Content deleted Content added
m Task 18 (cosmetic): eval 33 templates: hyphenate params (19×); |
link to the most current manpages |
||
Line 4:
== API and build changes ==
Bugs and security flaws are often caused by programmer error. A common source of error is the misuse of the <code>[[strcpy]]</code> and <code>[[strcat]]</code> [[String (computer science)|string]] functions in the [[C programming language|C]] programming language. There are two common alternatives, <code>[[strncpy]]</code> and <code>[[strncat]]</code>, but they can be difficult to understand and easy to misuse,<ref>{{Cite web|url=http://man.openbsd.org/OpenBSD-
On OpenBSD, the [[Linker (computing)|linker]] has been changed to issue a warning when [[C standard library#Buffer overflow vulnerabilities|unsafe string manipulation functions]], such as <code>strcpy</code>, <code>strcat</code>, or <code>[[sprintf]]</code>, are found. All occurrences of these functions in the OpenBSD source tree have been replaced.{{citation needed|reason=This is probably in their FAQ, or at least on the mailing lists (probably tech@)|date=May 2016}} In addition, a [[Static code analysis|static bounds checker]] is included in OpenBSD in an attempt to find other common programming mistakes at compile time.<ref>{{cite mailing list |url=https://marc.info/?l=openbsd-cvs&m=105665219927976 |title=CVS: cvs.openbsd.org: src |date=June 26, 2003 |access-date=March 31, 2013 |mailing-list=openbsd-cvs |last=Madhavapeddy |first=Anil }}</ref> Other security-related [[Application programming interface|APIs]] developed by the OpenBSD project include <code>issetugid</code><ref>{{Cite web|url=http://man.openbsd.org/OpenBSD-
== Kernel randomization ==
Line 34:
In X11 on OpenBSD, neither the X server nor X clients normally have any escalated direct memory or hardware privileges: When driving X with the Intel(4) or Radeon(4) drivers, these normally interact with the underlying hardware via the Direct Rendering Management(4) kernel interface only, so that lowlevel memory/hardware access is handled solely by the kernel. Other drivers such as WSFB follow a similar pattern. For this reason, X11 on OpenBSD does not open up lowlevel memory or hardware access to user/root programs as is done on some other systems, and as was done in the past, which then needed the user to escalate the machdep.allowaperture setting from its default zero setting, to an unsecure setting.{{citation needed|reason=Needs additional verification, discussed on chat forums|date=October 2017}}
OpenBSD's version of the [[X Window System]] (named [[Xenocara]]) has some security modifications. The [[X.Org Server|server]] and some of the default applications are patched to make use of [[privilege separation]], and OpenBSD provides an "aperture" driver to limit X's access to memory.<ref>{{Cite web|url=http://man.openbsd.org/OpenBSD-
On February 15, 2014, X was further modified to allow it to run without root privileges.<ref>{{cite mailing list |url=https://marc.info/?l=openbsd-cvs&;m=139245772023497&w=2 |title=CVS: cvs.openbsd.org: xenocara |date=February 15, 2014 |access-date=May 26, 2016 |mailing-list=openbsd-cvs |last=Kettenis |first=Mark}}</ref><ref>{{Cite web|url=http://undeadly.org/cgi?action=article&sid=20140223112426|title=Xorg can now run without privilege on OpenBSD|date=February 22, 2014|publisher=[[OpenBSD Journal]]|access-date=May 26, 2016}}</ref>
| |||