cat

Fear and Loathing in OpenBSD, or qorg’s experiences with OpenBSD

The other day I woke up and I thought “I’m going to migrate my server to OpenBSD for absolutely no reason”. And so I did. The operating system have been a pain and a pleasure simultaneously, and in this page I intend to give my experiences with it.

I will be updating this page as I have more experiences with OpenBSD. So add this page to your booksmarks!

Last update. 2022-06-09

If you enjoy this article, please consider donating: https://liberapay.com/qorg11. For questions or comments on this article feel free to reach me out at teru-sama [at] riseup [dot] net

Installation

The installation process was pretty straightforward, it was just enter, enter, enter, altough I had to connect an ethernet cable for it to download some necessary firmware (so I could use the network card) and thus, the wireless connection.

Setting up services

httpd(8)

The website you’re in is the website I care the most, kill-9 can wait because that’s only a website in which i complain about things. Complaining about everything is not good because in this life, well, in Ozzy Osbourne words, “Learn how to love and forget how to hate”. So I’d rather focus on ebin.city and qorg11.net for the time.

OpenBSD ships with the httpd web server. A really simple and very secure http server. The main config file is /etc/httpd.conf which has a very simple, human readable syntax.

One of the features of this webserver is that chroots to a directory. Meaning that, to the web server, anything before the given directory (/var/www by default), does not exist. So if a vulnerability is found, the attacker can’t do much things, as the attacker can’t go beyond /var/www.

slowcgi(8)

OpenBSD comes out-of-the-box with a FastCGI implementation, which is very simple to use. you only have to add fastcgi at the desired site in httpd.conf . The following configuration file is enough to execute CGI scripts.

server "qorg11.net" {
       listen on * port 80
       root "sites/qorg11.net"
       location "/*.cgi" {
                fastcgi
                root "sites/qorg11.net"
       }
}

But not so fast! Remember that httpd runs in a chroot? Well, your CGI apps won’t work by default, because the chroot lacks the binaries that are necessary to execute the program. So if your CGI appliaction is a perl script, you’ll have to do something like cp /usr/bin/perl /var/www/bin. If your Perl script uses third-party modules, you’ll have to copy them to anything that is in @INC, so /usr/var/www/usr/lib/perl5 or something like that. Also your chroot will lack all the core utils. I just installed plan9port and copied the files to /var/www/bin, which is more than enough.

As mentioned before. I haven’t been able to setup werc in httpd. Not sure why. I might try to reinstall it some other day. But I guess I’d have to use another server to do that.

As of 2022-06-02 I got werc to werk under httpd. The config file is a bit weird, but it worked. Altough I had to install an older werc version because the most recent one had some issues. This is the config that worked. Thanks to solene in IRC for the pattern!

server "kill-9.xyz" {
        alias "www.kill-9.xyz"
        listen on 127.0.0.1 port 1340

        listen on * tls port 443

        tls {
                certificate "/etc/ssl/kill9cert.pem"
                key "/etc/ssl/kill9key.pem"
        }

        # If there's a dot in the URL (i.e. a file extension, don't run it as
        # a CGI script.)

        location match "%s*%.%s*" {
                root "/werc/sites/kill-9.xyz"
                no fastcgi
        }

        location match "/" {
                fastcgi param SCRIPT_NAME "/werc/bin/werc.rc" 
                fastcgi param SCRIPT_FILENAME "/werc/bin/werc.rc"
                fastcgi param DOCUMENT_ROOT "/werc/sites/kill-9.xyz"
        }
        root "/werc/sites/kill-9.xyz/"


}

And then I tried to install cgit. When clonning from httpd I got an error I’ve never got before. Something like “Recieved HTTP/0.9 when not allowed”. I don’t know what the hell httpd(8) meant by that. But it was fixed by nuking the repos and pushing them again from scratch. I guess it had something to do with file corruption. But you have to be crazy on acid to think that sending HTTP/0.9 is a good way to tell a file is corrupted.

