BSD, OpenBSD

Transkript

BSD, OpenBSD

*BSD, OpenBSD
Milan Přı́hoda
Středisko UN*Xových technologiı́
1. 12. 2009
Milan Přı́hoda
*BSD, OpenBSD
Berkeley Software Distribution
• BSD vzešlo z AT&T UNIXu v 70-tých letech
• 1BSD – 1977, Bill Joy, doplněk k AT&T UNIXu release 6.
Kompilátor Pascalu, ex editor.
• 2BSD – 1978, csh, vi
• 4BSD – 1980, job control, csh, signály
• 4.2BSD – 1983, TCP/IP
• 4.3BSD – 1986, nameserver, nfs
• 4.4BSD-lite – 1994, neobsahuje žádný kód AT&T
• 4.4BSD-lite-relelase 2. – 1995, v Berkeley se končı́ s
vývojem. Pokračujı́ dalšı́ projekty.
http://www.levenez.com/unix/
Milan Přı́hoda
*BSD, OpenBSD
FreeBSD
The Power to Serve
• Vzešlo z 386BSD
• Nejrozšı́řenějšı́ BSD
• Jails, jail(8)
• ZFS
• alpha, amd64, ia64, i386, pc98, Sparc64
Milan Přı́hoda
*BSD, OpenBSD
NetBSD
• Prvnı́ opensource běžı́cı́ na SGI strojı́ch
• Zaměřeno na portovánı́ rozličných HW architektur (V
současné chvı́li 57 portů)
• acorn26, acorn32, algor, alpha, amd64, amiga, amigappc,
arc, atari, bebox, cats, cesfic, cobalt, dreamcast, evbarm,
evbmips, evbppc, evbsh3, ews4800mips, hp300, hp700,
hpcarm, hpcmips, hpcsh, i386, ia64, ibmnws, iyonix,
landisk, luna68k, mac68k, macppc, mipsco, mmeye,
mvme68k, mvmeppc, netwinder, news68k, newsmips,
next68k, ofppc, playstation2, pmax, prep, rs6000,
sandpoint, sbmips, sgimips, shark, sparc, sparc64, sun2,
sun3, vax, x68k, xen, zaurus
Milan Přı́hoda
*BSD, OpenBSD
NetBSD
Of Course it runs NetBSD
• Prvnı́ opensource běžı́cı́ na SGI strojı́ch
• Zaměřeno na portovánı́ rozličných HW architektur (V
současné chvı́li 57 portů)
• acorn26, acorn32, algor, alpha, amd64, amiga, amigappc,
arc, atari, bebox, cats, cesfic, cobalt, dreamcast, evbarm,
evbmips, evbppc, evbsh3, ews4800mips, hp300, hp700,
hpcarm, hpcmips, hpcsh, i386, ia64, ibmnws, iyonix,
landisk, luna68k, mac68k, macppc, mipsco, mmeye,
mvme68k, mvmeppc, netwinder, news68k, newsmips,
next68k, ofppc, playstation2, pmax, prep, rs6000,
sandpoint, sbmips, sgimips, shark, sparc, sparc64, sun2,
sun3, vax, x68k, xen, zaurus
Milan Přı́hoda
*BSD, OpenBSD
NetBSD
Binárnı́ kompatibilita (emulace)
• BSD/OS (i386)
• Darwin (macppc)
• FreeBSD (i386)
• HP-UX (m68k)
• IRIX (sgimips)
• Linux (i386, m68k, alpha, powerpc, mips, arm)
• OSF1/Digitial UNIX/Tru64 (alpha)
• SCO/iBCS2 (i386)
• Solaris and SVR4 (sparc, sparc64, i386, m68k)
• SunOS 4 (sparc, sparc64, m68k)
• ULTRIX (mips, vax)
Milan Přı́hoda
*BSD, OpenBSD
NetBSD
www.netbsd.org
www.freeshell.org
www.embeddedarm.com/software/arm-netbsd-toaster.php
Milan Přı́hoda
*BSD, OpenBSD
OpenBSD
Free, functional and secure
• Vzniklo jak fork NetBSD v roce 1995
• Vedoucı́ projektu: Theo De Raadt
• Jednoduchost, bezpečnost, kvalitnı́ dokumentace
