OpenBSD is notably not vulnerable, because its SIGALRM handler calls syslog_r(), an async-signal-safer version of syslog() that was invented by OpenBSD in 2001.
For a word like 'safe', or at least in CS, I would assume that the 'safe' one actually is 'safest'; that 'safer' is ehh it's not safe but it's an improvement on the unsafe one. It's safer.
One example to help think about this. Say you have 3 friends. Your friend Bob has a net worth of $1 - he is the least rich. Your friend Alex has a net worth $10 - he is richer. Another friend Ben has a net worth of $100 - he is the richest. Richest here is comparative against all 3 of them, but none of them are actually rich. Bill Gates is rich. Bezos is rich. Musk is rich. Someone with a net worth of $100 isn't.
You can still have comparisons between the rich too, so Bezos is richer than Gates and he's also the richest if you're just considering the pair. But add Musk to the mix, and he's no longer the richest.
I guess that last example looks like you have two attributes - rich as some objective "has a lot of money" and comparatively rich (richer, richest). For safe, it's kind of similar, except that as soon as you are saying one thing is safer than the other, then you are implicitly acknowledging that there are areas where the thing isn't safe, and if you're admitting that you can't also call it safe without contradicting yourself.
A better example is "pure water". By its definition, that's just H2O molecules floating around with nothing else.
If you add a single grain of salt to a glass of that water, it's no longer pure. Drinking it you probably wouldn't notice, and some people might colloquially call it "pure", but we know it isn't because we added some salt to it.
If you add a teaspoon of salt to a different glass of pure water, it's also no longer pure, and now most people would probably notice the salt and recognise it's not pure.
If you add a tablespoon of salt to a different glass of pure water, it's definitely not pure and you probably wouldn't want to drink it either.
You could say the teaspoon of salt glass is purer than the tablespoon of salt glass, the grain of salt glass is purer than both of them and so the purest of the three. And yet, we know that it isn't pure water, because we added something else to it.
So pure > purest > purer > less pure. Also note that I was required to use "less pure" for the last one, because all of them except pure are "impure" or "not pure", even though those were what I originally thought of writing.
It's a bit ambiguous and depends on context, which is why I said 'at least in CS', since for whatever the particular topic is, 'safe' and 'unsafe' are likely to have a fairly strict meaning.
In general you're right. For safety it's just that 'safest' implies some sort of practicality: the best - most safe - from a set of options. But the safest option isn't necessarily strictly safe.
(Say your dog's stuck on a roof on a windy day, you decide the safest option is scaffolding (safer than a ladder or free climbing), but it's not safe, you just insist on rescuing your dog.)
Wouldn't a good systematic evaluation need (or at least benefit from) a few actual working exploits/PoCs? I keep asking this as a long-time OpenBSD user who is genuinely interested in seeing it done, but so far everyone who has said "it's flawed" also reserved themselves the convenience of not having to prove their point in a practical sense.
Let's say I show up on this message board and say my house is more secure than a bank vault, because I have a special laser in my attic that vaporizes attackers if they come in my house. Would you believe me? Would you bother to even visit my house to prove me wrong? I mean, I can claim all I want that nobody has robbed my house, but at some point there is actually nothing of value here that means nobody has tried and nobody actually wants to try.
> Wouldn't a good systematic evaluation need (or at least benefit from) a few actual working exploits/PoCs?
Sure, see any of the previous exploits for sshd, or any other software shipped in the OpenBSD default install.
> I keep asking this as a long-time OpenBSD user who is genuinely interested in seeing it done, but so far everyone who has said "it's flawed" also reserved themselves the convenience of not having to prove their point in a practical sense.
The point is they have very little in the way of containing attackers and restricting what they can do. Until pledge and unveil, almost all their focus was on eliminating bugs which hey, great, but let's have a little more in case you miss a bug and someone breaks in, eh?
An insecure dockerized webserver protected with SELinux is safer than Apache on a default OpenBSD install.
> Sure, see any of the previous exploits for sshd, or any other software shipped in the OpenBSD default install.
Would you like to point to one that successfully utilizes a weakness in OpenBSD itself, which is the topic and implied statement of the video, rather than a weakness in some application running under the superuser?
Just to underline, I'm not interested in discussing the hows and whys of containing arbitrary applications where one or more portions are running under euid 0. I'm interested in seeing OpenBSD successfully attacked by an unprivileged process/user.
Now to be fair, sshd on OpenBSD is part of OpenBSD rather than an add-on application and I think it would be fair to count exploits in it against the OS, if it had vulnerabilities there.
It's the way most distros handled security vulnerabilities, though. Without looking, I'm certain Ubuntu has a security advisory for that vulnerability.