Darknets

Not much difference from how you’d install Tor & I2P in a Linux machine. Just install the tor and i2pd packages using pkg_add(1) and configure them normally. I had to copy the old private keys from my old machine to the new server. But that was not a big issue. I also migrated from the classic I2P, written in Java to i2pd. Not because I dislike the Java I2P, I think it is, along with Freenet, the only good software written in Java. I just wanted to keep the server as light as possible. And i2pd is way lighter than Java I2P.

Programming in OpenBSD

OpenBSD claims to be the most secure UNIX out there. This is probably true as it has much features, such as the WX thing. Which means memory can be written or executed, but not both. Basically an attacker could not execute a buffer overflow attack. Because he can only write. But not execute it. This thing was introdouced in 2003.

pledge(2)

OpenBSD takes security very seriously. This was the reason to be of the pledge() syscall. Pledge does, as defined by the manpage: “restrict system operations”. This is the prototype: pledge(const char *promises, const char *execpromises);

Check the manpage for the possible promises. This is a quick example:

#include <stdio.h>              /* printf() */
#include <unistd.h>             /* pledge() */
#include <sys/stat.h>           /* chmod() */

int
main(void)
{
     /* stdio promise allows basic input output operations. Check the
      * manpage for the syscalls this promise allows. */
     pledge("stdio", "");

     chmod("/etc/passwd",0644);

     return 0;
     /* This code will crash at runtime. the "stdio" promise doesn't
      * allow the chmod() syscall. */
}

Running that code will prodouce the following output:

Abort trap (core dumped) 

This is very useful, imagine that for example, some injects, somehow, malicious code in your cat(1) program. Sending data to a remote server. As cat didn’t pledge("inet",...), cat won’t be able to create a connection.

unveil(2)

I like this syscall more than pledge(2) according to the manpage: “unveil parts of a restricted filesystem view” This means that, except for the file specified in the unveil() calls, wont’ exist for the program. Consider the following code and its output:

#include <unistd.h>             /* read(), write(), unveil() */
#include <fcntl.h>              /* open() and flags */
#include <string.h>             /* strerror() */
#include <errno.h>              /* errno variable */
#include <stdio.h>              /* fprintf() */

int
main(void)
{
     /* This program can exclusively open /etc/httpd.conf for reading. */
     unveil("/etc/httpd.conf","r");
     /* This call disables further calls to unveil() */
     unveil(NULL, NULL); 
     /* What happens if we try to open another file? */
     int fd = open("/etc/passwd", O_RDONLY);

     if(fd == -1) {
          fprintf(stderr,"Error opening file: %s\n",
                  strerror(errno));
          _exit(-1);
     }

     char buf[8192];
     int bytes = read(fd, buf, 8192);
     write(STDOUT_FILENO, buf, bytes);

     return 0;
}

Output: Error opening file: No such file or directory

Yes, my /etc/passwd file exists.

perl(1)

Perl is the only scripting language that OpenBSD ships. And they have their reasons you can read here. This means that Perl comes with support for the OpenBSD weird features. This means that you can call pledge(2) and unveil(2) from your Perl scripts! Here’s an example of that:

#!/usr/bin/perl

# The syscalls come as modules, so you have to import them, the
# subroutines are exported by default.

use OpenBSD::Pledge;
use OpenBSD::Unveil;
# The manpage says that, without the "stdio" promise, perl is useless,
# so it is called by default no matter what you do.
pledge("inet rpath wpath unix"); # Some example promises...
unveil("/etc/httpd.conf","r");
unveil("/etc/pf.conf","r");
unveil(); # Restrict further calls to unveil()

strlcpy(3) and strlcat(3)

The well known strncpy(3) and strncat(3) functions copy no more than n characters, but these functions are not guaranteed to add the ’\0’ at the end of the string. strlcpy(3) and strlcat(3) guarante that the string ends with ’\0’

Makefiles

For some reasons, I wanted to rewrite the Makefile of one of my programs. And I discovered that BSD make is much better than GNU make. With GNU Make you have to declare pattern rules. And weird syntax. And you have to write similar makefiles for each program. In OpenBSD this is not necessary because makefile has some kind of “templates”. This is a perfectly working makefile, with clean and install targets

PROG = sakisafecli
SRCS += funcs.c sakisafecli.c
MAN  = sakisafecli.1 sakisafeclirc.5
LDADD  = -lssl -lz -lpthread -lnghttp2 -lcurl -lconfig -lcrypto -L/usr/local/lib
CPPFLAGS = -I/usr/local/include 
BINDIR=/usr/local/bin
.include <bsd.prog.mk>

This makefile also works in Linux, but using the bmake command instead of make. It also works in FreeBSD but you’d have to repleace CPPFLAGS with CFLAGS.