• Čitelné zdrojáky style(9)
• 100% otevřené, nulová tolerance k binárnı́m ”blobům”
• OpenSSH, OpenBGPD, OpenNTPD, OpenCVS
Milan Přı́hoda
*BSD, OpenBSD
OpenBSD
• Současná verze 4.6
• RELEASE jednou za půl roku
• Ke každému RELEASE se vydávajı́ tři nosiče cdrom, triko,
pı́snička, ”povı́dka”
•
http://www.openbsd.com/orders.htm
• Hacketony
Milan Přı́hoda
*BSD, OpenBSD
OpenBSD
Podporované architektury
alpha, amd64, armish, hp300, hppa, i386, landisk, macppc,
mvme68k, mvme88k, sgi, socppc, sparc, sparc64, vax, zaurus
Milan Přı́hoda
*BSD, OpenBSD
OpenBSD
V OpenBSD nenajdete
• Podporu žurnálovacı́ch souborových systémů
• /etc/init.d nebo /etc/rc.d
• PAM
• Wine
• Přı́liš velkou podporu multimédiı́
• non-free firmware
Milan Přı́hoda
*BSD, OpenBSD
OpenBSD
Pouze dvě vzdáleně zneužitelné chyby v defaultnı́ instalaci
za sakra dlouhou dobu
• červen 2002, objevena chyba v OpenSSH umožnujı́cı́
přihlášenı́ jako root
http://www.openssh.com/txt/preauth.adv
• březen 2007, objevena chyba v implementaci IPv6
umožnujı́cı́ DOS útok vedoucı́ na krach systému
http://www.coresecurity.com/content/open-bsd-advisorie
Kdo použı́vá OpenBSD
...Adobe, ...,Prague Institute of Chemical Technology
http://www.openbsd.org/users.html
Milan Přı́hoda
*BSD, OpenBSD
OpenBSD
Q: Why do we ship cryptography?
A: Because we can.
Pseudo Random Number Generators
• Náhodná čı́sla se v OpenBSD generujı́ z
• Časovánı́ přerušenı́ myši
• Aktuálnı́ho stavu hodnot I/O operacı́ disků
• ...
• Náhodná čı́sla se v OpenBSD nativně použı́vajı́
• Přidělovánı́ PIDů
• ID IP datagramů
• DNS Query-ID
• ...
Milan Přı́hoda
*BSD, OpenBSD
OpenBSD
Q: Why do we ship cryptography?
A: Because we can.
Pseudo Random Number Generators
• Náhodná čı́sla se v OpenBSD generujı́ z
• Časovánı́ přerušenı́ myši
• Aktuálnı́ho stavu hodnot I/O operacı́ disků
• ...
• Náhodná čı́sla se v OpenBSD nativně použı́vajı́
• Přidělovánı́ PIDů
• ID IP datagramů
• DNS Query-ID
• ...
Milan Přı́hoda
*BSD, OpenBSD
OpenBSD
/dev/*random random(4)
• /dev/random – hardwareový generátor
• /dev/srandom – strong random
• /dev/urandom – normálnı́ random
• /dev/arandom – ARC4 arc4random(3)
Cryptography Accelerators
• VIA C3
• ...
WˆX - (W xor X)
• Zabraňuje současně zapisovat do paměti a spouštět.
• Útočnı́k nemá šanci dostat do paměti kód, který by se
později měl spustit.
• (PaX, NX bit)
Milan Přı́hoda
*BSD, OpenBSD
OpenBSD
/dev/*random random(4)
• /dev/random – hardwareový generátor
• /dev/srandom – strong random
• /dev/urandom – normálnı́ random
• /dev/arandom – ARC4 arc4random(3)
Cryptography Accelerators
• VIA C3
• ...
WˆX - (W xor X)
• Zabraňuje současně zapisovat do paměti a spouštět.
• Útočnı́k nemá šanci dostat do paměti kód, který by se
