Annotation of www/33.html, Revision 1.62
1.54 bentley 1: <!doctype html>
2: <html lang=en id=release>
3: <meta charset=utf-8>
4:
1.36 deraadt 5: <title>OpenBSD 3.3</title>
1.1 miod 6: <meta name="description" content="OpenBSD 3.3">
1.47 tb 7: <meta name="viewport" content="width=device-width, initial-scale=1">
8: <link rel="stylesheet" type="text/css" href="openbsd.css">
1.50 tb 9: <link rel="canonical" href="https://www.openbsd.org/33.html">
1.1 miod 10:
1.54 bentley 11: <h2 id=OpenBSD>
1.1 miod 12: <a href="index.html">
1.54 bentley 13: <i>Open</i><b>BSD</b></a>
14: 3.3
1.47 tb 15: </h2>
1.1 miod 16:
1.54 bentley 17: <table>
18: <tr>
19: <td>
1.5 deraadt 20: <a href="images/Barbarian.gif">
1.62 ! deraadt 21: <img width="255" height="343" src="images/Barbarian.gif" alt="Barbarian"></a>
1.1 miod 22:
1.54 bentley 23: <td>
1.1 miod 24: Released May 1, 2003<br>
25: Copyright 1997-2003, Theo de Raadt.<br>
1.54 bentley 26: <cite class=isbn>ISBN 0-9731791-1-2</cite>
1.32 deraadt 27: <br>
1.44 deraadt 28: 3.3 Song: <a href="lyrics.html#33">"Puff the Barbarian"</a>
1.53 deraadt 29: <br>
30: <br>
1.1 miod 31: <ul>
1.59 deraadt 32: <li>See the information on <a href="ftp.html">the FTP page</a> for
1.1 miod 33: a list of mirror machines.
1.54 bentley 34: <li>Go to the <code class=reldir>pub/OpenBSD/3.3/</code> directory on
1.1 miod 35: one of the mirror sites.
1.31 david 36: <li>Have a look at <a href="errata33.html">The 3.3 Errata page</a> for a list
1.1 miod 37: of bugs and workarounds.
1.14 deraadt 38: <li>See a <a href="plus33.html">detailed log of changes</a> between the
1.1 miod 39: 3.2 and 3.3 releases.
40: </ul>
1.48 tb 41: <p>
1.47 tb 42: All applicable copyrights and credits are in the src.tar.gz,
43: sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
1.58 deraadt 44: files fetched via <code>ports.tar.gz</code>.
1.54 bentley 45: </table>
1.1 miod 46:
1.47 tb 47: <hr>
1.54 bentley 48:
49: <section id=new>
50: <h3>What's New</h3>
1.1 miod 51: <p>
1.47 tb 52: This is a partial list of new features and systems included in OpenBSD 3.3.
1.18 deraadt 53: For a comprehensive list, see the <a href="plus33.html">changelog</a> leading
1.1 miod 54: to 3.3.
55: <p>
56:
57: <ul>
58: <li>Integration of the
1.30 david 59: <a href="http://www.research.ibm.com/trl/projects/security/ssp/">ProPolice</a>
1.26 deraadt 60: stack protection technology, by Hiroaki Etoh, into the system
61: compiler. This protection is enabled by default. With this change,
62: function prologues are modified to rearrange the stack: a random
63: canary is placed before the return address, and buffer variables are
64: moved closer to the canary so that regular variables are below, and
65: harder to smash. The function epilogue then checks if the canary is
66: still intact. If it is not, the process is terminated. This change
67: makes it very hard for an attacker to modify the return address used
68: when returning from a function.
1.2 deraadt 69: <p>
1.1 miod 70:
1.22 deraadt 71: <li>W^X (pronounced: "W xor X") on architectures capable of
1.10 deraadt 72: pure execute-bit support in the MMU (sparc, sparc64, alpha,
73: hppa). This is a fine-grained memory permissions layout, ensuring that
74: memory which can be written to by application programs can not be
1.22 deraadt 75: executable at the same time and vice versa. This raises the bar on
76: potential buffer overflows and other attacks: as a result, an attacker
77: is unable to write code anywhere in memory where it can be executed.
1.26 deraadt 78: (NOTE: i386 and powerpc do not support W^X in 3.3; however, 3.3-current
79: already supports it on i386, and both these processors are expected to
1.47 tb 80: support this change in 3.4).
