Wikipedia

OpenBSD security features: Difference between revisions

Browse history interactively
← Previous editNext edit →
Content deleted Content added
VisualWikitext
Added and cited reference: Palmer-and-Nazario-2004
AnomieBOT (talk | contribs)
Bots
6,861,527 edits
m Dating maintenance tags: {{Citation needed}}
Line 33:
 
==X11==
All parts of X11 on OpenBSD are running as the user, except for the X server, which is split between a privilege-stripped X process run as root, and an X process run as the _X11 user. {{citation needed|Checked by Freenode IRC users, need additional source |date=OctOctober 2017}}
 
In X11 on OpenBSD, neither the X server nor X clients normally have any escalated direct memory or hardware privileges: When driving X with the Intel(4) or Radeon(4) drivers, these normally interact with the underlying hardware via the Direct Rendering Management(4) kernel interface only, so that lowlevel memory/hardware access is handled solely by the kernel. Other drivers such as WSFB follow a similar pattern. For this reason, X11 on OpenBSD does not open up lowlevel memory or hardware access to user/root programs as is done on some other systems, and as was done in the past, which then needed the user to escalate the machdep.allowaperture setting from its default zero setting, to an unsecure setting.{{citation needed|Needs additional verification, discussed on chat forums|date=OctOctober 2017}}
 
OpenBSD's version of the [[X Window System]] (named [[Xenocara]]) has some security modifications. The [[X.Org Server|server]] and some of the default applications are patched to make use of [[privilege separation]], and OpenBSD provides an "aperture" driver to limit X's access to memory.<ref>{{Cite web|url=http://man.openbsd.org/OpenBSD-5.9/man4/xf86.4|title=xf86 – X Window System aperture driver|website=OpenBSD manual pages|access-date=May 26, 2016}}</ref> However, after work on X security flaws by Loïc Duflot, Theo de Raadt commented that the aperture driver was merely "the best we can do" and that X "violates all the security models you will hear of in a university class."<ref>{{cite mailing list |url=https://marc.info/?l=openbsd-misc&m=114738577123893&w=2 |title=Re: security bug in x86 hardware (thanks to X WIndows) |date=May 11, 2006 |accessdate=May 26, 2016 |mailing-list=openbsd-misc |last=de Raadt |first=Theo |authorlink=Theo de Raadt }}</ref> He went on to castigate X developers for "taking their time at solving this > 10-year-old problem." On November 29, 2006, a [[VESA BIOS Extensions|VESA]] kernel driver was developed that permitted X to run, albeit more slowly, without the use of the aperture driver.<ref>{{cite mailing list |url=https://marc.info/?l=openbsd-cvs&m=116483366219125&w=2 |title=CVS: cvs.openbsd.org: XF4 |date=November 29, 2006 |accessdate=May 26, 2016 |mailing-list=openbsd-cvs |last=Herrb |first=Matthieu }}</ref>
Retrieved from "https://en.wikipedia.org/wiki/OpenBSD_security_features"