později měl spustit.
• (PaX, NX bit)
Milan Přı́hoda
*BSD, OpenBSD
OpenBSD, odlišnosti na prvnı́ pohled
• Odlišné pojmenovánı́ devices
• Striktnı́ vyžadovánı́ pořadı́ parametrů
• hier(7)
# ifconfig
hme0: flags=8822<BROADCAST,NOTRAILERS,SIMPLEX,MULTICAST> mtu 1500
lladdr 08:00:20:92:85:5d
priority: 0
media: Ethernet autoselect
bge0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:04:76:f1:26:c7
priority: 0
groups: egress
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet6 fe80::204:76ff:fef1:26c7%bge0 prefixlen 64 scopeid 0x2
inet 147.32.97.7 netmask 0xfffffe00 broadcast 147.32.97.255
Milan Přı́hoda
*BSD, OpenBSD
OpenBSD, hier(7)
• /usr/bin – Binárky ze základnı́ instalace
• /usr/local/ – Balı́čky mimo základnı́ instalaci
• /etc – Konfiguračnı́ soubory pro základnı́ systém
• /bsd – Samotné jádro systému
• /bsd.mp – Jádro s podporou vı́ce procesorů
• /bsd.rd – Jádro s ramdiskem
• /fastboot – Zamezı́ spuštěnı́ fsck po startu
• /proc – procfs se nepoužı́vá
• /sys – symbolic link to ‘usr/src/sys’
• Kde je vimrc ve Vašem systému ?
• Kde je crontab ve Vašem systému ?
Milan Přı́hoda
*BSD, OpenBSD
OpenBSD, hier(7)
• Kde je vimrc ve Vašem systému ?
Milan Přı́hoda
*BSD, OpenBSD
OpenBSD, hier(7)
• /usr/local/share/vim/vimrc
Milan Přı́hoda
*BSD, OpenBSD
OpenBSD, hier(7)
• /usr/local/share/vim/vimrc
• /var/cron/tabs/root
Milan Přı́hoda
*BSD, OpenBSD
Odlišnosti na dalšı́ pohled
• Partitions ? Slices ? fdisk ? disklabel ?
• Na i386/amd64 je potřeba jedna primárnı́ partition pro
OpenBSD
• disklabel(8), fdisk(8)
# fdisk -e wd0
fdisk: 1> p
Disk: wd0
geometry: 5168/240/63 [78140160 Sectors]
Offset: 0
Signature: 0xAA55
Starting
Ending
LBA Info:
#: id
C
H
S C
H
S [
start:
size ]
------------------------------------------------------------------------------0: 00
0
0
0 0
0
0 [
0:
0 ] unused
1: 00
0
0
0 0
0
0 [
0:
0 ] unused
2: 00
0
0
0 0
0
0 [
0:
0 ] unused
3:
A6
0
1
1
5167
239
63
[
63:
78140097
] OpenBSD
*
Milan Přı́hoda
*BSD, OpenBSD
OpenBSD, intro(4)
/dev/rsd1d
• sd – sd(4)
• 1 – disk unit
• d – slice (partition)
• r
# file /dev/sd0a
/dev/sd0a: block special
# file /dev/rsd0a
/dev/rsd0a: character special
Milan Přı́hoda
*BSD, OpenBSD
OpenBSD, intro(4)
# disklabel -pm wd0
# /dev/rwd0c:
type: ESDI
disk: ESDI/IDE disk
label: HTS548040M9AT00
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 240
sectors/cylinder: 15120
cylinders: 5168
total sectors: 78140160 # total bytes: 38154.4M
rpm: 3600
interleave: 1
boundstart: 0
boundend: 0
drivedata: 0
16 partitions:
#
size
a:
1024.0M
b:
511.1M
c:
38154.4M
d:
2645.0M
e:
4183.1M
f:
1231.2M
g:
1024.0M
h:
3626.1M
i:
1970.9M
j:
1970.9M
k:
19968.1M
offset
63
2097215
0
3143855
8560783
17127771
19649363
21746515
29172799
33209139