So I agree it might not be fair on the face of it or if doing a technical analysis or something, but if you want to compare OpenBSD security to other Linux distros by vulnerability count, (and so many who don't know better do), then vulnerabilities should be measured in the same way across both systems.
> Would you like to point to one that successfully utilizes a weakness in OpenBSD itself, which is the topic and implied statement of the video, rather than a weakness in some application running under the superuser?
I'm sorry, what? What kind of nonsense distinction is this?
Are you trying to very disingenuously try and claim only kernel exploits count as attacks against OpenBSD?
Why the hell wouldn't a webserver zero-day count? If an OS that claims to be security focused can't constrain a misbehaving web server running as root then it's sure as hell not any type of secure OS.
> I'm interested in seeing OpenBSD successfully attacked by an unprivileged process/user.
You realize there is very little that OpenBSD does to protect against LPE if there is any LPE vuln on their system, right? Surely you're not just advocating for OpenBSD based on their own marketing? If you want to limit the goalposts to kernel vulns or LPEs that already require an account you're free to do so, but that's rather silly and not remotely indicative of real world security needs.
If it's a security focused OS, it should provide ways to limit the damage an attacker can do. OpenBSD had very very little in that regard and still does, although things are slightly better now and they have a few toys.
And hey, fun fact, if you apply the same OpenBSD methodology and config of having a barebones install, you'll suddenly find at least dozens of other operating systems with equivalent or better track records.
Plan 9 has had fewer vulnerabilities than OpenBSD and has had more thought put into its security architecture[0], so by your metric it's the more secure OS, yeah?
> I'm sorry, what? What kind of nonsense distinction is this?
> Are you trying to very disingenuously try and claim only kernel exploits count as attacks against OpenBSD?
Not at all. I clearly underlined that I'm not looking for cases fitting that specific scenario. The only moving of goalposts is entirely on your behalf by very disingenuously misrepresenting my question in a poor attempt to try to make your answer or whatever point fit. And on top of that, the tasteless pretending to be baffled...
> Not at all. I clearly underlined that I'm not looking for cases fitting that specific scenario
The thing is, we're trying to talk about the security of OpenBSD compared to its competition.
But you're trying to avoid letting anyone do that by saying only an attack against something in the default install you can do with a user account counts, which is absolutely ridiculous.
I'm not moving the goalposts nor am I pretending in any sense. Your approach just doesn't make sense, measure or indicate anything useful or relevant about the security of OpenBSD. I stated so and explained why.
> "The thing is, we're trying to talk about the security of OpenBSD compared to its competition."
> "But you're trying to avoid letting anyone do that by saying only an attack against something in the default install you can do with a user account counts, which is absolutely ridiculous."
I don't know who "we" are. The question I asked another poster, where you decided to butt in, regarded escalation from an unprivileged position and nothing else.
Nobody but yourself said anything along the lines of "only attacks against things in the default install 'count'", nor drew up comparisons against "the competition". You clearly have some larger axe to grind, but you're doing it in a discourse playing out only in your head, without reading what others actually wrote.
We are the people having this discussion. That should be obvious. It's kind of funny you accused me of pretending to be baffled, lol. The irony.
You certainly had no issue discussing this topic with me until I called out your claims/methodology as nonsense.
> The question I asked another poster, where you decided to butt in,
Welcome to the Internet!
> regarded escalation from an unprivileged position and nothing else.
Yes. And I pointed out why this is an absolutely nonsense approach. You realize getting root on OpenBSD is significantly easier than on several other setups or Linux distros you've probably never heard of, though, right?
So, what is it? Afraid to be wrong? You bought too much into the OpenBSD marketing, so now it's a sunk cost for your ego?
> Nobody but yourself said anything along the lines of "only attacks against things in the default install 'count'", nor drew up comparisons against "the competition".
This is exactly what you imply when you want to limit attacks to LPEs that require a user account, lol.
> You clearly have some larger axe to grind, but you're doing it in a discourse playing out only in your head, without reading what others actually wrote.
No axe to grind. Just calling out bad claims and reasoning.
Even now, you've successfully got us discussing semantics and nonsense instead of you actually addressing the bs claims you made. Stellar job.
You've been posting huge numbers of flamewar comments lately. That's not what HN is for, and destroys what it is for. If you keep this up, we're going to have to ban you. I don't want to do that, so if you'd please review https://news.ycombinator.com/newsguidelines.html and stick to the rules from now on, we'd appreciate it.
By the time a commenter gets to violating the site guidelines as egregiously as this, it's almost always the case that they should have stopped posting a lot sooner.