OpenBSD 6.0 tightens security by losing Linux compatibility

The newest version of OpenBSD closes potential security loopholes -- such as its Linux compatibility layer

OpenBSD 6.0 tightens security by losing Linux compatibility

OpenBSD, one of the more prominent variants of the BSD family of Unix-like operating systems, will be released at the beginning of September, according to a note on the official OpenBSD website.

Often touted as an alternative to Linux. OpenBSD is known for the lack of proprietary influence on its software and has garnered a reputation for shipping with better default security than other OSes and for being highly vigilant (some might say strident) about the safety of its users. Many software router/firewall projects are based on OpenBSD because of its security-conscious development process.

Most significant among the latest security-related changes for OpenBSD is the removal of Linux emulation support. Prior versions of OpenBSD made it possible to run Linux applications via a compatibility layer, but the release notes for OpenBSD 6.0 indicate the Linux subsystem was removed as a "security improvement."

OpenBSD has a collection of software available as add-on binary packages. They're not screened for security in the same way that the OS itself is, but OpenBSD's maintainers try to keep those third-party offerings as current as possible to avoid problems. OpenBSD also supplies recent versions of many popular applications -- the Chromium and Firefox browsers, for instance -- meaning there's less need to use the Linux compatibility layer to get work done.

OpenBSD has also ditched the systrace system policy-enforcement tool for the sake of security. Previous versions of OpenBSD included it, but didn't actually employ it for anything crucial. Systrace has been regarded for some time as insecure, so it's been dropped from the base OpenBSD distribution.

The removal of the "usermount" option, which if enabled allowed nonprivileged users to mount filesystems, is yet another security enhancement. OpenBSD project lead Theo de Raadt stated that usermount "allows any non-pledged program to call the mount/umount system calls," meaning "there is no way any user can be expected to keep their system safe/reliable with this feature."

The previous release of OpenBSD -- version 5.9, which emerged at the end of March -- provided a number of major security improvements of its own. The sudo tool for running programs as a privileged user was replaced with doas, which has a simpler and potentially less problematic configuration mechanism. A change this radical would have been far more difficult to implement in the Linux world, but OpenBSD prides itself on making efforts to keep its codebase modern.

Copyright © 2016 IDG Communications, Inc.

How to choose a low-code development platform