1.1 miod 81: <p>
82:
1.2 deraadt 83: <li>Still more reduction in setuid and setgid binaries, and more chroot
1.22 deraadt 84: use throughout the system. While some programs are still setuid or
85: setgid, almost all of them grab a resource and then quickly revoke
86: privilege.
1.1 miod 87: <p>
88:
1.22 deraadt 89: <li>The X window server and xconsole now use privilege separation,
90: for better security. Also, xterm has been modified to do privilege
91: revocation. xdm runs as a special user and group, to further constrain
92: what might go wrong.
1.1 miod 93: <p>
94:
95: <li>As usual, improvements to the documentation, notably the man pages and
1.7 jsyn 96: the Web FAQ. An increasingly large part of the website is available in several
1.1 miod 97: languages.
98: <p>
99:
100: <li>More complete collection and better tested set of "ports".
101: setuid/setgid ports have been significantly reduced as well. Many of the
102: ones that remain setuid have been modified to revoke privileges as early
103: as possible.
104: <p>
105:
106: <li>Over 2000 pre-built and tested packages.
107: <p>
108:
109: <li>Significant improvements to the pthread library.
110: <p>
111:
112: <li>An incredible amount of enhancements and stability improvements to
113: our packet filter, <a
1.54 bentley 114: href="https://man.openbsd.org/pf.4">pf</a>,
1.8 henning 115: including:
1.1 miod 116: <ul>
1.17 deraadt 117: <li>Queue, a bandwidth management system (uses altq underneath)
1.47 tb 118: <li>Anchors, allowing subrulesets which can be loaded and modified independently
1.17 deraadt 119: <li>Tables, a very efficient way for large address lists in rules
120: <li>Address pools, redirect/NAT to multiple addresses and thus load balancing
121: <li>Configuration language has been made much more flexible
122: <li>TCP window scaling support
123: <li>Full CIDR support
124: <li>Early checksum verification return on invalid packets
125: <li>Performance boost: large rulesets load much faster now
1.54 bentley 126: <li><a href="https://man.openbsd.org/spamd">spamd</a>,
1.22 deraadt 127: a spam deferral daemon, which SMTP connections can be redirected to.
128: This daemon handles connections based on black lists and white lists,
129: tar-pits the connections, and ensures that the spammer knows why their
130: mail has not been accepted.
1.1 miod 131: </ul>
1.11 jason 132:
133: <p>
134:
135: <li>Much improved <a href="sparc64.html">sparc64</a> support: support for
1.13 miod 136: more models and several major bugs eradicated.
1.8 henning 137:
1.1 miod 138: <p>
139:
140: <li>The system includes the following major components from outside suppliers:
141: <ul>
142: <li>XFree86 4.2.1 (and i386 contains 3.3.X servers also, thus providing support for all chipsets)
1.4 miod 143: <li>Gcc 2.95.3 (+ patches)
144: <li>Perl 5.8.0 (+ patches)
1.3 henning 145: <li>Apache 1.3.27, mod_ssl 2.8.12, DSO support (+ patches)
1.1 miod 146: <li>OpenSSL 0.9.7beta3 (+ patches)
1.4 miod 147: <li>Groff 1.15
1.24 miod 148: <li>Sendmail 8.12.9
1.4 miod 149: <li>Bind 9.2.2 (+ patches)
1.23 margarid 150: <li>Lynx 2.8.2rel.1 with HTTPS support added (+ patches)
1.4 miod 151: <li>Sudo 1.6.7
152: <li>Ncurses 5.2
1.1 miod 153: <li>Latest KAME IPv6
1.12 hin 154: <li>KTH Kerberos 1.1.1
1.1 miod 155: <li>Heimdal 0.4e (+ patches)
156: <li>OpenSSH 3.6
157: </ul>
158: <p>
159:
160: <li>Many improvements for security and reliability (look for the red
1.18 deraadt 161: print in the <a href="plus33.html">complete changelog</a>).
1.1 miod 162: <p>
1.11 jason 163: <li> and much more.
