Revision as of 01:38, 30 December 2023 edit 85.64.76.29 (talk) Undid revision 1190412567 by TakodaNotDakota (talk): "Could potentially" is redundant — "could" suffices; the topic of this article is security, and when presented with the theoretical options of having security by default versus working for it, the latter objectively "wastes time". Tag: Undo ← Previous edit		Revision as of 20:59, 17 March 2024 edit undo Braincricket (talk \| contribs) Extended confirmed users, Pending changes reviewers, Rollbackers 11,449 edits →Other features: rm possible vandalism Tag: Reverted Next edit →
Line 50: OpenBSD has a history of providing its users with [[Full disclosure (computer security)\|full disclosure]] in relation to various bugs and security breaches detected by the OpenBSD team.<ref>{{cite web \|url=http://bsd.slashdot.org/story/00/12/11/1455210/theo-de-raadt-responds \|title=Theo de Raadt Responds \|last=Miller \|first=Robin \|publisher=[[Slashdot]] \|date=December 11, 2000 \|url-status=live \|archive-url=https://web.archive.org/web/20110728031830/http://bsd.slashdot.org/story/00/12/11/1455210/Theo-de-Raadt-Responds \|archive-date=July 28, 2011 \|access-date=May 16, 2014 }}</ref> This is exemplified by [[OpenBSD#Slogan\|the project's slogan]]: "Only two remote holes in the default install, in a heck of a long time!" OpenBSD is intended to be secure by default, which includes (but is not limited to) having all non-essential services be disabled by default. This is done not only to ~~not~~ require users to learn how ~~and waste time~~ to secure their computers after installing OpenBSD, but also in hope of making users more aware of security considerations, by requiring them to make conscious decisions to enable features that could reduce their security. <ref>{{cite web \|title=OpenBSD: Security — "Secure by Default" \|url=https://www.openbsd.org/security.html#default \|website=www.openbsd.org \|access-date=27 September 2023}}</ref> OpenBSD 5.9 included support for the then–new <code>pledge</code> [[system call]] (introduced in OpenBSD 5.8 as <code>tame</code> and renamed in 5.9 to <code>pledge</code>) for restricting process capabilities to a minimal subset required for correct operation.<ref>{{cite web\|title=pledge() - a new mitigation mechanism\|url=https://www.openbsd.org/papers/hackfest2015-pledge\|website=OpenBSD\|access-date=May 19, 2018}}</ref> If the process is compromised and attempts to perform an unintended behavior, it will be terminated by the kernel. OpenBSD 6.4 introduced the <code>unveil</code> [[system call]] for restricting [[filesystem]] visibility to a minimum level.<ref>{{cite web\|title=unveil — unveil parts of a restricted filesystem view\|url=https://man.openbsd.org/unveil\|website=OpenBSD manual pages\|access-date=2020-05-15}}</ref> <code>pledge</code> and <code>unveil</code> are used together to confine applications, further limiting what they're otherwise permitted to do under the user account they're running as. Since the introduction of <code>pledge</code>, base OpenBSD programs (included [[Out of the box (feature)\|out of the box]] in OpenBSD), applications (handled by their developers), and ports (of applications, handled by the OpenBSD team) have been updated to be confined with <code>pledge</code> and/or <code>unveil</code>. Some examples of third-party applications updated with these features (by their developers or in OpenBSD's app ports) include the [[Chromium (web browser)\|Chromium]] and [[Firefox]] [[web browser]]s.

OpenBSD security features: Difference between revisions