Seccomp was never actually usable: https://blog.habets.se/2022/03/seccomp-unsafe-at-any-speed.h...
It's barely usable by itself but I don't think it's an inherent problem of seccomp-bpf, rather the lack of libc support. Surely the task of "determine which syscalls are used for feature X" belongs in the software that decides which syscalls to use for feature X.
In fact, Cosmopolitan libc implements pledge on Linux on top of seccomp-bpf: https://justine.lol/pledge/
The "what does the equivalent of pledge(stdio) actually mean?" doesn't have to actually be on the kernel side. But it's complicated by the fact that on Linux, syscalls can be made from anywhere. On OpenBSD syscalls are now only allowed from libc code.
So even if one uses Cosmopolitan libc, if you link to some other library that library may also do direct syscalls. And which syscalls is does, and under which circumstances, is generally not part of the ABI promise. So this can still break between semver patch version upgrades.
Like if a library used to just not write debug logs by default, but then changed so that they are written, but to /dev/null, then there's no way to inform application code for that library, much less update it.
If you ONLY link to libc, then what you said will work. But if you link to anything else (including using LD_PRELOAD), then all bets are off. And at the very least you'll also be linking to libseccomp. :-)
If libc were the only library in existence, then I'd agree with your 100%.
Well but isn't that a more general problem with pledge? I can link to libfoo, drop rpath privileges, and it'll work fine until libfoo starts lazily loading /etc/fooconf (etc.)
A nice thing about pledge is that it's modularized well enough so such problems don't occur very often, but I'd argue it's not less common of an issue than "libfoo started doing raw syscalls." The solution is also the same: a) ask libfoo not to do it, or b) isolate libfoo in an auxiliary process, or c) switch to libbar.
> And at the very least you'll also be linking to libseccomp. :-)
libseccomp proponents won't tell you this, but you can in fact use seccomp without libseccomp, as does Cosmopolitan libc. All libseccomp does is abstract away CPU architecture differences, which a libc already has to do by itself anyway.
(In my project, I got annoyed enough by the kernel header dependency that I just replaced libseccomp with a shell script: https://codeberg.org/bptato/chawan/src/commit/cad5664fc0aa10... although this might have gotten me a place reserved in hell.)
No, for two reasons: 1) pledge() lets you give high level "I just want to do I/O on what I already have", and it doesn't matter if new syscalls "openat2" (should be blocked) or "getrandom" (should be allowed) are created. (see the `newfstatat` example on printf). And 2) OpenBSD limits syscalls to be done from libc, and libc & kernel are released together. Other libs need to go through libc.
Yes, if libfoo starts doing actual behavioral changes like suddenly opening files, then that's inherently indistinguishable from a compromised process. But I don't think that we need to throw out the baby with that bathwater.
And it's not just about libfoo doing raw syscalls. `unveil()` allows blocking off the filesystem. And it'll apply to open, creat, openat, openat2, unlink, io_uring versions of the relevant calls (if OpenBSD had it), etc…
But yes, if libc could ship its best-effort pledge()/unveil(), that also blocks any further syscalls (in case the kernel is newer), that'd be great. But this needs to be part of (g)libc.
Though another problem is that it doesn't help child processes with a statically compiled newer libc, that quite reasonably wants to use the newer syscalls that the kernel has. OpenBSD decided to simply not support statically linked libc, but musl (and Cosmopolitan libc?) have that as an explicit goal.
So yeah, because they mandate syscalls from libc, ironically OpenBSD should have been able to make pledge/unveil a libc feature using a seccomp-like API, or hell, implemented entirely in user space. But Linux, which has that API, kinda can't.
(ok, so I don't know how strictly OpenBSD mandates the exact system libc, so maybe what I just said would open a vulnerability)
You can do this with seccomp if you're libc. A new syscall is of no consequence for the seccomp filter unless libc starts using it, in which case libc can just add it to the filter. (Of course the filter has to be an allow-list.)
> And 2) OpenBSD limits syscalls to be done from libc, and libc & kernel are released together. Other libs need to go through libc.
That avoids one failure mode, but I think you assign too much importance to it. If your dependency uses a raw syscall (and let's be honest this isn't that common), you'll see your program SIGSYS and add it manually.
If you have so many constantly changing dependencies that you can't tell/test which ones use raw syscalls and when, you have no hope of successfully using pledge either.
> But I don't think that we need to throw out the baby with that bathwater.
We agree here, just not on which baby :)
> And it's not just about libfoo doing raw syscalls. `unveil()` allows blocking off the filesystem.
You're right, seccomp is unsuitable for implementing unveil because it can't inspect contents of pointers. I believe Cosmopolitan uses Landlock for it.
> Though another problem is that it doesn't help child processes with a statically compiled newer libc
If you're trying to pledge a program written by somebody else, expect problems on OBSD too because pledge was not designed for that. (It can work in many cases, but that's kind of incidental.)
If it's your own program, fine, but that means you're compiling your binaries with different libcs and then wat.
> So yeah, because they mandate syscalls from libc, ironically OpenBSD should have been able to make pledge/unveil a libc feature using a seccomp-like API, or hell, implemented entirely in user space. But Linux, which has that API, kinda can't.
My take is "it can, with caveats that don't matter in 99% the cases pledge is useful in." (Entirely in user space no, with seccomp yes.)
But compare how many applications execute untrusted remote programs to how many programs that have had security vulnerabilities. Or indeed, how much code.
What percentage of code runs in chrome/firefox's sandbox? 0.0001%?
Have you tried to create a seccomp ruleset for a real program? I have. There are too many variations between machines and code paths that you'll necessarily need to leave wide open doors through your policy. Sure, the more you disable the "luck" you manufacture in case of a bug, preventing exploitation. But no, it's not fit for purpose outside these extremely niche use cases.
That's understating the matter by a huge amount.
pf is easier to read and understand, easier to adjust, more dynamic, and works like every other firewall in the world not based on iptables.
But then again I've not run iptables for years. nftables has many benefits.
That really depends. You could argue a router is a server. OpenWRT has the default of WiFi off for security, which means that if the config is somehow hosed and you have to hard reset the router, you now have an inaccessible brick unless you happen to have a USB-Ethernet adapter on you.
Sensible defaults are much, much better than the absolutionist approach of "disable everything".
Edit: it's so funny to know that all the people slamming the downvote have never hit the brick wall of a dumb default. I hope you stay blessed like that!
And if someone is administering routers but don't have the hard-line equipment to configure them locally, I wish them well.
I'll bite. OpenBSD and OpenWRT are different things, and I'm honestly surprised to hear that tech matters enough to you to setup OpenWRT but not enough to own a desktop (or a laptop that doesn't skimp on ports)
Funnily enough I feel a BSD is much more suited to modems / routers, if it weren't for HW WiFi support. Yes, I know you can separate your routing and your access point onto different devices.
At any rate I'm just pointing out that that absolutionism is rarely the right answer. It's also pretty telling that people actually went through my comment history to downvote a few unrelated recent comments. People get angry when they have to adjust their assumptions.
As far as computing device goed, I prefer not lugging around a plastic brick. And one is bound to either lose or forget a dongle. In which case you get boned by OpenWRT's dumb default.
The reason for that default is that if they set up an open OpenWRT WiFi (or default passworded, think "OpenWRT2025"), in that split 5 minute window before you change it, some wardriver might login and mess with your network.
Obviously the chances of that are rather insignificant. And they could generate a default password based on the hardware. For the real security nuts they could tell them to build an image without default-on WiFi (currently they do the inverse).
People are downvoting because I'm making them realize they have to rethink their assumptions, and it is less painful to attack the messenger rather than actually do so. People these days are generally bad at not tying their identity to things and not taking it personal.
Not Linux, not Debian, Ubuntu.
Debian (provided you don't just dump a bunch of 3rd party repos) just upgrades cleanly, we have hundreds of servers that just run unattended-upgrade and get upgraded to new Debian version every 2 years.
The few Ubuntus we had had more problems.
Unattended upgrades could be configured to install more than the security release. Even with the stable release, one can add the official APT source for the Debian backports.
Fortunately, with the introduction of the syspatch(8) and sysupgrade(8) utilities this is much simpler than it used to be. And, release numbers are just sequential with one point number, i.e. 7.0 was just the next release after 6.9, nothing more is implied by the "major" number ticking up.
I think I’m a bit scarred when a docker upgrade took my entire stack down because of an api mismatch with portainer, so I’m trying to be present during upgrades.
Edit: I’m talking about Debian of course. I’m not familiar with OpenBSD.