Libraries

OpenBSD, unlike every Linux distribution out there, thinks about everyone. And when you download a library through the package manager, it will install the shared objects (for dynamic linking), the header files (which means, no -dev/-devel packages) AND the .a files. For static linking!

Software and the power it holds

OpenBSD comes with a lot of software that should be enough for your normal tasks. But, it’s not like OpenBSD grabbed some code and put it in the code, no, they wrote their own versions of popular software. And “ported” them to OpenBSD, so the software that comes with the operating system uses the security features, they call pledge(). and stuff like that.

mg(1)

This is a Emacs clone. For the people who, for any reason, can’t (or don’t want) to run GNU Emacs. This clone is pretty complete, the only thing it lacks, regarding emacs, is emacs lisp support and syntax highlighting. But this is a good nano(1), ed(1) or vi(1) repleacement.

signify(1)

GNU Privacy Guard is kinda heavy, and we don’t have any other decent OpenPGP implementation. This is the reason of why the OpenBSD devs created signify(1), a tool to cryptographically sign and verify files and messages. And this is the way OpenBSD images are verified. It’s pretty simple to use:

# Generate pub and sec key. They have to have the same name. Only
# changing the file extension

$ signify -G -c "qorg's signify key" -p qorg.pub -s qorg.sec

# Sign a file/message

$ echo "Hello world!" > message.txt
$ signify -S -s qorg.sec -m message.txt

# Verify file/message

$ signify -V -p qorg.pub -m message.txt

# Further examples in the manpage.

tmux(1)

Tmux, the legendary terminal multiplexer, that is way better than screen, was initially developed for OpenBSD. I don’t think I have to talk a lot about tmux because everyone knows it. tmux in OpenBSD comes with all the security features too.

doas(1)

This is a repleacement for sudo that has been developed by OpenBSD. it has also emerged in the linux community. Altough it works best in OpenBSD. I have some issues getting doas to work in Debian, but not in Void Linux. doas is very simple to configure. No need to add yourself to a group or anything like that. You can simply add this to /etc/doas.conf

permit nopass keepenv qorg as groq
# Allow user qorg to execute commands as groq. Keeping all the
# environment variables.

# qorg can't execute commands as any user that is not groq.

permit nopass keepenv qrog

# qrog can execute commands as any user.

openrsync(1)

Sometimes you want to syncronize files between your computers and servers. And then you realize cp(1) is kinda bad for that and tar isslow. Then you discover rsync and that just works. But this wasn’t the case for the OpenBSD guys, they wanted a rsync implementation under the BSD license. So they wrote =openrsync=. This works just like rsync and, according to the manpage: “openrsync is compatible with rsync protocol version 27 as supported by the samba.org implementation of rsync”. Meaning that if you don’t have openrsync in other server, it will just worke, and vice versa. This is an example of usage of openrsync.

openrsync --rsync-path=openrsync -av Xanopticon remote_server:/var/www/files/Music

As I don’t have rsync installed in the remote server, but I have openrsync, I specify that the path of rsync is openrsync. This way it just works.

acme-client(1)

Today I recieved a mail telling me that the kill -9 certificate expired. “Fuck’s sake” — I inmediatly thought. “I have to renew it”. But I was not going to install certbot in this OpenBSD server. So I had to find a way. I remembered that OpenBSD ships with acme-client. A program that helps you to generate your certificates for TLS connections. And they can be signed with the Let’s Encrypt certificate authority. The config file is pretty simple and intuitive. You can copy and paste it from /etc/examples/acme-client.conf and only configure the revelant part that would be your domain. In my case I have it like this:

authority letsencrypt {
        api url "https://acme-v02.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-privkey.pem"
}

domain qorg11.net {
        alternative names { "www.qorg11.net", "files.qorg11.net" }
        domain key "/etc/ssl/qorg11.key" ecdsa
        domain full chain certificate "/etc/ssl/qorg11.crt"
        sign with letsencrypt
}

I used to use wildcard certificates. That were valid to any qorg11.net subdomain. But I couldn’t make them work in acme-client. But as acme-client is less of a pain in the ass than certbot. I can certainly just modify the configuration file each time I create a new subdomain. And that doesn’t happen too often.

Documentation

OpenBSD takes documentation very seriously. So seriously, if a manpage is lacking in a sys util, it’s considered a bug. So everything that comes with your OpenBSD installation is very well documented. Config files have their own manpages section, the section 5. so you can learn how to write httpd config files by running man httpd.conf This is something more developers should do. There’s also the /etc/examples directory which contains examples of most config files that you’d want to setup. Those file are commented and everything. But /etc/examples always lacks the config file I want or doesn’t help at all.

Backups

I am a self-proclaimed good sysadmin. This means I should be able to do backups and restore them. Not gonna lie, before OpenBSD i haven’t had any backup. Though I have heard that you can do incremental backups with tar(1). I guess this could be useful. But OpenBSD comes with it’s features and things. These tools are dump(8) and restore(8). Those were a bit confusing to me until I learned how to use them properly. You can read the manpages for dump(8) and restore(8) which explains pretty well how to use the software. At least that’s what should have happened. Because it didn’t. For some reason OpenBSD insists in using tapes in 2022. So yeah, apparently the -a flag is mandatory these days. You can use this command to backup a directory, /etc in this case.

# 0 means it is a level 0 backup. Next backup should be level 1, then
# 2... Read the manpage for more details.
$ doas dump -0uaf backup_etc.dump /etc

This will take some time depending how big the directory is. /etc is usually not too big so this example will not take a lot of time.

After 1 hour of wondering why my backup wasn’t working, i discovered that restore(8) takes everything as relative paths. Meaning that it will restore to the directory you’re in, so if you do restore -xfbackup_etc.dump /etc/httpd.conf, it will restore it to $PWD/etc/httpd.conf, not to /etc/httpd.conf. So you should cd to / when restoring backups, something like this:

cd /
restore -xf /var/backups/backup_etc.dump /etc/

Network

First I tried to use the wifi card my computer came with. But for some reason it kept sayin wpi0: device timeout. Leaving my computer without connection. So I had to connect the Ethernet cable. And I thought that that would solve the connection problem. But today I woke up and my computer did not have internet connection. But it had LAN connection. Not sure what happened. And well, that’s the reason of why my site was down. I’ll try to fix it.

Firewall

OpenBSD comes with a firewall, called pf, which stands for Packet Filter. As every other software developed by OpenBSD, it uses its simple config file.

I used the firewall to deny ssh requests from every IP address except my local network (that is, 192.168.0.0/16) and from my static IPv6 address.

At first the rules were not working for the IPv6 address, because I don’t have IPv6 at home, I use a WireGuard interface for that for that, and pf didn’t know that. So I had to specify that those rules should also apply to the wireguard interface, like this:

pass in on {egress wg0} ...

And that just worked.

Yiou can also limit the connection of an user. For example, the following line will disable all the connection for the user ’groq’:

# Block outcoming connections to user qorg.
block return out proto {tcp udp} user qorg 
# Block incoming connection to user qorg. Not sure how useful this is.
block return in  proto {tcp udp} user qorg

And I’ve also added some IP addresses that have tried to exploit, ehem, WordPress vulnerabilities in my webserver. I added them to a file, /etc/spammers. And used a pf(8) feature to block all of them. And I also wanted that ssh would be disabled for everyone except for the machines in the Local Area Network. So only people in my network could ssh to my server. pf.conf has a very readable syntax, which makes this very easy:

# Good/Dreaded IP ranges
table <localnet> const { 192.168.0.0/16 }
table <spammers> const file "/etc/spammers"

# Block spammers requests to the server. Also requests to spammers.

block in on { egress wg0 } from <spammers> to any

# Allow SSH access from the LAN

block return in log proto tcp from any to port ssh pass in on egress
proto tcp from <localnet> to port 22
Unlimited Aku works VOL. II La saga del exilio