164:
1.1 miod 165: </ul>
1.54 bentley 166: </section>
1.1 miod 167:
168: <hr>
1.54 bentley 169:
170: <section id=install>
171: <h3>How to install</h3>
172:
1.1 miod 173: <p>
174: Following this are the instructions which you would have on a piece of
175: paper if you had purchased a CDROM set instead of doing an alternate
176: form of install. The instructions for doing an ftp (or other style
177: of) install are very similar; the CDROM instructions are left intact
178: so that you can see how much easier it would have been if you had
179: purchased a CDROM instead.
180: <p>
181:
182: <hr>
1.15 drahn 183: Please refer to the following files on the three CDROMs or ftp mirror for
184: extensive details on how to install OpenBSD 3.3 on your machine:
1.1 miod 185: <p>
186: <ul>
1.56 deraadt 187: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/i386/INSTALL.i386">
188: .../OpenBSD/3.3/i386/INSTALL.i386 (on CD1)</a>
1.15 drahn 189: <p>
1.56 deraadt 190: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/macppc/INSTALL.macppc">
191: .../OpenBSD/3.3/macppc/INSTALL.macppc (on CD2)</a>
192: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/vax/INSTALL.vax">
193: .../OpenBSD/3.3/vax/INSTALL.vax (on CD2)</a>
194: <p>
195: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/sparc/INSTALL.sparc">
196: .../OpenBSD/3.3/sparc/INSTALL.sparc (on CD3)</a>
197: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/sparc64/INSTALL.sparc64">
198: .../OpenBSD/3.3/sparc64/INSTALL.sparc64 (on CD3)</a>
199: <p>
200: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/alpha/INSTALL.alpha">
201: .../OpenBSD/3.3/alpha/INSTALL.alpha</a>
202: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/hp300/INSTALL.hp300">
203: .../OpenBSD/3.3/hp300/INSTALL.hp300</a>
204: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/hppa/INSTALL.hppa">
205: .../OpenBSD/3.3/hppa/INSTALL.hppa</a>
206: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/mac68k/INSTALL.mac68k">
207: .../OpenBSD/3.3/mac68k/INSTALL.mac68k</a>
208: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/mvme68k/INSTALL.mvme68k">
209: .../OpenBSD/3.3/mvme68k/INSTALL.mvme68k</a>
1.1 miod 210: </ul>
1.56 deraadt 211: </section>
212:
1.1 miod 213: <hr>
214:
1.54 bentley 215: <section id=quickinstall>
216:
1.1 miod 217: <p>
218: Quick installer information for people familiar with OpenBSD, and the
219: use of the "disklabel -E" command. If you are at all confused when
220: installing OpenBSD, read the relevant INSTALL.* file as listed above!
1.54 bentley 221:
222: <h3>OpenBSD/i386:</h3>
223:
1.1 miod 224: <p>
225: Play with your BIOS options to enable booting from a CD. The OpenBSD/i386
226: release is on CD1. If your BIOS does not support booting from CD, you will need
227: to create a boot floppy to install from. To create a boot floppy write
228: <i>CD1:3.3/i386/floppy33.fs</i> to a floppy and boot via the floppy drive.
229:
230: <p>
231: Use <i>CD1:3.3/i386/floppyB33.fs</i> instead for greater scsi controller
232: support, or <i>CD1:3.3/i386/floppyC33.fs</i> for better laptop support.
233:
234: <p>
235: If you are planning on dual booting OpenBSD with another OS, you will need to read the included INSTALL.i386 document.
236:
237: <p>
238: To make a boot floppy under MS-DOS, use the "rawrite" utility located
1.54 bentley 239: at <i>CD:/3.3/tools/rawrite.exe</i>. To make the boot floppy under a Unix OS, use the <a href="https://man.openbsd.org/dd.1">dd(1)</a> utility. The following is an example usage of <a href="https://man.openbsd.org/dd.1">dd(1)</a>, where the device could be "floppy", "rfd0c", or "rfd0a".
1.1 miod 240:
1.54 bentley 241: <blockquote><pre>
1.56 deraadt 242: # <kbd>dd if=<file> of=/dev/<device> bs=32k</kbd>
1.54 bentley 243: </pre></blockquote>
1.1 miod 244:
245: <p>
1.49 tj 246: Make sure you use properly formatted perfect floppies with NO BAD BLOCKS or your install will most likely fail. For more information on creating a boot floppy and installing OpenBSD/i386 please refer to <a href="faq/faq4.html#MkFlop">this page</a>.
1.54 bentley 247:
248: <h3>OpenBSD/macppc:</h3>
1.1 miod 249:
250: <p>
251: Put the CD2 in your CDROM drive and poweron your machine while holding down the
252: <i>C</i> key until the display turns on and shows <i>OpenBSD/macppc boot</i>.
253:
254: <p>
255: Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
256: /3.3/macppc/bsd.rd</i>
1.54 bentley 257:
258: <h3>OpenBSD/vax:</h3>
1.1 miod 259:
260: <p>
261: Boot over the network via mopbooting as described in INSTALL.vax.
1.54 bentley 262:
263: <h3>OpenBSD/sparc:</h3>
1.1 miod 264:
265: <p>
266: The 3.3 release of OpenBSD/sparc is located on CD3. To boot off of this CD you can use one of the two commands listed below, depending on the version of your ROM.
267:
1.54 bentley 268: <blockquote><pre>
269: > <kbd>boot cdrom 3.3/sparc/bsd.rd</kbd>
1.1 miod 270: or
1.54 bentley 271: > <kbd>b sd(0,6,0)3.3/sparc/bsd.rd</kbd>
272: </pre></blockquote>
1.1 miod 273:
274: <p>
275: If your sparc does not have a CD drive, you can alternatively boot from floppy.
1.49 tj 276: To do so you need to write "CD3:3.3/sparc/floppy33.fs" to a floppy. For more information see <a href="faq/faq4.html#MkFlop">this page</a>. To boot from the floppy use one of the two commands listed below, depending on the version of your ROM.
1.1 miod 277:
1.54 bentley 278: <blockquote><pre>
279: > <kbd>boot floppy</kbd>
1.1 miod 280: or
1.56 deraadt 281: > <kbd>boot fd()</kbd>
1.54 bentley 282: </pre></blockquote>
1.1 miod 283:
284: <p>
285: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.
286:
287: <p>
288: If your sparc doesn't have a floppy drive nor a CD drive, you can either
289: setup a bootable tape, or install via network, as told in the
290: INSTALL.sparc file.
1.54 bentley 291:
292: <h3>OpenBSD/sparc64:</h3>
1.1 miod 293:
294: <p>
295: Put the CD3 in your CDROM drive and type <i>boot cdrom</i>.
296:
297: <p>
298: If this doesn't work, or if you don't have a CDROM drive, you can write
299: <i>CD3:3.3/sparc64/floppy33.fs</i> to a floppy and boot it with <i>boot
300: floppy</i>.<br>
301: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.
302:
303: <p>
304: You can also write <i>CD3:3.3/sparc64/miniroot33.fs</i> to the swap partition on
305: the disk and boot with <i>boot disk:b</i>.
306:
307: <p>
308: If nothing works, you can boot over the network as described in INSTALL.sparc64
1.54 bentley 309:
310: <h3>OpenBSD/alpha:</h3>
1.1 miod 311:
312: <p>
1.56 deraadt 313: Write <i>3.3/alpha/floppy33.fs</i> or
314: <i>3.3/alpha/floppyB33.fs</i> (depending on your machine) to a diskette and
1.15 drahn 315: enter <i>boot dva0</i>. Refer to INSTALL.alpha for more details.
316:
317: <p>
318: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.
319:
1.54 bentley 320: <h3>OpenBSD/hp300:</h3>
1.15 drahn 321:
322: <p>
323: Boot over the network by following the instructions in INSTALL.hp300.
324:
1.54 bentley 325: <h3>OpenBSD/hppa:</h3>
326:
1.28 miod 327: <p>
328: Boot over the network by following the instructions in INSTALL.hppa or the
329: <a href="hppa.html#netboot">hppa platform page</a>.
330:
1.54 bentley 331: <h3>OpenBSD/mac68k:</h3>
332:
1.15 drahn 333: <p>
334: Boot MacOS as normal and partition your disk with the appropriate A/UX
335: configurations. Then, extract the Macside utilities from
1.56 deraadt 336: <i>3.3/mac68k/utils</i> onto your hard disk. Run Mkfs to create your
1.15 drahn 337: filesystems on the A/UX partitions you just made. Then, use the
1.56 deraadt 338: "BSD/Mac68k Installer" to copy all the sets in <i>3.3/mac68k/</i> onto your
1.25 nick 339: partitions. Finally, you will be ready to configure the "BSD/Mac68k
340: Booter" with the location of your kernel and boot the system.
1.15 drahn 341:
1.54 bentley 342: <h3>OpenBSD/mvme68k:</h3>
343:
1.15 drahn 344: <p>
345: You can create a bootable installation tape or boot over the network.<br>
346: The network boot requires a MVME68K BUG version that supports the <i>NIOT</i>
347: and <i>NBO</i> debugger commands. Follow the instructions in INSTALL.mvme68k
348: for more details.
1.56 deraadt 349: </section>
1.54 bentley 350:
1.56 deraadt 351: <hr>
1.54 bentley 352:
353: <section id=sourcecode>
1.56 deraadt 354: <h3>Notes about the source code</h3>
1.15 drahn 355: <p>
1.58 deraadt 356: <code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
357: This file contains everything you need except for the kernel sources, which are
1.1 miod 358: in a separate archive. To extract:
1.54 bentley 359: <blockquote><pre>
360: # <kbd>mkdir -p /usr/src</kbd>
361: # <kbd>cd /usr/src</kbd>
362: # <kbd>tar xvfz /tmp/src.tar.gz</kbd>
363: </pre></blockquote>
1.1 miod 364: <p>
1.58 deraadt 365: <code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
1.1 miod 366: This file contains all the kernel sources you need to rebuild kernels.
367: To extract:
1.54 bentley 368: <blockquote><pre>
369: # <kbd>mkdir -p /usr/src/sys</kbd>
370: # <kbd>cd /usr/src</kbd>
1.56 deraadt 371: # <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
1.54 bentley 372: </pre></blockquote>
1.1 miod 373: <p>
374: Both of these trees are a regular CVS checkout. Using these trees it
375: is possible to get a head-start on using the anoncvs servers as
1.18 deraadt 376: described <a href="anoncvs.html">here</a>.
1.1 miod 377: Using these files
378: results in a much faster initial CVS update than you could expect from
379: a fresh checkout of the full OpenBSD source tree.
1.54 bentley 380: </section>
381:
1.1 miod 382: <hr>
1.54 bentley 383:
384: <section id=ports>
385: <h3>Ports Tree</h3>
1.1 miod 386: <p>
387: A ports tree archive is also provided. To extract:
1.54 bentley 388: <blockquote><pre>
389: # <kbd>cd /usr</kbd>
390: # <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
391: </pre></blockquote>
1.1 miod 392: <p>
393: The <i>ports/</i> subdirectory is a checkout of the OpenBSD ports tree. Go
1.34 jasper 394: read the <a href="faq/faq15.html">ports</a> page
1.1 miod 395: if you know nothing about ports
396: at this point. This text is not a manual of how to use ports.
397: Rather, it is a set of notes meant to kickstart the user on the
398: OpenBSD ports system.
399: <p>
400: Certainly, the OpenBSD ports system is not complete. It is doubtful it
401: will ever be. However, it is growing very fast and getting more stable.
402: Almost all ports provided with this release should build without problems
403: on most architectures (over 2000 packages build on i386, for instance).
404: <p>
1.47 tb 405: The <i>ports/</i> directory represents a CVS (see the manpage for
1.57 bentley 406: <a href="https://man.openbsd.org/cvs.1">cvs(1)</a> if
1.47 tb 407: you aren't familiar with CVS) checkout of our ports. As with our complete
1.1 miod 408: source tree, our ports tree is available via anoncvs. So, in
409: order to keep current with it, you must make the <i>ports/</i> tree
410: available on a read-write medium and update the tree with a command
411: like:
1.54 bentley 412: <blockquote><pre>
1.56 deraadt 413: # <kbd>cd [portsdir]/; cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_3_3</kbd>
1.54 bentley 414: </pre></blockquote>
1.1 miod 415: <p>
416: [Of course, you must replace the local directory and server name here
417: with the location of your ports collection and a nearby anoncvs
418: server.]
419: <p>
1.56 deraadt 420: Note that most ports are available as packages on our mirrors. Updated
1.1 miod 421: packages for the 3.3 release will be made available if problems arise.
422: <p>
423: If you're interested in seeing a port added, would like to help out, or just
1.56 deraadt 424: would like to know more, the mailing list
425: <a href="mail.html">ports@openbsd.org</a> is a good place to know.
1.54 bentley 426: </section>