Annotation of www/plus.html, Revision 1.39
1.14 deraadt 1: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML Strict//EN">
2: <html>
3: <head>
4: <title>OpenBSD changes</title>
5: <link rev=made href=mailto:www@openbsd.org>
6: <meta name="resource-type" content="document">
7: <meta name="description" content="the main OpenBSD page">
8: <meta name="keywords" content="openbsd,main">
9: <meta name="distribution" content="global">
10: <meta name="copyright" content="This document copyright 1996 by OpenBSD, Inc.">
11: </head>
12:
13: <body>
14:
15: <h1>OpenBSD</h1>
16: <hr>
17: <h3>Changes Relative to other *BSD's.</h3>
18:
19: <p>
1.29 deraadt 20: The OpenBSD project was spawned from NetBSD (ie. a member of the
21: 4.4BSD family) and is developed separately. As well as developments
22: by our development group, good changes from the other free operating
23: systems are evaluated and merged into OpenBSD (of course, depending on
24: various factors like developer time for example.) OpenBSD tracks bug
25: reports and source tree changes from the NetBSD and FreeBSD projects
26: fairly closely. Even pieces of code from the Linux projects have been
27: used.
1.14 deraadt 28:
29: <p>
1.29 deraadt 30: In the early days of OpenBSD, it was possible to say
31: "OpenBSD is NetBSD <b>PLUS MORE STUFF</b>" Now, after substantial
1.30 deraadt 32: work, OpenBSD is very much its own thing. Too much stuff has been
1.29 deraadt 33: added and fixed. OpenBSD is OpenBSD.
34:
35: <p>
36: This is a partial list of the major machine independent changes
37: (ie. these are the changes people ask about most often). Port
38: specific changes have also been made, and are sometimes mentioned
39: in the pages for the specific <a href=plat.html>ports</a> if you
40: are interested in further port-specific details. Many ports
41: have had architecture-specific enhancements relative to NetBSD,
42: but when they do not they certainly have plenty of platform-independent
43: changes, starting with those listed below.
1.14 deraadt 44:
1.17 deraadt 45: <p>
46: <h3>Life for the OpenBSD project begins...</h3>
47: <p>
1.14 deraadt 48: <ul>
49: <li>Many many NetBSD PR's fixed (which NetBSD has not yet fixed)
50: <li>New curses library, including libform, libpanel and libmenu.
51: <li>a termlib library which understands termcap.db, needed for new curses.
52: <li>The FreeBSD ports subsystem was integrated and is usable by you!
1.35 kstailey 53: <li>ipfilter for filtering dangerous packets and Network Address Translation
54: for IP masquerading.
1.14 deraadt 55: <li>better ELF support
56: <li>nlist() that understands ELF, ECOFF, and a.out, allowing non-a.out ports
57: to use kvm utilities
58: <li>Verbatim integration of the GNU tools (using a wrapper Makefile)
59: <li>All the pieces needed for cross compilation are in the source tree.
60: <li>Some LKM support in the tree.
61: <li>ATAPI support (should work on all ISA busses)
62: <li>new scsi, md5, pkg_* commands
63: <li>Numerous security related fixes
64: <li>Kerberos and other crypto in the source tree that is exportable
65: <li>Solid YP master, server, and client capabilities.
66: <li>/dev/*random -- a device driver providing some kinds of random data
67: <li>In-kernel update(8) with an adaptive algorithm
68: <li>Some ddb improvements and extensions
69: <li>Numerous scsi fixes
70: <li>ncheck utility for ffs
71: <li>/sbin/init now deals with non-existent ttys, no longer spins gettys madly.
72: <li>new system calls: rfork(), minherit(), poll().
73: <li>select() that can handle any number of file descriptors.
74: <li>kernfs extensions
75: <li>ATM support (support for one company's sparc & i386 cards available)
76: <li>Boot kernels with "-c" to edit/enable/disable device configuration tables
77: <li>pax as tar, gnutar is toast
78: <li>using AT&T awk, gawk is toast
79: <li>Even more security fixes.
80: <li>Accepts FreeBSD MD5 passwords in password maps, soon will be able to
81: generate them too
82: <li>Linux ext2fs and BSD4.4 LFS support being worked on.
83: <li>Working ATAPI audio support for multiple architectures.
84: <li>terminfo database support.
85: <li>Fortran in the tree.
86: <li>The most secure rdist support anywhere.
87: <li>randomized port allocation in bind(), bindresvport(), and rresvport() --
88: security via unpredictability.
89: <li>Protection from the udp spamming and ftp bounce attacks.
90: <li>Significantly improved ftp daemon.
91: <li>Numerous more security policy and implementation improvements (OpenBSD
92: defaults to installing in a very secure mode)
93: <li>zlib (non-GPL'd gzip-compatible library)
94: <li>Newest version of pppd.
95: <li>_POSIX_SAVED_IDS behaviour with permitted BSD extensions.
96: <li>Fixed long-standing vm swap-leak.
97: <li>FreeBSD malloc() that uses mmap() and is able to free unused memory.
98: <li>Numerous FreeBSD userland fixes and improvements incorporated.
99: <li>new rdisc Router Discovery daemon
100: <li>generic protection against the bind() takeover problem.
101: <li>at -f security fix.
102: <li>20 or so more security fixes
103: <li>install now supports -C, -p, and -S flags.
104: <li>a real adduser program, which can even be used uninteractively.
105: <li>POSIX & C2 requirement; lose setuid/setgid bits if owner/group changed
106: by chown(). This can be turned off with sysctl.
107: <li>partial protection against tcp SYN attacks.
108: <li>added /etc/fbtab support to login & init.
109: <li>RCS version 5.7
110: <li>much newer join command (4.4lite2 with other fixes)
111: <li>scsi subsystem security fix
112: <li>Kerberos is much more silent if not configured
113: <li>arc4-based random support in kernel
114: <li>ncr53cXXX scsi scripts assembler
115: <li>Numerous ftpd improvements and fixes, including multihomed and skey support.
116: <li>`lsof'-style features in fstat.
117: <li>rudimentary support for ISA Plug-and-Play cards
118: <li>Fixed timeout support in RPC library, and also fixed it to support more
119: than FD_SETSIZE file descriptors.
120: <li>improved locate command
121: <li>a good start at NETIPX support
122: <li>vim version 4.5
123: <li>gcc 2.7.2.1 (to get closer to native alpha support ar gcc
124: bugs).
125: <li>latest version of perl, and a lndir command.
126: <li>Even more security fixes.
127: <li>cdio command for using CD audio.
128: <li>Kernel warns f /dev/ces not ebooting ated /de<li>libgis gone; our malloc() is better.
129: <li>FreeBSD pipe() system call; quite a bit faster.
130: <li>Some serial driver support for /dev/cuaXX devices to support transparent
131: out+dial
132: <li>DDcess symrom LKM es
133: <li>Say goodbye to dump, restore, and mt security holes: They are no longer
134: setuid.
135: <li>*Hobbit*'s netcat utility. The crackers use it, so should you.
136: <li>New routed from SGI.
137: <li>Complete in-tree development for MIPS/Alpha systems (ie. binutils).
138: <li>ftp command modified for easily scripted ftp & http downloads.
139: <li>And of course... more security related bugfixes... (ie. dump,
140: restore, mt).
141: <li>vim is replacing nvi, since nvi does not have a pure BSD license, and vim
142: also works better.
143: <li>16 partitions working on sparc and i386 (yipee!)
144: <li>Nice sample files in /etc
145: <li>sendmail gecos hole fixed (in a number of ways; other programs in the
146: source tree were also vulnerable.)
147: <li>secure multicast tools against possible security problems.
148: <li>latest GNU groff, incorporated in a clean wrapperized form.
149: <li>mopd for network booting Digital machines
150: <li>less version 2.90
151: <li>deal with the SYN bomb problem (denial of service attack) as well known.
152: <li>Another kerberos security fix.
153: <li>Almost a hundred more security fixes, including /tmp races because of strncpy.
154: <li>Compile time option to compile the source tree almost completely dynamic.
155: <li>A 7% reduction in size of static binaries.
156: <li>FreeBSD's adduser(8) command. Also an rmuser(8) command.
157: <li>We have completed security reviews of almost all userland programs and
158: libraries except for the gnu stuff (where, based on preliminary
159: inspection there is poor handling of temp files).
160: <li>Working Linux ext2fs.
161: <li>Added sudo (which is maintained by one of our developers)
162: <li>CTM is now a supported way of obtaining OpenBSD source code.
1.17 deraadt 163: </ul>
164: <p>
165: <h3>OpenBSD 2.0 released.</h3>
166: <p>
1.15 deraadt 167: <ul>
1.14 deraadt 168: <li>The NIST Posix test suite became free. As a result we have been correcting
169: numerous problems in the source tree, and expect to be completely
170: POSIX compliant very soon.
171: <li>upgrade to CVS version 1.9.
172: <li>A number of security fixes to the way coredumping works.
173: <li>The /dev/*random devices are now default on all architectures.
174: <li>Add stack tracebacks to Arc port's kernel debugger.
175: <li>Skey revamped into full OTP (RFC1938) support, including sha1 and
176: md5 support.
177: <li>GPL i387 emulator added.
178: <li>Crank kvm space on the i386 port, also limit buffer cache usage
179: so that 512MB machines may work (untested :-)
180: <li>Numerous fixes to the lpr suite, including security.
181: <li>More ftpd raging paranoia security fixes.
182: <li>The NIST suite showed numerous errors in libraries and the kernel.
183: Only a few small errors remain now, mostly regarding serial
184: ports.
185: <li>In numerous utilities: prefer $LOGNAME, but also accept $USER.
186: <li>OLF binary type added. This is like ELF, but includes an OS-dependent
187: tag. elf2olf(1) converts an elf binary to a tagged OLF binary which
188: the kernel can recognize correctly.
189: <li>Beware $HOME overflows throughout the source tree.
190: <li>Integration of the pmax port.
191: <li>Import of ctm.
192: <li>Various repairs to the scsi scanner support.
193: <li>Numerous more difficult-to-exploit-but-possible-if-someone-really-wanted-to
194: buffer overflows found in system utilities..
195: <li>Memory leak paranoia in cron.
196: <li>Make login get more consistently upset about failed logins, and tell user
197: about these failures at the next successful login.
198: <li>pdksh version is now 5.2.11
199: <li>New bsd.*.mk feature: DEBUG=-g. Try it, you'll like it.
200: <li>The Arc port family has a new member: The rPC44 works!
201: <li>lpt driver is now bus-independent.
202: <li>com driver is now bus-independent.
203: <li>Numerous small security fixes again...
204: <li>Use pdksh as our /bin/sh. This provides excellent POSIX compliance.
205: <li>Prevent generic users from mounting filesystems by default.
206: <li>Added -C option to pax/tar. Also made -z support compressed files too.
207: <li>Increased compatibility in the pccons driver with BSDi features.
208: <li>Imported FreeBSD's calendar.
209: <li>GNU gdb works on the mips-based platforms.
210: <li>Add FreeBSD md5 diffs to mtree(8). This can be used to implement a
211: tripwire-like system.
212: <li>Some YP and bootparamd security changes.
213: <li>Hundreds of little fixes all over the place.
214: <li>Multiple updates for GNU software
215: <li>Add disklabels to the floppy device drivers.
216: <li>At boottime, have (*mountroot)() look at the root device's disklabel
217: to determine which filesystem type is to be mounted.
218: <li>If disklabel reading code discovers an ISOFS filesystem underlying,
219: spoof a nice disklabel (enough to fool mountroot).
220: <li>tcpdump 3.3
221: <li>Fix information gathering attack in ping(8).
222: <li>Add NetBSD's "route show" implementation, and at the same time fix
223: the new buffer overflows that this provided.
224: <li>Fix a few setgroups() related security holes.
225: <li>sendmail 8.8.4
226: <li>texinfo 3.9
227: <li>f77 0.5.19
228: <li>Repair some more KerberosIV buffer overflows. Hard to believe this is
229: supposed to be security software.
230: <li>Add XCASE/IUCLC/OLCUC/OCRNL/ONOCR/ONLRET tty subsystem flags for
231: backwards compatibility.
232: <li>Permit NFS attribute cache to be configured on a per-mount basis.
233: <li>Properly split fsck, mount, and newfs into multiple pieces. Use
234: disklabel information if it is available.
235: <li>Add disklabels to the vnd device driver.
236: <li>Change the games to be run setgid games, not setuid games. This closes
237: a whole slew of fascinating security holes.
238: <li>Import of the powerpc port.
239: <li>Properly use _POSIX_SAVED_IDS throughout the source tree.
240: <li>Permit building of kernels without a.out support.
241: <li>ppp 2.3b3
242: <li>libcrypt goes away. We do not need this stub library anymore. Do not link
243: against it on OpenBSD, all the pieces you need are in libc.
1.18 deraadt 244: <li>new aucat command.
245: <li>Fix a fairly nasty security hole in all of the games.
1.20 downsj 246: <li>Support for the <a href="hp300.html">hp300</a> added.
247: <li>Upgrade of awk(1), integration of BSD tsort(1), getopt fixes.
248: <li>Sendmail upgraded to version 8.8.5.
1.21 downsj 249: <li>Added lchown(2) for compatibility with SVR4 implementations.
1.23 deraadt 250: <li>New gnu cpio 2.4.2
251: <li>Support lchown(2) in dump(8), cp(1), pax(1), cpio(1), chown(8), and
252: restore(8).
253: <li>No buffer lengths in fmt(1).
254: <li>various adjtime() corrections inside the kernel.
255: <li>Prevent stat() from disclosing inode generation numbers to non-root userland.
256: <li>pax in tar mode will understand multiple -v options to generate ls-like output.
257: <li>Repair many uses of the SIOCGIFCONF code for machines with an outrageous
258: number of network interfaces.
1.22 deraadt 259: <li>More kerberosIV security patches.
260: <li>A working fsirand.
1.28 deraadt 261: <li>Completely in-tree <a href="ppc.html">PowerPC</a> port for non-Apple
262: hardware. This port requires nothing outside the in-tree development
263: environment to build (except mkisofs for building distributions).
264: <li>Some ypbind(8) tightening up, includes a method to specify a list of
265: valid servers
1.25 niklas 266: <li>Bug fixed that prevented bufpages/nbuf > 1 setups. This allows large
267: buffer caches even when available kvm space is low, like for i386
268: & sparc.
1.26 deraadt 269: <li>Changed netinet IP_HDRINCL option to require ip_len and ip_off in network
270: byte order. This is a compatibility/portability fix and we expect
271: other BSD systems to eventually follow suit.
272: <li>amd (the automounter) is now 64-bit and working on the alpha.
273: <li>The <a href="alpha.html">Alpha</a> port and all its utilities now compile
274: using in-tree versions of all tools. Yipee!
1.34 deraadt 275: <li>A SA_SIGINFO implementation for sigaction() and signal handlers. This is a
276: small part of POSIX 1003.1b and permits the signal handler to figure
277: out the exact cause of a signal; such as fault address information
278: for SIGSEGV or more detailed information for SIGFPE.
1.31 downsj 279: <li>config.old(8) has been removed from the tree, as the <a href="hp300.html">
280: hp300</a> port switches to config(8).
1.32 deraadt 281: <li>/sbin/dump -a saves you from needing to deal with finicky tape length
282: options (from FreeBSD)
1.34 deraadt 283: <li>Added RFC-1812 ICMP unreachable codes to ip_icmp.h, traceroute, and ping.
1.36 deraadt 284: <li>Be more careful if some fool decides to enable source routing ;-)
285: <li>Support for gzip'd kernels in some bootblocks.
286: <li>New wgrisc port for Willowglen embedded r3081-based machine with ISA slots.
287: <li>Add cdev and partition support to the ramdisk driver.
288: <li>Merge new ftp(1) changes from NetBSD.
1.37 deraadt 289: <li>Change mktemp(3) and family to generate more random filenames, yet still
290: as collision free as possible.
291: <li>Have libc/rpc save you from yourself if you do enable source routing.
1.38 downsj 292: <li>The <a href="hp300.html">hp300</a> joins many other ports in supporting
293: 16 disk partitions.
1.39 ! deraadt 294: <li>IPF 1.3.7 which includes fully working NAT support (ie. IP masquerading).
! 295: <li>Use lots more XXXX characters in calls to the few remaining mktemp() calls
! 296: in the source tree. This cuts out a whole class of races.
! 297: <li>Improved NFS filehandle creation.
1.14 deraadt 298: </ul>
1.17 deraadt 299: <p>
300: <h3>Development is rapidly continuing...</h3>
301: <p>
1.14 deraadt 302:
303: This list only mentions platform-independent changes. For a list of changes
304: made in a particular platform, please check the page for that platform.<br><br>
305:
306: <hr>
307: <a href="index.html"><img src=back.gif border=0 alt=OpenBSD></a>
308: <a href=mailto:www@openbsd.org>www@openbsd.org</a>
1.39 ! deraadt 309: <br><small>$OpenBSD: plus.html,v 1.38 1997/02/10 01:52:06 downsj Exp $</small>
1.14 deraadt 310:
311: </body>
312: </html>