BSD DevCenter
oreilly.comSafari Books Online.Conferences.


An Overview of OpenBSD Security
Pages: 1, 2

Code auditing

One of the largest problems with systems such as Linux is the inclusion of unchecked third party software. If a vulnerability or security issue arises, the third party must release a patch and the operating system vendor must then redistribute this patch to their users. Not only this, but the third party software is not in any way audited or checked for quality by the operating system vendors and as such can be vulnerable for a long time before any sort of fix is available to users (as happened numerous times with wu-ftpd). One of the major steps forward for OpenBSD was when the entire source tree was audited for buffer overflows and vulnerabilities. This has been constantly maintained and has resulted in a product unparalleled in terms of security and system integrity. In saying this, third party software is usually necessary for the operation of a functional system, so OpenBSD makes it available via the ports tree, a mechanism for downloading, installing, and configuring third party software known to work under OpenBSD or modified to do so. I won't go into details here of configuring the ports tree -- this has been broadly documented elsewhere.

Security updates

As opposed to the majority of commercial vendors and even some other open source projects, OpenBSD takes a "full disclosure" approach to any bugs or vulnerabilities found in the source tree. This means that bugs are reported immediately to users in their entirety, generally with a patch or workaround included. The outcome of this is a system with no hidden bugs or "features" shielded from the users, a prime example of which is the +.htr bug recently in Microsoft IIS. Users wishing to monitor security updates as they occur can subscribe to the security-announce mailing list, or monitor the patches posted to the OpenBSD errata page. The patches provided are generally a source tarball, which can be simply installed over the top of an existing system. An example of this is the installation of the recent ftpd remote-root exploit patch:

1. Download the patch:


2. Place the patch in your source root directory (usr/src):

mv 019_ftpd.patch /usr/src

3. Apply the patch to the source tree:

patch -p0 < 019_ftpd.patch

4. Recompile ftpd:

cd libexec/ftpd
make obj && make depend && make && make install

5. Restart ftpd (which in this case has been started from inetd):

ps aux | grep inetd
root 19983 0.0 0.4 72 264 ?? Ss 29May00 3:03.68 inetd
kill -1 19983

As has been demonstrated, OpenBSD's "Secure by default" slogan holds merit in all aspects of the system. Hopefully other open source projects (or -- dare I suggest it -- commercial vendors) will start to take onboard this holistic security approach to their own systems. Next week's article, which is the final in the OpenBSD Explained Networking series, will look at the future of OpenBSD networking, examining developments such as ipv6 support, as well as other possibilities for future releases.

David Jorm has been involved with open source and security projects for several years, originally with OpenBSD and Debian GNU/Linux, now with the development team at

Read more OpenBSD Explained columns.

Discuss this article in the Operating Systems Forum.

Return to the BSD DevCenter.


Sponsored by: