
FreeBSD "security" is shit


Thread replies: 164
Thread images: 7

File: freebsd-logo.png (32KB, 178x175px)
Stole this link from >>55837067 for more discussion.

https://vez.mrsk.me/freebsd-defaults.txt

FreeBSD security is a joke.

tl;dr - All their tools run as root, updating FreeBSD for security flaws can cause you to GET owned, insecure default settings everywhere, no memory protections, OS comes with unsupported version of OpenSSL, etc.

Any thoughts, /g/entlemen?
>>
Just switch to linux already
>>
>implying anyone takes freebsd seriously in the first place
>>
>>55851973
Don't you have anything better to do than shitpost in BSD related threads?
>>
A lot of these fixes seem to be laid out very clearly -- what's stopping FreeBSD from making the changes? Do they not care?
>>
>>55851838
I think what FreeBSD likes to do is let the user be in control of their security. I still prefer OpenBSD however.
>>
>>55852645
muh backwards compatibility
>>
b-but bsd is more secure than linux!!
>>
>>55852881
There is more than one BSD, FreeBSD is just one of them. You still have Open/Net/DragonflyBSD available. Now go shitpost somewhere else.
>>
>>55852881
>FreeBSD is the only BSD
FreeBSD's not even the one known for its security, you fucking dumbass.
>>
>>55852678
Does OpenBSD come with a GUI?

I tried PCBSD recently, but I couldn't get it to boot after finishing the installation.
>>
why even go through all that work?

just install openbsd.
>>
>>55852913
Yes
>>
>>55851838
I'm thinking about installing FreeBSD. Are derivatives like PC-BSD and GhostBSD even worth my time?
>>
>>55852959
Hell no, PC-BSD is shit.

That's just my opinion, though.
>>
>>55852998
What about GhostBSD? I've heard it's fairly good.
>>
>>55853006
That one I never actually tried. Maybe I should.
>>
>>55852998
Any BSD besides Net and Open is complete garbage.
>>
>>55853035
FreeBSD has some merits, so does Dragonfly.

I say this as an OpenBSD user.
>>
>>55853044
OpenBSD user here, this
>>
How difficult would it be to run certain commands as a non-root user? Can't this be done simply with su/sudo like in Linux?
>>
>>55853065
su is a standard unix utility, so yes, it exists in all BSDs.

they also have sudo in their packages. openbsd ships with doas, which is perfect for you if all you used sudo for was elevating privilege temporarily
>>
>>55851838
BSD cucks BTFO
>pkg
- no flexibility with what options things are built with
- must wait on the project to rebuild/update things
>ports
- it can take a long time to compile things, especially web browsers
- multiple unrelated tools involved (portsnap/svn, portmaster/portupgrade)


Both the ports system and pkg will do a lot of things as root where it's not
needed at all. I brought this up to a member of the ports security team and
he just shrugged it off. Simply because portsnap checks the snapshots it
fetches against a public key, he figured there was nothing to worry about.
I have to question their credibility sometimes. It's true that verifying
the files it fetches would indeed be a good countermeasure... if that was
done before the more dangerous operations. But it's not. The data integrity
check is done very late in the process, giving plenty of opportunity for
exploits against the other tools, all running as root and taking untrusted
input from the internet. Both portsnap and freebsd-update have a serious
design flaw here that could be easily fixed. Perhaps they have the utmost
confidence in the tools being bug-free. I try to be a bit more realistic.

But there's a lot more risk involved than just letting root go out to the
internet to download files. Perhaps a short summary of how building ports
works is needed for clarification here. The steps involved can be condensed
into the following:

- Fetching and updating the ports tree (a collection of makefiles and patches)
- Fetching the software's source code
- Verifying the checksum of the file(s)
- Extracting the source tarball
- Configuring, patching and building the application
- Creating a package from the built files
- Installing the package to your system (if desired)

So how many of these actually need to be done as root? Only the last one.
And how many of these are done as root by default in FreeBSD? All of them.
>>
>>55853367
*FreeBSD

still has merits though
>>
>>55851838
Netflix servers rooted yet ?
They run FreeBSD.
>>
>>55853367
install gentoo
>>
>>55853380
kek OpenBSD doesn't even have MAC and ZFS

>>55853415
This, actually
>>
>>55853424
Most people turn off MAC, MAC is not the end all security.
>>
>>55853424
so what side are you on then

you shitpost about freebsd then shitpost about openbsd

can you just admit that you're an autistic retard at least
>>
>>55853462
>can you just admit that you're an autistic retard at least

/g/ in a nutshell
>>
>>55853462
I'm on Gentoo's side
>>
I find it funny how much shitposting BSD attracts. We have the FreeBSD autist who goes on and on about MUH JAILS and MUH MAC like they're the most important feature, the handful of shitposters who say to install linux and cut down BSD as much as possible, and then there are the shitposters who keep attacking it as a "toy OS for hipsters". It's unbelievable how much shitposting BSD gets.
>>
Is FreeBSD or OpenBSD better for more of a general use scene? I fancy switching over to it permanently from GNU/Linux but not entirely sure of the differences and advantages/disadvantages of each of the two. Someone mind filling me in? I know my way around using Unix and its terminals.
>>
Does Debian GNU/BSD have ports system?
>>
>>55853506
i used to think it was always the same guy but no it's actually 3-4 autists

it's simply unbelievable

>>55853548
openbsd is more general use than freebsd, if you can use freebsd as a desktop then that's good for you, but you should know that the devs don't really intend it that way
>>
>>55853548
OpenBSD's your best bet for a desktop system, FreeBSD's geared more towards servers. Though you can make either work.
>>
>>55853555
Actually, FreeBSD is more general purpose. OpenBSD strives for code correctness, security, and stability above all else. You won't find fancy features in OpenBSD, but you will find rock solid stability.
>>
>>55853548

FreeBSD users will tell you it's better, OpenBSD users will tell you it's better. Try both, check out their documentation, come to your own conclusion. It's not like it costs anything but your time.

...and you're on /g/, so you have plenty of that.
>>
>>55853568
but then again, which one actually comes with X in base?
>>
>>55853599
Why doesn't FreeBSD come with X in the base?
>>
>>55852194
Netapp, Juniper and Netflix do
>>
>>55853613
mostly because it's used in server roles

again, it CAN work as a desktop, but it doesn't seem to be freebsd's main goal

>The Power to Serve
>>
>>55853599

Open includes X with the base system as an optional component in the install.
>>
>>55853905
exactly

they even technically forked it and did some work on it by themselves

some of it got accepted upstream, some of it didn't
>>
The irony of being unable to apply security patches because the updating tool has known vulnerabilities is delicious.

https://lists.freebsd.org/pipermail/freebsd-security/2016-July/009016.html
>>
File: 1458870164617.png (21KB, 200x130px)
Who cares, the only BSD worth using has only ever been OpenBSD.
>>
>>55854461
the last thing we need in these threads is in-fighting
>>
>>55854469
OpenBSD was born out of infighting. The only reason it exists is because the FreeBSD folk were incompetent faggots, and here today we see more proof of this.
>>
>>55854496
>The only reason it exists is because the FreeBSD folk were incompetent
try netbsd

the funny thing is one of the netbsd devs came out and said that kicking theo out is what bit them in the ass in the long run
>>
>>55851838
who in the right mind uses bsd anyways?
>>
Dumb question: has anybody tried making a Linux distribution with the whole "designed as a single piece" philosophy? This is the primary thing that BSD is interesting to me for. It's refreshing coming from a galaxy full of glued together distros
>>
>>55854526

The BSDs are completely separate projects with different code, in contrast to Linux distros. While FreeBSD has a lot of the security problems mentioned in this thread, OpenBSD is actually pretty cool. Don't let one of them sucking turn you off from trying the others.
>>
>>55854617
unless someone decides to develop their own distro with their own userland, i don't think that will ever happen
>>
>>55854617

That's impossible with Linux. One team develops the kernel, another the userland, another the SSL library, another the ...
>>
>>55852944
Yes, it comes with FVWM in the default installation. Some random hardware issues, a workaround and a firmware update later, it comes with gnome 3.
I'd use it if it wasn't for the software I'm using, that old gcc is too harsh to compile with.
>>
>>55854676

You can install newer GCC or Clang from packages/ports you know.
>>
>>55854676
there is a newer version of GCC in ports

but yeah it's really a shame, not only does GCC now use GPLv3, which all BSD people despise, it also uses C++, which most C programmers (aka all of openbsd and linus torvalds) despise
>>
>>55854509
Theo might be an asshole, but it's honestly debatable if he's better at programming and computers than stallman or even linus.
>>
>>55852216
But this is a BSD shitting thread, anon.
>>
>>55854676
Don't forget cwm and twm
>GNOME3 on OpenBSD
You can stick with it if you want but I really advise against that.

>>55855173
No, it's a thread about FreeBSD's security issues.
>>
>>55854676
>>55855193
fvwm is the thing i never understood about openbsd

why the fuck is it even in base, the version's old as fuck too
>>
>>55855076
he did most of the porting work for the initial netbsd SPARC port
>>
>>55854378

> We have other documents, dated 2014 and 2015, detailing attacks against the update systems of multiple Linux distributions...

delete this
>>
If you were using BSD for security why weren't you using OpenBSD?
>>
>>55855633
let's be frank here, freebsd is meant to be a server OS

a server OS not having these security features is kind of mind-blowing in a way
>>
>>55855633
>it's okay for my system to have gaping security holes because security wasn't my primary intent for my system
Now there's some pants on head retarded logic.
>>
>>55853035
Any BSD besides Free is literally used by 5 people.
>>
>>55855662
>I want security
>lets use the BSD not known for caring about security
>WHAAA WHY IS THE SECURITY SO BAD

You're too retarded to even use a non-windows OS
>>
>>55855685
You are beyond retarded.
>>
>>55855684
Don't forget about the SJWs that use FreeBSD
>>
>>55851838
Linux uses root to update files too...You wouldn't be able to install stuff without it.

Also, in FreeBSD you can compile your shit in jails.

You have no real argument here.
>>
>>55855756
>Also, in FreeBSD you can compile your shit in jails.
>muh jails
Get over it, idiot.

Not everyone wants to set up a jail just to update their system, are you nuts?
>>
>>55855756
OP didn't really describe the problem. The issue is FreeBSD queries the package repos and fetches updates using the root account which is completely unnecessary. The only part that requires root privileges is the installation which is the last part.
>>
>>55855763
Lmao, you can't talk shit about jails when OpenMEMEsd still uses chroot. Jails are inescapable, you'll never need to worry about security.
>>
>>55855816
So you're just gonna go and ignore everything I'm saying.

Here's a tip: the more complex your system is, the easier it is to fuck up. Building a jail just for updating your system is insanity.
>>
>>55855816
>OpenMEMEsd
XD
>>
>>55855844
And the simpler you make it, the less secure it is.
>>
>>55855871
Yeah I guess Sendmail is good software then since it's so complex.
>>
>>55854676
who would need anything besides fvwm anyways.
>>
>>55855756
>Linux uses root to update files too...You wouldn't be able to install stuff without it.

Linux uses root to write the new files to the filesystem in directories that regular users can't write to by default.

It does not download, decompress, verify, or extract the files as root. If a bug (like the currently UNPATCHED one described on the security mailing list) is found in any of the software in this chain, the result is a root-level compromise. This is even easier to do on FreeBSD specifically, due to it having no ASLR, PIE, W^X, SSP or really any sort of exploit mitigation. What's more freebsd-update and portsnap fetch the files over plaintext http, not https. It's a very bad situation caused by very bad design.

>Also, in FreeBSD you can compile your shit in jails.

You can compile ports in jails, sure. You can't run freebsd-update in a jail -- even if you could, that doesn't update the host system!

>You have no real argument here.

I think it is you who has no argument, friend.
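As an added example (not FreeBSD's tooling and not posted by anyone in the thread), this is the privilege-separated layout that the ports step list earlier and the post above argue for: checksum verification and extraction run as an unprivileged build user, nothing parses the download before it is verified, and only the install step is privileged. BUILD_USER, the staging directory and the sample archive are assumptions constructed for the demo; the expected SHA-256 is assumed to come from a trusted source such as a signed manifest.

```shell
#!/bin/sh
# Added example, not FreeBSD's own tooling: an update pipeline laid out the way
# the post above argues it should be. Checksum verification and extraction run
# as an unprivileged build user, nothing parses the downloaded bytes before
# they are verified, and only the final install step is privileged.
# Assumptions: BUILD_USER exists (or is the current user), archives are .tar.gz,
# and the expected SHA-256 comes from a trusted source such as a signed manifest.

set -u
: "${BUILD_USER:=_updater}"   # hypothetical unprivileged account

# FreeBSD ships sha256(1) (-r gives "hash file" order); Linux has sha256sum(1).
if command -v sha256sum >/dev/null 2>&1; then SHA256_CMD="sha256sum"
else SHA256_CMD="sha256 -r"; fi

# Run an external command as BUILD_USER: directly if we already are that user,
# via su(1) if we are root. Never falls through to running it as root.
as_build_user() {
    if [ "$(id -un)" = "$BUILD_USER" ]; then
        "$@"
    elif [ "$(id -u)" -eq 0 ]; then
        su -m "$BUILD_USER" -c "$*"
    else
        echo "cannot switch to $BUILD_USER" >&2
        return 2
    fi
}

# Stage 1 (unprivileged): hash the download and compare it with the trusted
# value. This is the first thing that touches the untrusted file.
verify_archive() {
    actual=$(as_build_user $SHA256_CMD "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Stage 2 (unprivileged): only after verification does tar(1) see the bytes,
# and it writes into a staging directory owned by the build user.
stage_archive() {
    archive=$1; expected=$2; stagedir=$3
    verify_archive "$archive" "$expected" || {
        echo "checksum mismatch, refusing to extract $archive" >&2
        return 1
    }
    as_build_user mkdir -p "$stagedir" &&
        as_build_user tar -xzf "$archive" -C "$stagedir"
}

# Stage 3 (the only privileged step): copy the verified, staged tree into place.
install_staged() {
    stagedir=$1; dest=$2
    if [ "$(id -u)" -eq 0 ]; then priv=""
    elif command -v doas >/dev/null 2>&1; then priv="doas"
    elif command -v sudo >/dev/null 2>&1; then priv="sudo"
    else echo "no doas/sudo available for the install step" >&2; return 2; fi
    $priv mkdir -p "$dest" && $priv cp -R "$stagedir"/. "$dest"/
}

# Offline self-check with a constructed archive: the genuine file stages; a
# tampered checksum is rejected before extraction, so no staging dir appears.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/src" && echo "sample payload" > "$t/src/file.txt"
    tar -czf "$t/pkg.tgz" -C "$t" src
    good=$($SHA256_CMD "$t/pkg.tgz" | cut -d' ' -f1)
    bad=$(printf '%064d' 0)   # constructed wrong hash
    stage_archive "$t/pkg.tgz" "$good" "$t/stage" || return 1
    [ -f "$t/stage/src/file.txt" ] || return 1
    if stage_archive "$t/pkg.tgz" "$bad" "$t/stage2" 2>/dev/null; then return 1; fi
    [ ! -e "$t/stage2" ] || return 1
    rm -rf "$t"
}
```

Run `demo` as the build user to exercise the verify-then-extract path; `install_staged` is the only function that ever asks for elevated privileges.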
>>
>>55854676
>>55855887
CWM is another one that comes with OpenBSD and it's the best WM of all time.
>>
>>55855907
this
>>
>>55855882
debian does the same thing with exim
>>
>>55855865
samefagging your posts doesn't mean anyone actually thought it was funny...
>>
>>55855961
I was making fun of the retard, you dumbass.
>>
File: 1468862779808.jpg (58KB, 540x531px)
>>55851838
LibertyBSD
>>
>>55856040
That's just OpenBSD with a libre kernel. Theo chewed the guy who asked for a libre kernel out hard.
>>
>>55856071
well he's been fighting off blob allegations for like 3 decades

i'd be pretty fucking peeved too
>>
>>55856084
Firmware has never been classified as blobs because it runs off the hardware, not the OS.
>>
>>55856103
well yeah that's what i'm saying

even the anon above who said "openbsd with a libre kernel" is wrong since the kernel has NO blobs in the first place
>>
>>55855816
For an OS that doesn't even have ASLR it's probably easier to break out of a jail than a linux chroot
>>
>>55856145
At least FreeBSD doesn't have an FBI backdoor like OpenMEMEsd does.
>>
>>55856196
there he is, there he goes again
>>
>>55856196
Nice FUD
>>
>>55856196

With a security record as bad as FreeBSD's, there doesn't even need to be a backdoor.

Anyone can get in already.
>>
File: image.png (2MB, 1600x900px)
>>55856227
>>
>>55856084
>>55856111
If you're interested in theo yelling at someone, here it is.
https://news.ycombinator.com/item?id=9671025

https://marc.info/?l=openbsd-misc&m=143355112811564&w=2
>>
>>55856544
im honestly shocked he still responds to "lol you have blobs"
>>
>>55856544
lmfao
>>
Man, I'm trying out OpenBSD in a vm, it's amazing how tiny the ISOs are. It can still fit on a regular 700mb CD and still have plenty of room on it when these days 1-2 GB is standard for an OS ISO.
>>
>>55855903
The packages managers which you run as root do a bit more than just copy a few files over.

I do believe the files freebsd-update and portsnap fetch are signed so it doesn't matter if they use https.

FreeBSD does have ASLR and other forms of exploit mitigation.
>>
>>55856803
Yeah, it's truly amazing.

Probably one of the few operating systems that can still be installed from floppies.
>>
>>55856877
You were proven wrong and your response is just... lie? Maybe /g/ is worse than I remember. Everything >>55855903 said was technically accurate.

Epic troll xD etc. 1/10
>>
>>55856877
>FreeBSD does have ASLR and other forms of exploit mitigation.
not in any current release, maybe rotting somewhere in -HEAD
>>
>>55856961
>>FreeBSD does have ASLR and other forms of exploit mitigation.
>not in any current release, maybe rotting somewhere in -HEAD

Not even there.

https://www.freebsd.org/news/status/report-2016-04-2016-06.html#ASLR-Interim-State

This recent report discusses introducing (a very weak) ASLR implementation in -CURRENT. It's not in SVN anywhere yet, and even when it is, it'll be mostly useless without the other protections like W^X.
>>
I was thinking about installing FreeBSD on my Kimsufi, thanks for the discouragement.
>>
Well, that's fucked. My seedbox runs freebsd and did an update a day ago.
Would all boxes be considered compromised now ?
>>
>>55856950
Nah, I was wrong about the ASLR. I was just remembering wrong.

As for the other stuff, why would the updater need to use http for signed packages?

I assume the part about freebsd-update running as root is referring to that bug, but I was just pointing out that most package managers in Linux have to be run as root whether or not everything they end up triggering is run as root.
>>
>>55857127
>As for the other stuff, why would the updater need to use http for signed packages?

As mentioned in the OP post, those tools run as root. They do decompression, extraction and (in the case of freebsd-update and portsnap) run a variety of text manipulation tools AS ROOT on UNTRUSTED INPUT from the internet BEFORE verifying their contents. It's a design flaw. There's no concept of privilege separation in FreeBSD's updating tools.
>>
This means that most freebsd servers are compromised ? That sucks desu
>>
>>55856103
But GNU calls the firmware blobs.

Therefore you should call them blobs too.
>>
>>55857410
yeah, it was based on plan 9's rio

you can even theme it to look exactly the same, I know I did
>>
>>55857467
Since when is GNU the authority of the fucking land?
>>
>>55857514
Since 1983. GNU is absolutely the only correct choice to freedom.
>>
>>55857560
>GNU
>freedom
top kek
>>
>>55857575
>GNU
>Freedom
>If you violate our licenses we will sue you and force you to be free
>>
>>55857449
It did get compromised once in 2012.
>>
>>55857607
>we'll sue you for practicing your freedoms that we disapprove of
Exactly my point.
>>
>>55857623
And now ?
>>
>>55857560
>GNU is absolutely the only correct choice to freedom.
and communism is a good ideology while we're at it
>>
>>55857766
GNU isn't communism. When you take something to make sure there is equal share, it's gone.

When you take something in the digital world, it's always saved in its original location. Communism cannot work in the digital world.
>>
>>55857992
no, GNU is communism because its followers are so fucking cult-like and think there's only one way to do things and try to force everyone to do it
>>
Faggots never heard of HardenedBSD
>>
>>55858957
That's a pretty noble project, shame that FreeBSD doesn't seem to be taking them seriously.
>>
>>55856877
>ASLR
Isn't this more or less useless? All I ever see in the news related to it are people breaking it easily on various platforms. If you have any other security problem ASLR seems to be easily defeated.

In relation to FreeBSD I think Sony's PS3, PSVita, and PS4 systems use ASLR on top of FreeBSD.
>>
>>55859157
it's an extra layer, it's never infallible but it's better to have it than not having it at all
>>
>>55856887

Windows 10 can be installed on floppies.

Windows 8.1 can be, too.


What the fuck are you talking about.
>>
>>55859241
if that's even true, there's no official support for it

the openbsd team actually tries to get this stuff to fit on a floppy, that's one of their main goals
>>
File: 94GFNGX.jpg (91KB, 1024x768px)
>>55859275
>>
>>55858957
>just use this fork with two developers!
>>
>>55859275
this actually makes me wonder though, could you swap out the floppies during installation?

can the installer handle that or do you have to install base first, boot into the system, and extract the other sets?
>>
>>55859241
Windows 10 doesn't even support floppy drives and you're telling me it can be installed on one? Sure thing bud.
>>
The guy who wrote that text is an OpenBSD user, for context.
>>
>>55859688
a lot of openbsd users and even developers openly shit on freebsd security practices, even at conferences

you kind of have to appreciate that they have the balls to do that
>>
>>55859702
I've heard FreeBSD developers shitting on OpenBSD practices too, so it goes both ways. I suppose it's all in fun though.
>>
still no aslr, no w^x and no pie? i thought pfsense was good, but now someone needs to port it to openbsd.
>>
>>55859915
i always thought it was weird that pfsense was based on freebsd when their pf implementation is at least 6 years behind
>>
>>55859915
Why? Just use pf
>>
>>55856544
Theo is a very nice man from the interactions I've had with him.
Depends on who you are, I guess.
>>
>>55859939
theo obviously knows that on the internet being "nice" doesn't really matter

from his presentations he just seems like a really passionate guy to me

he just hates white noise, most likely
>>
>>55858027
No, that'd be socialism. GNUtards are socialists or closet socialists.
BSD/MIT licences are more akin to communism since they provide more freedom.
>>
>>55859932
I think the main reason no one uses OpenBSD as a base for specialized distros is the OS is already quite capable of doing anything you want it to with a little configuration. Also OpenBSD doesn't really have a stable release that a dev could use as a base anyway
>>
>>55860146
Yeah I guess no one feels like keeping up with the 6 month release cycle.

And maybe they feel threatened by the community, I don't know. FreeBSD is definitely the most corporate and professional of them all.

It's not like PF is super difficult to use anyway, it was written so a geriatric grandmother could understand it.
>>
File: 4L_GJbJ3za0.jpg (66KB, 500x590px)
>>55851838
What are freebsd jails?
Nice b8 op.
>>
How does one learn what proper security standards are on operating systems?

What makes an operating system secure?
>>
>>55860228
i don't think there's really an answer to that

an operating is never completely secure, never assume that
>>
>>55859990

linus has also gotten flak for speaking his mind a little too openly. i'm sure it's a stress thing when you manage people/projects and have to deal with corrections AFTER implementations especially when you're the one who gets blamed for failures.
>>
>>55860774
both also have to fend off militant freetards
>>
>>55860228

common criteria: enterprise assurance level. extension of dod rainbow series. most oses implement their own ideas of those concepts.
>>
>>55860228
Simple, if the OS implements TCP/IP it can't be confirmed secure.
>>
>>55857109
>>55857449
>>55857751
> _?
> _?
> _?
Are you French? Please stop leaving a space after the last word and the question mark.
>>
>>55851838
So the broadcom driver for BCM43142 doesn't work on FreeBSD?
>>
>>55861424
https://www.freebsd.org/relnotes/CURRENT/hardware/support.html
it does, apparently

says bcm43xxx right here
>>
File: jeremy-gabriel.jpg (7KB, 200x200px)
>>55861399
>Autistic child triggered ?
>>
>>55861569
lol are you from quebec too
>>
>>55861569
>refuses help on English on an English-speaking website
Go find some French imageboard, s'il te plaît.
>>
>>55852959
>>55853006
GhostBSD is okay but feels like an inferior Linux. It's also one version behind freeBSD.
>>
>>55859317
>floppy 3307 is corrupted
>>
>>55860573
>an operating is never completely secure, never assume that
My doctor told me the same thing actually
>>
>>55856887
I don't think you can still install OpenBSD on floppies because even the boot iso is 9 MB, well over the 1.44 MB limit. If there is a way to install OpenBSD on floppies, let me know.
>>
>>55862975
You can still install from floppy
http://www.openbsd.org/faq/faq4.html#MkInsMedia
>Creating floppies in OpenBSD can be done with fdformat(1) to prep the disk, dd(1) to write the image, then cmp(1) to verify the write was good. A similar process can be used on other Unix platforms.
>>
>>55852194

>literally the back bone of the internet
>linux desktop ricers think their hacked together POS OS is somehow relevant
>>
>>55851838
You dun' goof'd OP

It is well-known that in the BSD world, local exploits aren't even considered serious.
>>
OpenBSD baked in NSA spying...