I think you can also do unattended release upgrades by using the 'stable' release alias in sources. That will probably result in some stuff breaking since there will be package and configuration churn.
https://wiki.debian.org/AutomatedUpgrade
It is feasible to do if you prepare ahead of time, and you can even do automated offline upgrades with apt-offline and some scripting.
Mostly works fine apart from bugs in unattended-upgrades, or when my boot partition runs out of disk.
I run just lighttpd these days; used to run httpd before they decided the configuration must become even more complicated. I don't have any issues with lighttpd (admittedly only few people use it; most seem to now use nginx).
Update was also hit and miss on user's desktop machines, for a while ubuntu had a nasty habit of installing new kernel upgrades... without removing old ones, which eventually made boot run out of space and poor user usually had to give it to helpdesk to fix.
Tho tbh most of the problems in any distro with packages is "an user installed 3rd party repo that don't have well structured packages and it got messy".
Now in more of a position to pick for myself, and I wondered how you feel about the pros and cons of lighttpd? I remember quite liking its config at the time.
https://bootstrappable.org/ https://reproducible-builds.org/
I want to use OpenBSD for the next project I'm building. However, I can't wrap my head around the old way of doing deployments (before containers). People who've built production grade systems with OpenBSD:
1. How do you deploy software? 2. How do you manage fleets of servers? 3. How do you spin up/turn down servers from cloud providers? (I only know of Vultr who provided an OpenBSD option out of the box).
It's only practical for hobbyists. I used OpenBSD as a daily driver between 2001-2005. I fought, I suffered, I conquered, and I got tired of not being able to watch video on the web reliably and MacOS in those days was so clean and refreshing. I learned so much, though.
> I want to use OpenBSD for the next project I'm building.
I admire your open-mindedness. But ask yourself:
1. Do you want to have to upgrade fleets of servers every year with no exceptions for extended security support instead of 5 (or more if you're willing to pay) for LTS versions of Linux?
2. Who else will need to support it?
3. You will likely have worse performance if that matters.
> 1. How do you deploy software?
Honestly, not many people create their own services that run on OpenBSD. Those that do use old-school packaging and scripting. Tooling like ansible works.
> 2. How do you manage fleets of servers?
Ansible would be my go-to for classic fleets of servers.
> How do you spin up/turn down servers from cloud providers?
There are ports of cloud-init for OpenBSD. Creating images for third party OSes can be different levels of painful, depending on the cloud provider.
I'd like to see a more modern performant filesystem with OpenBSD but ffs has never really let me down. Capability for logical volumes and/or live resizing of partitions would be welcome as well.
I had a test case in mind while reading the documentation: running a custom web service with Nginx as a reverse-proxy. In the documentation, I couldn't find anything about creating a service. Are we supposed to write a frontend script (in ksh) that accepts various arguments (ie start/reload/...)? And what about the logs of this wrapper? And if I want an auto-restart when my program crashes, I have to find another tool that will wrap and monitor the process? I've done all this tedious work in Linux long ago, and I'm not willing to do it again.
If the question was "Why OpenBSD instead of Linux", I don't think documentation is a good argument. In fact, the only strong response I've read is "to try something a bit different and more niche".
complete, useful, well written and contently at hand.
The new 7.8 release should bring some more performance, haven't tested it yet though.
Remember the BSDs date from an era when you only had one core in the CPU.
Might be a leading cause of what you're seeing.
You can turn on hyperthreading if you need/want it: https://www.openbsd.org/faq/faq10.html#SMT
Also, it's likely already in a VM.
I moved some stuff away from OpenBSD when the release of Linux 2.4 implemented all missing firewall functionality - but kept others still due to the early issues with the 2.4 kernel. But by the time 2.5 was getting decent - roughly a year before the 2.6 release - in most cases just using Linux with a custom 2.5 kernel was the better option.
Now that I think of it, when I switched from DOS to Linux it was already because I found manpages amazing. Maybe I've just a soft spot for documentation.
Yes if raw performance is your top priority, linux wins. But for a desktop or general-purpose server, that's not the most important thing for me.
I see some reasons:
- the BSD license
- the system is composed of pieces written to work together, it is built from start up as a coherent operating system as opposed to things cobbled together like other UNIX-like OS-es do
incidentally, the requirement of the GPL is not to upstream your stuff, but to offer to make the modified source available to anyone you distribute the code to. Often the same in practice, but does not have to be.