37245479
Milan Přı́hoda
fstype [fsize bsize
4.2BSD
2048 16384
swap
unused
4.2BSD
2048 16384
4.2BSD
2048 16384
4.2BSD
2048 16384
4.2BSD
2048 16384
4.2BSD
2048 16384
4.2BSD
2048 16384
4.2BSD
2048 16384
4.2BSD
2048 16384
*BSD, OpenBSD
cpg]
1 # /
1
1
1
1
1
1
1
1
#
#
#
#
#
#
#
#
/tmp
/var
/usr
/usr/X11R6
/usr/local
/usr/src
/usr/obj
/home
OpenBSD, sysctl, ddb
sysctl
sysctl(8)
• Nástroj pro nastavovánı́ jaderných parametrů za běhu
• Obdoba procfs a sysfs v Linuxu
• /etc/sysctl.conf
sysctl.conf(5)
vm.swapencrypt.enable
hw.model
net.inet.ip.forwarding
...
ddb
• Jaderný debugger
ddb(4)
• ddb se spustı́ nastane-li panic a zároveň ddb.panic=1
• lze spustit z konzole je-li ddb.console=1
Milan Přı́hoda
*BSD, OpenBSD
OpenBSD, securelevel
Securelevels securelevel(7)
• 4 bezpečnostnı́ úrovně, ve kterých se může jádro nacházet
• kern.securelevel
-1 Permanently insecure mode
0 Insecure mode
1 Secure mode
2 Highly secure mode
Milan Přı́hoda
*BSD, OpenBSD
kern.securelevel=0
Je nastaven v průběhu bootovánı́ systému, single user mode,
zařı́zenı́ jsou přı́stupná podle práv
kern.securelevel=1
Default pro multiuser. Nelze psát do /dev/mem. RAW devices
disků jsou ro, pokud je device přimountována. Nelze měnit
celou řadu parametrů jádra jako ddb.console, ddb.panic,
net.inet.ip.sourceroute.
kern.securelevel už nelze snižovat. Nelze načı́tat jaderné
moduly.
kern.securelevel=2
Shodné jako securelevel=1. RAW devices jsou ro vždy. Pravidla
filter a nat v PF nelze měnit.
kern.securelevel=-1
Shodné jako securelevel=0. Měnit securelevel lze jen přes
sysctl. Žádné jiné mechanismy nezměnı́ securelevel.
Milan Přı́hoda
*BSD, OpenBSD
kern.securelevel=0
kern.securelevel=1
moduly.
kern.securelevel=2
kern.securelevel=-1
Milan Přı́hoda
*BSD, OpenBSD
kern.securelevel=0
kern.securelevel=1
moduly.
kern.securelevel=2
kern.securelevel=-1
Milan Přı́hoda
*BSD, OpenBSD
kern.securelevel=0
kern.securelevel=1
moduly.
kern.securelevel=2
kern.securelevel=-1
Milan Přı́hoda
*BSD, OpenBSD
OpenBSD, jádro systému
/bsd
• Jádro systému je monolitické
• Utilitia config(8)
• Možnost zavádět jaderné moduly, téměř se nepoužı́vá
modload(8)
• Zdrojáky jádra - MirrorRootDir/verze/sys.tar.gz
• options(4)
...
#PCI Ethernet
hme*
at pci?
gem*
at pci?
cas*
at pci?
ti*
at pci?
skc*
at pci?
sk*
at skc?
mskc*
at pci?
msk*
at mskc?
fxp*
at pci?
xl*
at cardbus?
...
#
#
#
#
#
#
#
#
#
#
Sun Happy Meal 10/100
Sun GEM 10/100/Gigabit
Sun Cassini 100/Gigabit
Alteon Tigon 1Gb ethernet
SysKonnect GEnesis 984x
each port of above
Marvell Yukon-2
each port of above
EtherExpress 10/100B ethernet
3C9xx ethernet
Milan Přı́hoda
*BSD, OpenBSD
OpenBSD, kernel flags
Kernel flags
chflags(1)
• nodump – Nezálohuje se, při záloze pomocı́ dump(8)
