The Laporte has landed!

This week on BSDNow, we have some big breaking news about another major switcher to FreeBSD, plus early information about the pending

This episode was brought to you by

/>

Headlines

Leo Laporte tries FreeBSD

• Leo Laporte, formerly of TechTV, and now of TWiT.tv, is switching to FreeBSD
• “The latest debacle over the "forced" upgrade to Windows 10 and Apple's increasingly locked-in ecosystem has got me thinking. Do I really need to use a proprietary operating system to get work done? And while I'm at it, do I need to use commercial cloud services to store my data?”
• A sometimes Linux user since the mid 90s, Leo talks about his motivations:
• “But as time went by, even Ubuntu began to seem too commercial to me”
• “So now for the grand experiment. Is it possible, I wonder, to do everything I need to do on an even more venerable, more robust system: a true UNIX OS, FreeBSD? Here are my requirements”
• Browsing
• Email with PGP signing and encryption
• Coding - I'm a hobbyist programmer requiring support for lisp/scheme/racket, rust, and python (and maybe forth and clojure and meteor and whatever else is cool and new)
• Writing
• A password vault. I currently use Lastpass because it syncs with mobile but eventually I'll need to find a FOSS replacement for that, too
• Photo editing - this is the toughest to replace. I love Photoshop and Lightroom. Can I get by with, say, GIMP and Darktable?
• I do all of those things on my PCBSD machine all the time
• “I love Linux and will continue to use it on my laptops, but for my main workhorse desktop I think FreeBSD will be a better choice. I also look forward to learning and administering a true UNIX system.”
• He got a nice SuperMicro based workstation, with an Intel Xeon E3-1275v5 and an NVIDIA GeForce GTX 960 GPU
• I have a server with one of those Skylake E3s, it is very nice
• “450Mbps Wireless N Dual Band PCI-e Adapter w/ 3x 2dBi Antennas (Yes, sad to say, unless I rewire my house I'll have to use Wi-Fi with this beast. I'll probably rewire my house.)”
• He plans to have a 4x 1TB ZFS pool, plus a second pool backed by a 512 GB NVMe m.2 for the OS
• “And I'll continue to chronicle my journey into the land of FOSS here when The Beast arrives. But in the meantime, please excuse me, I've got some reading to do.”
• Leo went so far as to slap a “Power By FreeBSD” sticker on the back of his new Tesla ***

OpenBSD 6.0 to be released on Sept 1st, 2016

• OpenBSD 6.0 Tenative Released Notes
• OpenBSD 6.0 is just around the corner, currently slated for Sept 1st and brings with it a whole slew of exciting new features
• First up, and let’s get this right out of the way.. VAX support has been dropped!! Oh no!
• However to make up for this devastating loss, armv7 has been added to this release.
• The tentative release notes are very complete and marks 6.0 as quite an exciting release
• OpenBSD 6.0 Pre-orders up

OpenBSD 6.0 tightens security by losing Linux compatibility

• In related news, infoworld picked up on the pending removal of Linux compat from OpenBSD 6.0.
• Touted as a security feature, you will soon be unable to run legacy linux binaries on OpenBSD. This has both positives and negatives depending upon your use case. Ironically we’re excitedly awaiting improved Linux Compat support in FreeBSD, to allow running some various closed-source applications. (Netflix DRM, Steam, Skype to name a few) ***

EuroBSDCon 2016 Schedule released

• EuroBSDCon 2016 Tutorial Schedule released
• EuroBSDCon has announced the list of talks and tutorials for September 22nd-25th’s conference!
• George Neville Neil (Who we’ve interviewed in the past) is giving the keynote about “The Coming Decades of BSD” ***

News Roundup

Blast from the past

• No interview again this week, we’re working on getting some people lined up.
• The Leo Laporte story brought these old gem from TechTV into my youtube playlist:
• Matt Olander and Murrey Stokey explain FreeBSD on TechTV
• Matt Olander and Brooks Davis explain building a cluster with FreeBSD on TechTV
• FreeBSD vs Linux Part 1
• FreeBSD vs Linux Part 2 ***

Running FreeBSD on the LibreM

• Eric McCorkle (Who has worked on the EFI loader for a while now) has written an update on his efforts to get FreeBSD working properly on the LibreM 13 laptop.