I use FreeBSD+ZFS for storage servers. I definitely want to use ZFS for these and I don't think Linux+ZFS is as good a combination.
It depends on what you want to do. If you want a typical laptop with a desktop environment, then FreeBSD might not be a good choice. Horses for courses.
I'd love it if Gentoo/BSD were a thing once again, I like the BSD concepts but there's nothing like Portage on BSD so far - afaik pkgsrc is nowhere close to it.
Honestly myself, I prefer NetBSD approaches to many things, or for Linux Alpine, which is perfectly small, minimal and secure by default.
Single source tree for kernel and userland
"BSD from scratch" is less work than Linux from scratch
And the point of "why waste time for captcha for static file" still stands, it's not like there is comment section for bots to abuse
Don't blame this on site operators, this is the fault of careless LLM operators knocking down everybody's walls doors and windows to "learn" from their content.
You mistake dismiss with "do opposite"
Unfortunately I also kind of lost faith in the BSD variants. There are a few minor things such as PC-BSD suddenly vanishing, or years before NetBSD on their mailing list admitting that Linux outperformed their "runs on any toaster and other gimmick" strategy. But one of the key issues I had was this:
I installed it (FreeBSD) on my second computer. I went out of my apartment and returned hours later. Well, the FreeBSD machine was no longer running; my linux machine on the other hand is running non-stop for months, literally. This may be a fluke, perhaps the computer had a problem - I am not saying this is really what the BSDs are all about, as I also had them installed before. But then I also asked myself "why would I want to bother with the BSDs, if Linux simply runs better?". And I haven't found a good, convincing answer to that for me to rationalise why I'd still be using the BSDs. Note: I also use Linux in a non-standard way, e. g. versioned AppDirs, but essentially Linux is simply more flexible than the BSDs (that is my opinion) and there are more users too. There will be always some BSD users, but to me they are like a dying breed. They would need to market themselves as a "runs outside the nerd bubble as well"; even Linux is still stuck in its own nerd bubble. You have to break out of it if you want to really dominate (Linux semi-does it indirectly, e. g. we can count many smartphones as Linux-driven, but I am still using a desktop computer system here, so to me this is what really counts, even if the total number is less than the smartphone users numbers).
Had BSD not been busy with AT&T lawsuit, all major UNIXes would probably still be around, consuming whatever was produced out of BSD like the networking code and OS IPC improvements over AT&T UNIX.
Instead sponsoring Linux kernel became the plan B, as means to reduce their UNIX development costs.
> Commercial use began when Dell and IBM, followed by Hewlett-Packard, started offering Linux support to escape Microsoft's monopoly in the desktop operating system market
-- https://en.wikipedia.org/wiki/Linux
> 1998: Many major companies such as IBM, Compaq and Oracle announce their support for Linux.
-- https://en.wikipedia.org/wiki/History_of_Linux
Ironically the major contributor to many GNU/Linux critical components, Red-Hat, is now an IBM subsiduary, recouping that investment beyond doing only Aix.
It is no accident that all FOSS OSes that came after Linux, none of them has adopted GPL, as big corporations would rather not be obliged by it.
After all, the GPL forces to contribute back only if you modify and distribute a modified version of the software (the AGPL modified this point, to account for cloud services). A corporation that isn't modifying GPL'd code or isn't redistributing the modified binaries, doesn't incur any additional burden for using a software distributed under the GPL.
A year or so later our main DB on Windows (long story on why we were running windows DBs with most of the other kit being BSD/Linux) had a total corruption incident (it was painful, but we had a replica failover that we recovered from) - turns out we could get an answer from Dell since Windows was obviously supported by Dell themselves. There was a known issue with that model of RAID controller that would result in random and total corruption - and there was no way to fix it in firmware.
I was smug about it, but had to concede that people should still be given an informed choice. IIRC Dell was very quiet about it, which is certainly not "informed choice". Had we known, we'd have shelled out for different hardware for our databases!
I left the company before things were totally resolved, but I think dell ultimately gave people who complained LSI cards, but it took awhile for those to be designed and manufactured to fit the internal drive slot. Most people who were also using external arrays moved to third party ones or other hardware.
Some background from an OpenBSD dev: