Front | Info | Lists | Newsfeeds | Study Guide | What is BSD? RSS  

Taking MicroBSD for a test run (Page 2)

By Jeremy C. Reed

Back to page 1:   Installing MicroBSD and What is MicroBSD?

Looking at MicroBSD

When booting all looked normal (like OpenBSD), but at the end of the kernel messages it said:
Stephanie: ACL: Trusted users list initialized.
Stephanie: k5: Binary integrity verification initialized.

The rest of the boot looked normal too. It created new DSA, RSA, and RSA1 host keys for ssh. And sendmail, inetd, sshd, cron and portmap were started.

When I logged in the MOTD said:

Welcome to MicroBSD: The proactively secure Unix-like operating system
And it suggested that you use sendbug(1) to report problems.

The installation had taken 160MB. So I looked around.

The virtual consoles were enabled by default. I could switch to other consoles with CTRL-ALT-F1 through F6 (but virtual console ttyC4 was off as /etc/ttys defined). Also, I was able to login to it as root via ssh. It is running SSH-1.99-OpenSSH_3.4.

I noticed that many binaries and plain text files had MicroBSD RCS keywords, but appeared to have OpenBSD revision numbers and OpenBSD developer usernames.

The Apache webserver worked fine, but the default image displayed "OpenBSD" (although it text alt was "MicroBSD"). It also linked to which didn't exist. And a nice "strong crypto" blowfish.jpg was available.

Testing special features

I ran /etc/weekly and the locate database was built. I couldn't find anything with it for "tephan", but "apropos tephan" returned:
k5ctl (8) - Stephanie: k5: Binary integrity verification control utility
sneekctl (8) - Stephanie:  Sneek:  execve()  logging control utility

I had a quick look at these manual pages and decided to give them a try.

# sneekctl show
Bad system call (core dumped)
GNU gdb told me:
Program terminated with signal 12, Bad system call.
#0  0x1e79 in ?? ()
#1  0x109c in ?? ()

Then I tried k5ctl for doing binary integrity verification.

# k5ctl list
Total entries in database: 0

Then I added a program to the kernel's k5 database:

# k5ctl add /bin/k5ctl     
# k5ctl info /bin/k5ctl  
Path: /bin/k5ctl (21523)
MD5 Checksum: 31df480e4a3ff9c01bcefccfad77e81e
Matches: 1
Mismatches: 1
Then I added /usr/bin/more and then replaced /usr/bin/more with /bin/cat. As expected, I couldn't run more(1) (or less or page) any more. And man(1) wouldn't work either (unless you use a different PAGER):
sh: /usr/bin/more: Permission denied
(I wonder if this is or can be logged? Or do you just have to use k5ctl info or list to see.)

So I deleted the k5ctl rule with: "k5ctl del /usr/bin/more". And I could use it (really cat) again. (Easy to fix: I just grabbed the ./usr/bin/{less,more,page} files from the base05.tgz file on the CD.)

Then I tried to learn about ldctl which is the Stephanie command for environment protection, but the manual was actually the sneekctl(1) manual. So I tried to get it to show the current status:

# ldctl s 
ldctl: sysctl: Operation not supported
ktrace told me:
 22642 ldctl    CALL  __sysctl(0xcfbfd974,0x2,0xcfbfd968,0xcfbfd96c,0,0)
 22642 ldctl    RET   __sysctl -1 errno 45 Operation not supported

Next, I tried getfacl(1) to output ACL information:

# getfacl /
Bad system call (core dumped)
(Note that the first hash mark was the shell prompt, the others were returned by getfacl.)

GDB said:

Program terminated with signal 12, Bad system call.
#0  0x2363 in ?? ()
#1  0x1b33 in ?? ()
#2  0x1d41 in ?? ()
#3  0x109c in ?? ()

Then I had a look at the acl(3) manual page. Its description begins with:

FreeBSD permits file systems to export Access Control Lists via the
VFS, and provides a library for userland access to and manipulation of
these ACLs.
The history said:
POSIX.1e support was introduced in FreeBSD 4.0; FreeBSD 5.0 was the
first version to include a complete ACL implementation based on extended
(And the manual page was labeled "MicroBSD 3.1" and dated "January 28, 2000".)

The setfacl(1) and getfacl(1) manual says that this extended attribute and access control list support was developed as part of the TrustedBSD Project and introduced in FreeBSD 5.0.

I tried the setfacl(1) tool following the examples found in the manual page. All three returned same "Bad system call (core dumped)".

Oh well. Maybe I have some hardware problems. I am glad the binary integrity checker (k5) worked. And I am interested in learning more about and using some of these features.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met ...

It is interesting to note that the most of this operating system is search-and-replace of another operating system. Generally this okay, due to the public domain, BSD and similar licensing. It would be nice if the ident/RCS tags reflected the real source of the revisions, though.

The developers of the OpenBSD project have worked hard at making sure that the code is clearly licensed and appropriate with conflicting licenses specifically located. They want their code to be able to be reused.

According to a MicroBSD developer posting at an OpenBSD Journal forum, they are still cleaning up, and hope to provide a simple way to provide easy-to-manage (with a web/console GUI) and secure servers out of the box.

Overall, it looks like MicroBSD is an interesting project. I see its best use is in getting more people and systems to use and test some of these new or special features. And maybe other operating systems can learn from any mistakes and/or successes and may integrate some of the code into their operating systems. (On that note, it appears that the 0.5 kernel sources are available for download.)

In the short time, I had to review the MicroBSD, I now have many questions:

  • Where is the FAQ? (Note that I asked their mailing list about the FAQ a couple weeks ago.)
  • Where is the documentation for the MicroBSD "intrusion detection"?
  • Where is the documentation for restricted symlinks?
  • Where is the documentation for environment stripping?
  • Where is the documentation for application stack hardening and protection?
  • Where is the documentation for network port ACLs?
  • Any userland (or kernel) code available via CVS?
  • What's up with these "Bad system calls"?
  • What is the official language for the MicroBSD project?
  • What is the official website for MicroBSD?


Discuss this article below.

system calls 179 and 281 - Jeremy C. Reed
MicroBSD Answers - OutBack Dingo
Stephanie & MicroBSD - Brian

system calls 179 and 281
Jeremy C. Reed - September 05, 2002 13:34:23
Just some more debugging on the bad system calls:

6472 sneekctl CALL #179 (unimplemented)

19824 getfacl CALL #281 (unimplemented sys_acl_get_file)

23088 setfacl CALL #281 (unimplemented sys_acl_get_file)

MicroBSD Answers
OutBack Dingo - September 05, 2002 23:14:36
Yes, we do have some cleaning to do, CVS is being worked on daily to make sure the 0.6 release due shortly is very clean, and all problems, anomolies found in 0.5 have been fixed in 0.6 thanks to some careful eyes in testing the releases. Granted it wasnt quite a search and replace, but alot of what needed to be modified ended up going backwards from 0.4 due to a stupid cvs mistake. :L all in all the 0.6 release is much different and alot more stable. sneek is not implemented in the kernel as of yet though the binary is in cvs. therefor it errors. The docs and all your other questens will be answered in 0.6 and all will be settled in by then. If you wish to forward me your email address ill give you a much greater break down. but right now we do lack coders so most of the work to get releases out is done by me.

Stephanie & MicroBSD
Brian - December 07, 2002 16:41:05
Little late, but anyway:

I'd just like to mention that the Stephanie "package" imported to the MicroBSD tree was the old, obsolete one. The import was NOT done by me, and any conflicts that could've been caused by conflicts with other kernel features MicroBSD imported (and there are plenty) are not flaws in Stephanie.

I've been talking with Dingo about this and to make sure that "Stephanie" in its current, rewritten version is implemented correctly in MicroBSD, I'm doing it myself -- or should I say, looking closely at how it's done.

Also, as for K5 -- I believe it's a good concept, but is still very premature. I'd rather see the NetBSD implementation of such a concept by Brett Lymn (who also *actively* maintaining it) imported to MicroBSD.





Stop Spam Abuse: What operating system's CVS history begins in March 1993?

BSD Links

· Advocacy
· Drivers
· Events
· Flavours
· FAQs
· Guides
· Programming
· Security
· Software
· User Groups

September 16, 2013 11:24:29

Front | Information | Lists | Newsfeeds | Study Guide