• sappnd – System append-only. Do souboru lze jen
přidávat. (root, k odebránı́ je nutno
kern.securelevel < 1)
• uappnd – User append-olny, (root a vlastnı́k)
• schg – System immutable. Nelze mazat, přesunovat,
měnit. (root, k odebránı́ je nutno
kern.securelevel < 1)
• uchg – User immutable. (root a vlastnı́k)
Odstranit parametry lze pomocı́ přı́pony no před flag.
Milan Přı́hoda
*BSD, OpenBSD
OpenBSD, RAID
RAIDframe raid(4),raidctl(8)
• Nenı́ by-default v jádře, nutno přidat:
• pseudo-device raid 6
• RAID 0, 1, 4, 5
• /dev/{,r}raid*
• /etc/raid*.conf
START array
1 2 0
START disks
/dev/sd0d
/dev/sd1d
START layout
32 1 1 1
...
Milan Přı́hoda
*BSD, OpenBSD
OpenBSD, PF – packetfilter
Packet Filter
pf(4), pfctl(8), pf.conf(5)
• Převzalo FreeBSD, NetBSD, DragonFlyBSD
• Poslednı́ pravidlo vyhrává
• filter, nat, QoS, load balancing, packet tagging
• pflogd(8)
http://www.openbsd.org/faq/pf/index.html
Milan Přı́hoda
*BSD, OpenBSD
CARP, Common Address Redundancy Protocol
OpenBSD, co se jinam nevešlo
• systat(1), systrace(1), pwd mkdb(8),
cap mkdb(1)
• jot(1)
• rm -P
• netstat -rn
• /etc/daily, /etc/monthly
• Upgrading manual
www.undeadly.org
www.openbsd.org
[email protected]
Milan Přı́hoda
*BSD, OpenBSD
OpenBSD, co se jinam nevešlo II
OpenBSD:
$ wc -l echo.c
74 echo.c
$ wc -c echo.c
2474 echo.c
GNU:
$ wc -l echo.c
274 echo.c
$ wc -c echo.c
7735 echo.c
Milan Přı́hoda
*BSD, OpenBSD
Hádanka na závěr
• Mějme nedobytnou truhlici, která má následujı́cı́ vlastnosti:
Podle potřeby se na nı́ dá připevnit až nekonečně mnoho
petlic pro nekonečně mnoho visacı́ch zámků. Alespoň
jednı́m zámkem zamčená truhlice nelze otevřı́t (rozbı́t)
žádnou metodou ani hrubou silou. Truhlici je možné
přepravovat libovolnou přepravnı́ službou aniž by hrozilo
riziko poškozenı́, nedoručenı́, rozbitı́.
• Klı́če a zámky se naopak nedajı́ posı́lat žádnou přepravnı́
službou, protože hrozı́ riziko jejich zkopı́rovánı́.
• Kamarádky Alice z Prahy a Barbora ze Sydney, které se
nikdy neviděly a ani se jinak nemůžou vidět si v zamčené
truhlici posı́lajı́ dopisy, suvenýry a pod...
• Jak Barbora otevře v Sydney truhlici, kterou zamkla v
Praze Alice ?
Milan Přı́hoda
*BSD, OpenBSD
Praze Alice ?
Milan Přı́hoda
*BSD, OpenBSD
Praze Alice ?
Milan Přı́hoda
*BSD, OpenBSD
Praze Alice ?
Milan Přı́hoda
*BSD, OpenBSD

BSD, OpenBSD

Transkript

Podobné dokumenty

typ tiskárny typ kazety barva kapacita renovace kompatibilní originál

Administrace UNIXu

Nebezpečný Google – vyhledávání důvěrných

instalace free mcboot

Sborník příspěvků

01 - Počítačové sítě Počítačové sítě představují základní nástroj pro

diplomová práce

Síťové rozhraní.

prednaska02 163.38KB 10.12.2014 23:05:39

Chci vědět více o Be baby