OpenBSD Request For Commit
I'm presenting here various changes to the OpenBSD src tree that I consider useful.
Most requests will be sent to the OpenBSD mailing lists, sometimes by mailing a developer directly.
Obviously "RFC" is a play on words, to underline that these are requests for changes via CVS.
Here is the list:
RFC#1 - chmod pf.conf

Request to change the default permissions of /etc/pf.conf from 644 to 600.
This prevents a local user, or an attacker running a web script, from reading the PF ruleset. Note that at the moment this is the only way a normal user can gather information about the PF ruleset: pfctl needs root permissions to open /dev/pf.
RFC#2 - startx

Request to modify /usr/X11R6/bin/startx to remove the X server's default TCP bind.
By default the X server binds TCP ports from 6000 up (one per display), which means that a local user could watch other users' displays.
The best solution is to change the serverargs line to this value:
serverargs="-nolisten tcp"
This gives a closed-by-default X server, which is right for most workstations.
Obviously a Q&A entry should be added to FAQ8:
---------------------------------------------------------------------
Q: How can I start an X11 session on a remote OpenBSD system?
A: Since OpenBSD 3.3 the X server doesn't bind any TCP port. To enable remote X11 sessions you have to modify /usr/X11R6/bin/startx, removing the options from the serverargs line:
serverargs=""
Take care to filter the TCP ports from 6000 up on the loopback interface (lo0).
---------------------------------------------------------------------
RFC#3 - magic-jumps

Request to modify PF's skip-steps code, upgrading it to magic-jumps.
Currently PF uses skip-steps to jump over rules that cannot match.
When a parameter doesn't match, it looks for the next rule with a different value for that parameter.
Example:
1) pass in quick on rl0 inet proto tcp from $ip1 port 80 to any
2) pass in quick on rl0 inet proto udp from $ip1 port 53 to any
3) pass in quick on rl0 inet proto udp from $ip2 port 514 to any
4) pass in quick on rl0 inet proto tcp from $ip2 port 25 to any
5) block in quick on rl0 all
Imagine a TCP packet coming in on rl0 from $ip3.
PF evaluates the first rule: all parameters match up to the source address, which doesn't. So the first rule is found not to match. The second rule is skipped, since it specifies the same mismatching source address, and evaluation continues at rule #3.
Note that it's impossible for rule #3 to match: on rule #1 PF already found that proto tcp matched, so how could proto udp match now?
This means that PF only looks at the parameter that didn't match.
Here is where magic-jumps come in:
the trick is to jump to the next rule provided by the skip-steps engine only if all the parameters to the left of the mismatching one are still matchable, compared with the original rule that didn't match.
With this added check, PF skips rule #3 because the proto has changed (#1=tcp, #3=udp) and jumps straight to rule #4.
Obviously this is a small example, but magic-jumps could add some speed-up even when rulesets aren't exactly skip-step-ordered.
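To make the two behaviours concrete, here is a small simulation of skip-steps and of the proposed magic-jumps check. This is an added example, not PF's code: it models only three of PF's rule parameters (proto, source address, source port), keeps $ip1/$ip2/$ip3 as placeholder strings, and treats every rule as "quick", exactly like the five-rule example above. The one generalization beyond the text is the wildcard guard in magic_target(): a rule whose value for a left-hand parameter is "any" differs from the original rule's value but can still match, so the added check must leave such rules to the normal comparison.

```python
"""Simulation of PF skip-steps and of the magic-jumps check proposed above.
Added example, not PF's code: a tiny subset of the real rule parameters."""

# Parameters in the order they are compared (a subset of PF's real list).
PARAMS = ["proto", "src", "sport"]
ANY = "any"

# Constructed ruleset: the five rules from the text. $ip1/$ip2 are kept as
# placeholder strings; all rules are "quick", as in the example.
RULES = [
    {"action": "pass",  "proto": "tcp", "src": "$ip1", "sport": "80"},
    {"action": "pass",  "proto": "udp", "src": "$ip1", "sport": "53"},
    {"action": "pass",  "proto": "udp", "src": "$ip2", "sport": "514"},
    {"action": "pass",  "proto": "tcp", "src": "$ip2", "sport": "25"},
    {"action": "block", "proto": ANY,   "src": ANY,    "sport": ANY},
]

# Constructed packet: TCP from $ip3, as in the text (source port arbitrary).
PACKET = {"proto": "tcp", "src": "$ip3", "sport": "1234"}


def build_skip_steps(rules):
    """skip[i][p] is the index of the next rule whose value for parameter p
    differs from rule i's (len(rules) if none): the table pfctl precomputes."""
    n = len(rules)
    skip = [{} for _ in range(n)]
    for p in PARAMS:
        for i in range(n):
            j = i + 1
            while j < n and rules[j][p] == rules[i][p]:
                j += 1
            skip[i][p] = j
    return skip


def matches(rule_value, packet_value):
    return rule_value == ANY or rule_value == packet_value


def magic_target(rules, skip, i, orig, k):
    """Magic-jumps check for candidate rule i, reached after rule orig failed
    on parameter k. The parameters left of k matched the packet in rule orig,
    so if rule i carries a different exact value for one of them it cannot
    match either, and its own skip step is followed without touching the
    packet. A wildcard on either side is left to the normal comparison: a
    differing value may still match, and skipping it would drop a rule."""
    for p in PARAMS[:k]:
        if (rules[orig][p] != ANY and rules[i][p] != ANY
                and rules[i][p] != rules[orig][p]):
            return skip[i][p]
    return None


def evaluate(rules, packet, magic=False):
    """Walk the ruleset for one packet. Returns (final action, list of rule
    indices that were actually compared against the packet)."""
    skip = build_skip_steps(rules)
    compared, action, i, last_fail = [], None, 0, None
    while i < len(rules):
        if magic and last_fail is not None:
            target = magic_target(rules, skip, i, *last_fail)
            if target is not None:
                i = target      # rule i never compared: jumped over
                continue
        compared.append(i)
        failed = next((k for k, p in enumerate(PARAMS)
                       if not matches(rules[i][p], packet[p])), None)
        if failed is None:
            action = rules[i]["action"]
            if rules[i].get("quick", True):
                break
            i, last_fail = i + 1, None
        else:
            last_fail = (i, failed)
            i = skip[i][PARAMS[failed]]
    return action, compared


if __name__ == "__main__":
    for mode in (False, True):
        action, seen = evaluate(RULES, PACKET, magic=mode)
        print("magic=%s: %s, rules compared: %s"
              % (mode, action, [n + 1 for n in seen]))
```

Run as is, the plain walk compares rules 1, 3, 4 and 5 before blocking, while the magic-jumps walk compares only 1, 4 and 5; the saving is exactly the rule #3 evaluation the text describes.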
RFC#4 - console beep

Request to disable the console beep by default.
Most users disable the keyboard bell right after installation.
This is true for both server and workstation setups.
It's absolutely annoying.
To disable it, simply add this line to /etc/wsconsctl.conf:
keyboard.bell.pitch=0
This is a really good default setting...
RFC#5 - wget FTP

Request to set passive FTP by default in the wget port.
Like /usr/bin/ftp and /usr/bin/lynx, which use passive FTP by default, I think it would be a good default for the wget port too.
To change the configuration file during the port build, run "make" and then modify the file /usr/ports/net/wget/w-wget-1.7p1/wget-1.7/doc/sample.wgetrc.
You should change the FTP line from:
#passive_ftp = off
to:
passive_ftp = on
After that you can go on with "make install" and you'll get the modified configuration file installed as /etc/wgetrc.
RFC#6 - syslogd

Request to add an option that avoids binding the UDP port.
By default OpenBSD syslogd keeps UDP port 514 open even if it is never used. In fact, to use the UDP port at all you have to edit /etc/syslogd.conf, either to accept remote logs or to select a host to send logs to.
Applying this small patch to the -current version of syslogd.c introduces a new option, "-s", that doesn't bind any UDP port.
240c240
< while ((ch = getopt(argc, argv, "dnuf:m:p:a:")) != -1)
---
> while ((ch = getopt(argc, argv, "dnusf:m:p:a:")) != -1)
259a260,262
> case 's': /* don't bind udp input port */
> SecureMode = 2;
> break;
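Review bot: nothing in this new case rejects -s given together with -u; both options assign SecureMode, so whichever appears last on the command line silently wins and the result depends on argument order. Suggest remembering that each flag was seen and calling usage() when both are set. Also, SecureMode now holds a third value; if the existing code tests it as a boolean (secure vs. not), 2 still reads as "secure", which is what this change wants, but that reliance deserves a comment at the declaration.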
337c340,345
< finet = socket(AF_INET, SOCK_DGRAM, 0);
---
>
> if ( SecureMode == 2 )
> finet = -1;
> else
> finet = socket(AF_INET, SOCK_DGRAM, 0);
>
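Review bot: leaving finet = -1 in the SecureMode == 2 branch is only safe if every later use of finet checks for it, and this hunk shows no such guard. Presumably the descriptor is added to the select() read set and used by the sendto() that forwards messages; FD_SET() on -1 is undefined behaviour and sendto() would fail with EBADF on every forwarded line. Each of those sites needs an `if (finet >= 0)` test, and the error path that follows socket() (which logs when finet < 0) must not fire for this deliberate -1.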
475c483
< "usage: syslogd [-dnu] [-f config_file] [-m mark_interval] "
---
> "usage: syslogd [-dnus] [-f config_file] [-m mark_interval] "
Also a patch for the man page syslogd.8:
45c45
< .Op Fl dnu
---
> .Op Fl dnus
81a82,86
> .It Fl s
> Select the
> .Dq secure
> mode, in which syslogd will never bind any UDP port.
> This is usefull when you don't need to receive logs from or send logs to remote systems.
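Review bot: spelling in the new .It Fl s text: "usefull" should be "useful". The description should also state how -s relates to -u (mutually exclusive, or which one wins), since the code change accepts both on one command line.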
122,124c127,133
< opens the above described socket whether or not it is
< running in secure mode.
< If
---
> opens the above described socket by default,
> but all incoming data on this socket is discarded,
> infact the socket is only required to send forwarded messages.
> .Pp
> In
> .Dq secure
> mode
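Review bot: the rewritten default-mode paragraph now says unconditionally that incoming data on the socket is discarded, which is only true when -u is not given; the sentence it replaces ("whether or not it is running in secure mode") kept that dependency explicit, so keep a reference to Fl u here. "infact" should be "in fact". There is also a naming clash: the existing page already uses "secure mode" for the default (no -u) behaviour, and the new .Dq secure paragraph reuses the same words for -s; a distinct term such as "local-only mode" would avoid two meanings of "secure" in one manual page.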
126,127c135,136
< is running in secure mode, all incoming data on this socket is discarded.
< The socket is required for sending forwarded messages.
---
> doesn't open any socket and can't log to a remote host or receive logs.
> This is the best choice if you want to log only locally.
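Review bot: "doesn't open any socket" overstates it: syslogd still opens its local inputs (the /dev/log Unix-domain socket and the kernel log device) in this mode, so say "doesn't open the UDP socket". The text should also spell out what happens to @host forwarding entries in syslogd.conf when -s is in effect (ignored, or an error at startup), because that is the surprise an administrator will hit first.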
Finally /etc/rc.conf should be modified to start syslogd with the argument "-s".
So we'll have 3 ways to use syslogd:
"syslogd -u" - accept remote logs
"syslogd -s" - log to local
"syslogd" - log to remote
RFC#7 - ports fetching

Request to define HTTP as the preferred way to fetch distfiles.
Today every port maintainer chooses a fetch method among whatever is available.
Most times this choice is FTP even if HTTP is available.
Every FTP download occupies 2 sockets on both the server and the client:
Active FTP
Client A > 1024 and B > 1024
Server C = 21 and D = 20
Passive FTP
Client A > 1024 and B = A+1
Server C = 21 and D > 1024
HTTP is stateless, FTP is not.
But we never use this feature of the FTP protocol: if you try to fetch all the KDE distfiles you'll see
a new connection to the server's port 21 for every file. This is overhead...
An HTTP fetch is faster to set up.
HTTP needs only one shared socket on the server.
I'm asking the ports coordinators to publicly define a preferred order of fetching methods.
This is what I suggest:
1) HTTP
2) FTP
Downloading distfiles from one single mirror is really faster using HTTP than FTP, because you don't lose time
setting up an FTP control connection for each file. Try it and see...
RFC#8 - bzip2

Request to import bzip2 into the official src tree.
Reading /policy.html and looking at the src tree layout, it is clear that GPLed software is used only if there is no alternative.
Looking at bzip2, I found that this software seems to have a fully compatible license and gives better compression than gzip.
It is already used by some ports to decompress distfiles and could give a lot of advantages (see RFC#9).
Look at how many Mbytes you could save downloading the 3.3 snapshots:
base33 (tgz) 30903567 (bz2) 24120264
comp33 (tgz) 16590617 (bz2) 13837916
etc33 (tgz) 1500604 (bz2) 1232789
man33 (tgz) 6128578 (bz2) 4685742
misc33 (tgz) 1748521 (bz2) 1712209
In this case a patch to pax/tar should be developed, but a pipe can do the job in the meantime.
Obviously packages could also be built using bzip2, again saving a lot of bandwidth and storage space.
However, all these ways of using bzip2 are only examples; at the moment I'm only saying that bzip2 seems to have a better license and better performance than gzip, so I'm asking to include it in the default src tree.
RFC#9 - distfiles

Request to define bzip2 as the preferred distfiles format.
Today every port maintainer chooses a format among whatever is available.
Most times this choice is gzip even if bzip2 is available.
bzip2 could let the OpenBSD mirrors save a lot of Mbytes of disk storage and bandwidth.
Users fetching distfiles would also need less time. Time is precious for anyone...
I'm asking the ports coordinators to publicly define a preferred order of distfile formats.
This is the order I suggest:
1) bzip2
2) gzip
3) zip
4) ...
Some interesting examples:
PHP 4.3.1 (tar.bz2) 3,596Kb (tar.gz) 4,395Kb
GTK+ 2.2.1 (tar.bz2) 6.2MB (tar.gz) 8.9MB
OpenOffice 1.0.2 (bzip2) 154MB (gzip) 172MB
RFC#10 - static ttl

Request to add a sysctl that avoids decrementing the TTL when forwarding packets.
At the moment a bridge must be set up to keep the TTL untouched.
However a bridge adds complexity and sometimes too many unwanted features.
It could be possible to add a new meaning to net.inet.ip.forwarding:
net.inet.ip.forwarding = 0 #disabled
net.inet.ip.forwarding = 1 #forwarding
net.inet.ip.forwarding = 2 #forwarding same TTL
or to add a brand new one:
net.inet.ip.staticttl = 0 #default TTL--
net.inet.ip.staticttl = 1 #static TTL
RFC#11 - return-icmp-as-dest

Request to add support for return-icmp-as-dest in PF.
With TCP "return-rst", PF spoofs the source address of the RST.
Instead, with "return-icmp(port-unr)" for UDP ports, PF sends the ICMP from its own IP.
I think return-icmp-as-dest should be added and used by default for UDP responses.
RFC#12 - PF version

Request to introduce a public revision number for PF and pfctl.
Looking at CVSWeb I collected a quick stat about how many things changed in the single file /usr/src/sys/net/pf.c:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c?only_with_tag=OPENBSD_3_3
3.0 6 commits 1 year
3.1 2 commits 1 year
3.2 1 commit 1 year
3.3 5 commits 6 months
If you sum all the changes to the pf* files and to pfctl, it becomes easy to understand that PF can behave in _different_ ways even if you are using the same OpenBSD release: it depends on the date of the last sync with the -stable branch.
Given that not everyone follows the -stable branch, I suggest introducing a public revision number for PF, available via sysctl or other ways. The same request goes for pfctl, where it could easily be provided with a -V argument.
By the way, this method should be used with every tool written for and available only on OpenBSD, like authpf, pflogd and so on. After all, isn't it true that every piece of imported software, or software available as a port, has its own version number?
RFC#13 - openssh protocol

Request to modify the openssh default protocol version.
By default ssh and sshd can automatically fall back to the obsolete SSH protocol v1 if one of the two doesn't support v2.
I'm asking to remove this automatic fallback, letting the user manually choose the obsolete v1 with the "ssh -1" command.
The small change needed can be applied in the OpenBSD tree, leaving the OpenSSH default configuration files unchanged.
/usr/src/usr.bin/ssh/sshd_config
- #Protocol 2,1
+ Protocol 2
/usr/src/usr.bin/ssh/ssh_config
- # Protocol 2,1
+ Protocol 2
RFC#14 - openssh keysize

Request to increase the openssh default key size.
The obsolete SSH protocol v1 server key is only 768 bits long and is regenerated every hour. Even though I suggest not using v1, I think it's better to increase the key size by modifying the OpenBSD tree, leaving the OpenSSH default configuration files unchanged.
/usr/src/usr.bin/ssh/sshd_config
- #ServerKeyBits 768
+ ServerKeyBits 1024
Given that most people jump across releases instead of updating every six months, SSH v2 server keys can stay the same for more than one year. Even if no method to break a public key is known yet, I'm asking to double the difficulty of doing it.
/usr/src/etc/rc
- if /usr/bin/ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''; then
+ if /usr/bin/ssh-keygen -q -b 2048 -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''; then
- if /usr/bin/ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''; then
+ if /usr/bin/ssh-keygen -q -b 2048 -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''; then
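A quick way to verify that a host actually carries the two settings RFC#13 and RFC#14 ask for is to parse its sshd_config and compare the effective values. The following is an added example, not OpenSSH code: it reads the file with the keyword rules ssh and sshd use (case-insensitive keywords, `Keyword value` or `Keyword=value`, first occurrence wins) and falls back to the compiled-in defaults documented by the commented-out lines of the stock file (Protocol 2,1 and ServerKeyBits 768, as quoted above). The sample configuration is constructed to look like a stock file with nothing enabled.

```python
"""Check an sshd_config/ssh_config text for the two defaults requested above
(Protocol 2 only, ServerKeyBits >= 1024). Added example, not OpenSSH code."""
import re
import sys

# Constructed sample: the stock files ship with every keyword commented out,
# so the effective values are the compiled-in defaults the comments document.
SAMPLE_SSHD_CONFIG = """\
# This is the sshd server system-wide configuration file.
#Port 22
#Protocol 2,1
#ServerKeyBits 768
#PermitRootLogin yes
"""

# Compiled-in defaults, as stated by the commented lines in the stock file.
STOCK_DEFAULTS = {"protocol": "2,1", "serverkeybits": "768"}

# "Keyword value" or "Keyword=value"; value runs to end of line.
KEYWORD = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_ssh_config(text):
    """Return {keyword (lower-cased): value} for the active lines. Keywords
    are case-insensitive and, for both ssh and sshd, the first occurrence of a
    keyword is the one that takes effect, so later duplicates are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD.match(line)
        if m:
            settings.setdefault(m.group(1).lower(), m.group(2))
    return settings


def effective_settings(text, defaults=STOCK_DEFAULTS):
    """Compiled-in defaults overridden by whatever the file sets explicitly."""
    merged = dict(defaults)
    merged.update(parse_ssh_config(text))
    return merged


def check_config(text):
    """Return a list of findings; an empty list means both requests are met."""
    eff = effective_settings(text)
    findings = []
    protocols = [p.strip() for p in eff["protocol"].split(",")]
    if "1" in protocols:
        findings.append("Protocol %s still permits SSH v1; set 'Protocol 2'"
                        % eff["protocol"])
    if int(eff["serverkeybits"]) < 1024:
        findings.append("ServerKeyBits %s is below 1024" % eff["serverkeybits"])
    return findings


if __name__ == "__main__":
    # Pass a path to audit a real file; with no argument the constructed sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSHD_CONFIG
    for finding in check_config(text) or ["no findings"]:
        print(finding)
```

Note that a commented-out `#Protocol 2,1` is not a setting: the line documents the default, so the check has to treat the absent keyword as "2,1" rather than as "unset", which is why the defaults table is merged in first.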
RFC#15 - sendmail configuration

Request to disable the VRFY and EXPN commands by default.
When raptor (@antifork.org) told me, I couldn't believe it.
OpenBSD, secure-by-default, doesn't take this well-known restriction measure.
While it's true that by default sendmail binds on localhost, it's also true that
most people _trust_ OpenBSD and so don't check what's going on...
Well, if you think this is a well-known fact, take a look:
$ nslookup -type=MX openbsd.org
openbsd.org preference = 10, mail exchanger = cvs.openbsd.org
openbsd.org preference = 7, mail exchanger = openbsd.cs.colorado.edu
We find that openbsd.cs.colorado.edu is the primary OpenBSD mail server.
Does it support VRFY and EXPN?
$ telnet openbsd.cs.colorado.edu 25
Trying 128.138.207.242...
Connected to openbsd.cs.colorado.edu.
Escape character is '^]'.
220 openbsd.org ESMTP Sendmail 8.12.10/8.12.10/millert ready willing and able at Mon, 10 Nov 2003 04:10:07 -0700 (MST)
VRFY root
250 2.1.5 <root@openbsd.cs.colorado.edu>
VRFY www
250 2.1.5 <www@openbsd.cs.colorado.edu>
VRFY hackers
250 2.1.5 <hackers@openbsd.cs.colorado.edu>
VRFY gobbles
550 5.1.1 gobbles... User unknown
VRFY _syslogd
250 2.1.5 Syslog Daemon <_syslogd@openbsd.cs.colorado.edu>
VRFY _x11
250 2.1.5 X server <_x11@openbsd.cs.colorado.edu>
EXPN hackers
250 2.1.5 <"|/var/mj2/bin/mj_enqueue -r -d openbsd.org -l hackers -P20 -p20">
EXPN misc
250 2.1.5 <"|/var/mj2/sbin/runprocmail misc">
EXPN tech
250 2.1.5 <"|/var/mj2/sbin/runprocmail tech">
EXPN ports
250 2.1.5 <"|/var/mj2/sbin/runprocmail ports">
EXPN bugs
250 2.1.5 <"|/var/mj2/sbin/runprocmail bugs">
expn microsoft-lovers
550 5.1.1 microsoft-lovers... User unknown
quit
221 2.0.0 openbsd.cs.colorado.edu closing connection
Connection closed by foreign host.
On this page (http://www.burningvoid.com/iaq/expn-vrfy.html) you can find a detailed explanation of VRFY/EXPN abuse and how to prevent it.
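The session above is the kind of evidence an administrator wants to check against their own mail server, or spot in a captured session. The following detector is an added example, not part of this page or of sendmail: it pairs each VRFY/EXPN line of a transcript with the reply that follows it and reports which verbs the server honoured. The transcript embedded in it is constructed from a trimmed version of the session shown above, with the host name replaced by a placeholder; the sendmail reply codes it keys on (250 confirmed, 550 unknown user, 252 when VRFY is disabled, 502 when EXPN is disabled) are the standard ones.

```python
"""Scan an SMTP session transcript for VRFY/EXPN queries the server answered.
Added example, not from this page's author: run it over a recorded session
against your own mail server to confirm the verbs are really disabled."""
import re

# Constructed transcript, trimmed from the session shown above. Client lines
# carry no reply code; server lines start with a three-digit code.
TRANSCRIPT = """\
220 mail.example.invalid ESMTP Sendmail 8.12.10 ready willing and able
VRFY root
250 2.1.5 <root@mail.example.invalid>
VRFY gobbles
550 5.1.1 gobbles... User unknown
EXPN hackers
250 2.1.5 <"|/var/mj2/bin/mj_enqueue -r -d openbsd.org -l hackers -P20 -p20">
expn nobody-here
550 5.1.1 nobody-here... User unknown
quit
221 2.0.0 mail.example.invalid closing connection
"""

QUERY = re.compile(r"^(vrfy|expn)\s+(\S+)", re.IGNORECASE)
REPLY = re.compile(r"^(\d{3})[ -](.*)$")


def query_replies(transcript):
    """[(verb, argument, code, reply_text)] for every VRFY/EXPN in the
    session, each paired with the server reply that follows it."""
    found, pending = [], None
    for line in transcript.splitlines():
        q = QUERY.match(line)
        if q:
            pending = (q.group(1).upper(), q.group(2))
            continue
        r = REPLY.match(line)
        if r and pending is not None:
            found.append(pending + (r.group(1), r.group(2)))
            pending = None
    return found


def verbs_enabled(transcript):
    """Verbs the server honours. Both 250 (address confirmed) and 550 (name
    rejected) prove the verb is answered, and together they let a caller tell
    valid names from invalid ones. A sendmail with the verb disabled replies
    252 to VRFY and 502 to EXPN whatever the name, so those do not count."""
    return {verb for verb, _, code, _ in query_replies(transcript)
            if code in ("250", "550")}


def confirmed_addresses(transcript):
    """(verb, argument, reply_text) for queries answered 250."""
    return [(v, a, t) for v, a, c, t in query_replies(transcript) if c == "250"]


def exposes_delivery_program(reply_text):
    """An EXPN reply of the form <"|/path/to/program ..."> reveals the local
    delivery agent and its arguments, which is worse than a plain address."""
    return '<"|' in reply_text


if __name__ == "__main__":
    print("verbs honoured:", sorted(verbs_enabled(TRANSCRIPT)))
    for verb, arg, text in confirmed_addresses(TRANSCRIPT):
        tag = " (delivery program path disclosed)" if exposes_delivery_program(text) else ""
        print("%s %s -> %s%s" % (verb, arg, text, tag))
```

The 252 case is the one to get right: it is a 2xx reply, so a check that merely looks for "2" as the first digit would report a correctly hardened server as leaking.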
RFC#16 - /etc/rc

Request to prune /tmp during the shutdown procedure.
By default the /tmp directory is cleared by /etc/rc at boot.
This doesn't prevent sensitive data from remaining accessible on a halted box (example: PHP session files). Even if you need to be physically near the box, the problem is that you could get hold of data not available in any other way on that box, and which in fact is stored in a tmp directory...
This simple patch prunes /tmp before /etc/rc.shutdown is processed. However, I suggest using a tool that overwrites the real disk data of /tmp before the shutdown procedure.
--- src/etc/rc Tue Jul 29 19:52:17 2003
+++ rc.tmp Thu Nov 13 13:23:49 2003
@@ -24,2 +24,10 @@
+# prune quickly with one rm, then use find to clean up /tmp/[lq]*
+# (not needed with mfs /tmp, but doesn't hurt there...)
+prune_tmp() {
+(cd /tmp && rm -rf [a-km-pr-zA-Z]* &&
+ find . ! -name . ! -name lost+found ! -name quota.user \
+ ! -name quota.group -execdir rm -rf -- {} \; -type d -prune)
+}
+
# End subroutines
@@ -40,2 +48,3 @@
chmod 600 /var/db/host.random >/dev/null 2>&1
+ prune_tmp
if [ $? -eq 0 -a -f /etc/rc.shutdown ]; then
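Review bot: inserting `prune_tmp` between `chmod 600 /var/db/host.random` and `if [ $? -eq 0 -a -f /etc/rc.shutdown ]` changes what that `$?` tests: it now holds prune_tmp's exit status (the status of the find inside the subshell) instead of chmod's, so a non-zero result from find would silently skip /etc/rc.shutdown. Either move the call after the if-block or save chmod's status before calling it. The ordering is worth reconsidering for a second reason: at this point the daemons that rc.shutdown stops are still running, and some keep sockets or lock files in /tmp, so pruning here can pull files out from under them; pruning right after rc.shutdown completes avoids that and still happens before the halt.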
@@ -341,7 +350,3 @@
-# prune quickly with one rm, then use find to clean up /tmp/[lq]*
-# (not needed with mfs /tmp, but doesn't hurt there...)
-(cd /tmp && rm -rf [a-km-pr-zA-Z]* &&
- find . ! -name . ! -name lost+found ! -name quota.user \
- ! -name quota.group -execdir rm -rf -- {} \; -type d -prune)
+prune_tmp
RFC#17 - chmod 750 /home/users

Request to create users' home directories with mode 750.
Privacy by default.
There's no more to say beyond that. I think a simple user should not be
able to browse other users' home directories even if important files are kept
inaccessible. This also prevents unaware users from disclosing important files
because of wrong permissions.
Privacy by default!
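RFC#1 and RFC#17 both come down to a file mode that should never be looser than a given value. The audit below is an added example, not OpenBSD code: it checks that /etc/pf.conf grants nothing beyond 0600 and that each directory under /home grants nothing beyond 0750, accepting stricter modes and reporting missing paths. The mode lookup is injectable so the same logic can be run against a recorded table of modes rather than the live filesystem; the paths and the 0600/0750 targets are the ones requested on this page.

```python
"""Audit the two file-mode defaults requested on this page: /etc/pf.conf
should be 0600 and every home directory 0750. Added example, not OpenBSD
code; run it as root on the host, or feed it a recorded mode table."""
import os
import stat


def mode_of(path):
    """Permission bits of path, or None if it doesn't exist. lstat() is used
    so a symlink planted at the path is not followed."""
    try:
        return stat.S_IMODE(os.lstat(path).st_mode) & 0o777
    except FileNotFoundError:
        return None


def too_permissive(actual, expected):
    """True when actual grants a permission bit that expected does not.
    Stricter-than-expected modes (e.g. 0400 against 0600) are accepted."""
    return bool(actual & ~expected)


def audit(entries, lookup=mode_of):
    """entries: iterable of (path, expected_mode). Returns a list of
    (path, actual_mode, expected_mode) for every entry that is missing
    (actual_mode None) or looser than expected. lookup maps a path to its
    mode, or None, so a recorded table can be audited offline."""
    findings = []
    for path, expected in entries:
        actual = lookup(path)
        if actual is None or too_permissive(actual, expected):
            findings.append((path, actual, expected))
    return findings


def home_dir_entries(home_root="/home"):
    """One (path, 0o750) entry per real directory under home_root."""
    entries = []
    for name in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, name)
        if os.path.isdir(path) and not os.path.islink(path):
            entries.append((path, 0o750))
    return entries


def format_finding(path, actual, expected):
    shown = "missing" if actual is None else "%04o" % actual
    return "%s: mode %s, expected at most %04o" % (path, shown, expected)


if __name__ == "__main__":
    entries = [("/etc/pf.conf", 0o600)] + home_dir_entries()
    for finding in audit(entries):
        print(format_finding(*finding))
```

The comparison is `actual & ~expected` rather than equality: a home directory already at 0700 satisfies the request, and a pf.conf at 0400 does too, so only extra bits are reported.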
Ed White - Ed3f