• Since April the work seems to be progressing nicely

  • Matt Macy’s i915 graphics patch works well on the Librem 13, and I personally made sure that the suspend/resume support works. The patch is very stable on the Librem, and I’ve only had one kernel panic the entire time testing it.
  • The HDMI output Just Works™ with the i915 driver. Even better, it works for both X11 and console modes.
  • Full support for the Atheros 9462 card has been merged in. I’ve had some occasional issues, but it works for the most part.
  • The vesa weirdness is obviated by i915 support, but it was resolved by using the scfb driver.

• Some of the outstanding issues still being worked on are support for Synaptics on this particular touchpad, as well as hotkey support for the keyboard, and brightness controls.

• In addition Eric is still working on the EFI + Geli support, with the eventual goal of getting EFI secure-boot working out of box as well.

  ---

More OpenBSD syscall fuzzing

• NCC Group’s Project Triforce continues its work of fuzzing OpenBSD
• This time they have found a flaw that allows any user to panic the kernel
• Attempting to read from the tmpfs_vfsops sysctl tree will panic the system: “attempt to execute user address 0x0 in supervisor mode”
• This is actually a “good” thing…
• “Impact: Any user can panic the kernel by using the sysctl call. If a user can manage to map a page at address zero, they may be able to gain kernel code execution and escalate privileges”
• OpenBSD’s default configuration prevents mapping a page at address zero, so the code execution is prevented
• So while a panic is a bad outcome, it is a lot better than it could have been ***

Root privilege escalation on NetBSD

• This post described a root privilege escalation in NetBSD
• mail.local is a utility included in the base system for delivering mail to other users on the same system, rather than invoking a mail client and going through the mail server.
• The mail.local utility contains a ‘time of check / time of use’ vulnerability. This means that it checks if a file or permission is valid, and then later accesses that file. If an attacker can change that file between the time when it is checked, and the time when it is used, they may be able to exploit the system by evading the check
• This is exactly what happens in this case
• mail.local appends a message to the indicated user’s mailbox
• It first checks if the target user already has an existing mailbox file. If the file exists, but is a link, mail.local exits with an error (to prevent exploits)
• If the file does not exist, it is created
• The message is then appended to the file
• If the file needed to be created, it is chown’d to the owner of the mailbox
• This is where the problem lies, if mail.local checks and does not find the mailbox, but an attacker then creates a link from the target mailbox to some other file
• mail.local then appends to that file instead, thinking it is creating the new mailbox
• Then, mail.local chown’s the target file to the user the attacker was trying to send mail to
• The article explains how this could be used to replace /etc/master.passwd etc, but opts for an easier proof of concept, replacing /usr/bin/atrun, which is run as root every 5 minutes from crontab with a script that will copy the shell to /tmp and mark it setuid
• The attacker can then run that shell out of /tmp, and be root
• NetBSD fixed the vulnerability by changing the code flow, separating the cases for opening an existing file from creating a new file.
• In the case where an existing file is opened, the code then verifies that the file that was opened has the same inode number and is on the same device, as the file that was checked earlier, to ensure it was not a link ***

FreeBSD Heap vulnerability in bspatch

• An important vuln has been found and fixed in FreeBSD this past week, specifically relating to the ‘bspatch’ utility.
• “Upstream's bspatch.c implementation doesn't check for negative values on the number of bytes to read from the "diff" and "extra" streams, allowing an attacker controlling the patch file to write at arbitrary locations in the heap.”
• This could result in a crash, or running arbitrary code as the user running bspatch. (Often root)
• “bspatch's main loop reads three numbers from the "control" stream in the patch: X, Y and Z. The first two are the number of bytes to read from "diff" and "extra" (and thus only non-negative), while the third one could be positive or negative and moves the oldpos pointer on the source image. These 3 values are 64bits signed ints (encoded somehow on the file) that are later passed the function that reads from the streams, but those values are not verified to be non-negative.”
• “Chrome[OS] has four different implementations of this program, all derived from the same original code by Colin Percival.”
• Chromium Issue Tracker
• Patch your systems now! ***

Beastie Bits:

• If you're a BUG member or Organizer, please contact BSD Now

• TedU writes about some interesting localizations to gcc in openbsd, and why they are there

• List of Products based on FreeBSD -- Help complete the list

• Virtualbox v5 hits the FreeBSD Ports tree

• Skull Canyon NUC booting FreeBSD 11.0-BETA2

• 2016 BSDCan Trip Report : Trent Thompson

• August London BSD Meetup

  ---

Feedback/Questions

• Michael Open-Source Alts
• Herminio - AP Troubles
• Jake - Plasma
• Morgan - Clean DO Droplets
• Chris - Auditd ***