Bugtraq mailing list archives

Re: OpenBSD 2.9,2.8 local root compromise


From: Andreas Haugsnes <andreas () haugsnes no>
Date: Fri, 15 Jun 2001 19:58:42 +0200

If my opinions were misunderstood, I'll apologize for that.

I am currently an 'eager and happy user' of OpenBSD.
Used it for a couple of years, and I must say that
it has been among the better operating systems.
At the side I use FreeBSD, for servers as well as desktops.
The reason that I reacted was that normally, fixes for
'more trivial' errors are corrected -by day-.
The coders of OpenBSD are among the better, and up to now
have delivered patches/fixes -fast-, as well as informing users (see you/me) about it.

(If you in any sense feel that this discussion is taking a 'useless turn',
just say so. In the deep end, we're both users and enjoying every minute of it. :) )

Now, going back to your answer here.

The reason I reacted the way I did was not because I think "microsoft is
better". I have a very neutral opinion for OS', and some users may
prefer the ones easier to use.
The only reason is that a fix wasn't posted on errata. No information
regarding such an -important- event.
How about all the users that use OpenBSD on important servers?
No information on the subject was posted before the exploit, and
that's what scares me.


Do you do this every time an exploit comes out for any Linux vendor, or
Microsoft? You must have a sweaty forehead.

<irony quotation mark, end>
And I have -never- claimed that this is bad contra other systems.
But this is not a "match OS issue", please stick to the real issue.


I'd like to know what method of notification Georgi used. Did he file a
confidential bug report, or did he just send an email to Theo? He could
have also sent an email to one of the mail lists, stating that he had
discovered a problem and could someone "in the know" contact him.

Of course, this could be the situation. If it's "that explainable", I
recall all my remarks.

What's up with people acting like the sky is falling when any type of
exploit is released for OpenBSD? I'd be interested to see a graph of
released exploits for Operating Systems. Where do you think OpenBSD
would be on that chart in relation to others?


The difference between "getting bugs" and "telling people about it".
It's -not- good policy to let the public know about the bugs / exploits
before it has been posted / fixed by the vendor.


The reality is that the OpenBSD development team is small, and busy. And
yes this is a problem, and yes they were notified, and yes no one officially
responded to this BUGTRAQ post and they did not have a patch ready to
go. Most of these developers are people just like you and me who have
jobs and work on OpenBSD because they enjoy it, and like the ideals
behind OpenBSD. No one is getting rich on doing this, believe me.


I don't doubt that in a second, -but-.
This is a -critical- bug. It gives -root compromise-.
Think of the damage it causes if no one gets to know about the fixes in
time? We're talking -heavy- financial losses.

 
If what you desire is someone to be there for you night and day, to
have patch right away, you should probably be running another OS. I'm
not just saying that to be rude or refute the problem with a "go away"
attitude. I'm serious. 


Night/day, no. But what I expect, as well as in any other -good coding environment-,
is information about -critical- issues as this.
If no one gives the information in time, what's the point of even reading
the news/maillist/webpages?


In conclusion, OpenBSD never claimed that they were never going to be
vulnerable to security issues, and they promised that they would be able
to fix everything in a timely manner. But when I look at the
alternatives, for some reason I still prefer it. Go figure...


Partially agree, but also a "big issue here", if no one is there to
"complain" or "say that things weren't handled well", then who
will take their time to fix it ?
"Why fix something that isn't broke".
People -need- to get things like this pointed out, people NEED to
see that security is a growing issue, and at the least, people
NEED to: INFORM THE USERS. (excuse the caps.)

btw.. if you made it through my rant here is your reward:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/kern/kern_exec.c

Revision 1.49 / (download) - annotate - [select for diffs] , Fri Jun 15 11:10:18 2001 UTC (6 hours, 38 minutes ago) by art
Yes, and do you think it's coincidence that it's only 6 hours old?
No, here proving my point earlier mentioned.
Now that the people have been informed (not in the best way, but still), a fix
has been made. But. 6 days have passed, and no one exterior from the OpenBSD team
has been informed. That's -not good-. (Which is the -only- point I'm trying to make
here. :-) )


In the end, I would like to thank the developers of OpenBSD.
The operating system is really good, and I hope to see more
of it. Just to point out that I still prefer OpenBSD as a
"more secure alternative".



Your annoyance,
 Andreas Haugsnes


