?
> > Under Linux for example there is possibility to virtualize another OS.
> > If the other OS is hacked from the web does it compromise the security of
> > OpenBSD ?

this is generally possible. If you kept an eye on the virtualization
methods under Linux, you will have encountered several cases where it
was possible for virtual machines to break out of their compartment,
and invade the host or other guest systems. Search eg. for "blue pill"
if you want more details.

> Who cares; if your service gets hacked, it doesn't help to keep the
> underlying OS clean, your service is still compromised.

This is true, but also true is that recovery from a compromised virtual
machine is generally much faster than recovery from a compromised
physical machine, provided you have a clean image lying around, and you
are sure that the host is not compromised. But no one can guarantee you
that.


-- 
Kind regards,
--Toni++



Re: Running another OS under OpenBSD

2008-12-11 Thread Scott Francis
On Thu, Dec 11, 2008 at 10:30 AM, Jeff_1981  wrote:
> Dear All,
>
> Please can you indicate me how to run Windows or Linux under OpenBSD ?
> Under Linux for example there is possibility to virtualize another OS.

in theory, you could install the linux compatibility packages (see
compat_linux(8)) and run e.g. VMware Server as a platform for a
Windows VM. I haven't tried this myself yet (although it is on my list
of things to do the next time I'm bored).

> If the other OS is hacked from the web does it compromise the security of
> OpenBSD ?

a guest OS is always vulnerable to flaws in the host (because the host
controls it), to varying degrees.

> Another question is if I run a server under OpenBSD is this impossible to
> hack it from the web ?

nothing's impossible. :) Even if your host OS (OpenBSD) is highly
secure, if your guest is less so and you expose it to the network, it
could be attacked over the same channels it uses to communicate with
the network. The only truly secure machine is one that is not
connected to any network and has no physical access.

> The standard install of OpenBSD has no security holes anymore if I
> understand, does this mean no one can hack it from the web ? what about an
> OpenBSD on which we have activated one or more services, like mail server /
> web server and file sharing for within network (if used as NAS / server as
> example ?

clearly, you'd have to evaluate the security of any services or
applications you're running on the network independently of the OS
they're running on top of.
-- 
darkun...@{gmail.com,darkuncle.net} || 0x5537F527
  http://darkuncle.net/pubkey.asc for public key



Re: Running another OS under OpenBSD

2008-12-11 Thread Jussi Peltola
On Thu, Dec 11, 2008 at 10:30:50AM -0800, Jeff_1981 wrote:
> Dear All,
> 
> Please can you indicate me how to run Windows or Linux under OpenBSD ?
> Under Linux for example there is possibility to virtualize another OS.
> If the other OS is hacked from the web does it compromise the security of
> OpenBSD ?

Who cares; if your service gets hacked, it doesn't help to keep the
underlying OS clean, your service is still compromised. This list seems
to generally not recommend virtualization if security is important, and
is especially critical of any claim that virtualization is going to
improve (and not reduce) security, since it is a new, not-too-well-known
and complex technology.

> Another question is if I run a server under OpenBSD is this impossible to
> hack it from the web ?
> The standard install of OpenBSD has no security holes anymore if I
> understand, does this mean no one can hack it from the web ? what about an
> OpenBSD on which we have activated one or more services, like mail server /
> web server and file sharing for within network (if used as NAS / server as
> example ?

Nobody has claimed OpenBSD has no security holes; it is quite possible
(almost certain) there are some that have not been found yet. This
applies to any software that is not created and used by perfect beings
that never make any mistakes.

That said, there are relatively few holes in the OpenBSD base system.

Enabling services will, of course, make you more vulnerable. The OpenBSD
base services are well audited and should be secure, but nobody
guarantees they have no holes, and certainly nobody will claim it is
"un-hackable". There may be holes in OpenBSD or the software you run on
it, and if you use "kitty" for a root password there is nothing OpenBSD
can do to help you.

That said, OpenBSD base services are extremely secure, compared to the
competition, when properly configured and patched. Note that no security
audits are done to software in the ports tree; you're on your own with
3rd party software.

Still, whatever it is, it certainly isn't unhackable. Anyone who claims
so is lying, or talking about a machine that is turned off and not
connected to a network.

-- 
Jussi Peltola



Running another OS under OpenBSD

2008-12-11 Thread Jeff_1981
Dear All,

Please can you indicate me how to run Windows or Linux under OpenBSD ?
Under Linux for example there is possibility to virtualize another OS.
If the other OS is hacked from the web does it compromise the security of
OpenBSD ?

Another question is if I run a server under OpenBSD is this impossible to
hack it from the web ?
The standard install of OpenBSD has no security holes anymore if I
understand, does this mean no one can hack it from the web ? what about an
OpenBSD on which we have activated one or more services, like mail server /
web server and file sharing for within network (if used as NAS / server as
example ?

Thanks a lot for your help.

Regards,
JF
-- 
View this message in context: 
http://www.nabble.com/Running-another-OS-under-OpenBSD-tp20961548p20961548.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.