forked from openbsd/www
-
Notifications
You must be signed in to change notification settings - Fork 0
/
33.html
426 lines (359 loc) · 15 KB
/
33.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
<!doctype html>
<html lang=en id=release>
<meta charset=utf-8>
<title>OpenBSD 3.3</title>
<meta name="description" content="OpenBSD 3.3">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/33.html">
<h2 id=OpenBSD>
<a href="index.html">
<i>Open</i><b>BSD</b></a>
3.3
</h2>
<table>
<tr>
<td>
<a href="images/Barbarian.gif">
<img width="255" height="343" src="images/Barbarian.gif" alt="Barbarian"></a>
<td>
Released May 1, 2003<br>
Copyright 1997-2003, Theo de Raadt.<br>
<cite class=isbn>ISBN 0-9731791-1-2</cite>
<br>
3.3 Song: <a href="lyrics.html#33">"Puff the Barbarian"</a>
<br>
<br>
<ul>
<li>See the information on <a href="ftp.html">the FTP page</a> for
a list of mirror machines.
<li>Go to the <code class=reldir>pub/OpenBSD/3.3/</code> directory on
one of the mirror sites.
<li>Have a look at <a href="errata33.html">The 3.3 Errata page</a> for a list
of bugs and workarounds.
<li>See a <a href="plus33.html">detailed log of changes</a> between the
3.2 and 3.3 releases.
</ul>
<p>
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via <code>ports.tar.gz</code>.
</table>
<hr>
<section id=new>
<h3>What's New</h3>
<p>
This is a partial list of new features and systems included in OpenBSD 3.3.
For a comprehensive list, see the <a href="plus33.html">changelog</a> leading
to 3.3.
<p>
<ul>
<li>Integration of the
<a href="http://www.research.ibm.com/trl/projects/security/ssp/">ProPolice</a>
stack protection technology, by Hiroaki Etoh, into the system
compiler. This protection is enabled by default. With this change,
function prologues are modified to rearrange the stack: a random
canary is placed before the return address, and buffer variables are
moved closer to the canary so that regular variables are below, and
harder to smash. The function epilogue then checks if the canary is
still intact. If it is not, the process is terminated. This change
makes it very hard for an attacker to modify the return address used
when returning from a function.
<p>
<li>W^X (pronounced: "W xor X") on architectures capable of
pure execute-bit support in the MMU (sparc, sparc64, alpha,
hppa). This is a fine-grained memory permissions layout, ensuring that
memory which can be written to by application programs can not be
executable at the same time and vice versa. This raises the bar on
potential buffer overflows and other attacks: as a result, an attacker
is unable to write code anywhere in memory where it can be executed.
(NOTE: i386 and powerpc do not support W^X in 3.3; however, 3.3-current
already supports it on i386, and both these processors are expected to
support this change in 3.4).
<p>
<li>Still more reduction in setuid and setgid binaries, and more chroot
use throughout the system. While some programs are still setuid or
setgid, almost all of them grab a resource and then quickly revoke
privilege.
<p>
<li>The X window server and xconsole now use privilege separation,
for better security. Also, xterm has been modified to do privilege
revocation. xdm runs as a special user and group, to further constrain
what might go wrong.
<p>
<li>As usual, improvements to the documentation, notably the man pages and
the Web FAQ. An increasingly large part of the website is available in several
languages.
<p>
<li>More complete collection and better tested set of "ports".
setuid/setgid ports have been significantly reduced as well. Many of the
ones that remain setuid have been modified to revoke privileges as early
as possible.
<p>
<li>Over 2000 pre-built and tested packages.
<p>
<li>Significant improvements to the pthread library.
<p>
<li>An incredible amount of enhancements and stability improvements to
our packet filter, <a
href="https://man.openbsd.org/pf.4">pf</a>,
including:
<ul>
<li>Queue, a bandwidth management system (uses altq underneath)
<li>Anchors, allowing subrulesets which can be loaded and modified independently
<li>Tables, a very efficient way for large address lists in rules
<li>Address pools, redirect/NAT to multiple addresses and thus load balancing
<li>Configuration language has been made much more flexible
<li>TCP window scaling support
<li>Full CIDR support
<li>Early checksum verification return on invalid packets
<li>Performance boost: large rulesets load much faster now
<li><a href="https://man.openbsd.org/spamd">spamd</a>,
a spam deferral daemon, which SMTP connections can be redirected to.
This daemon handles connections based on black lists and white lists,
tar-pits the connections, and ensures that the spammer knows why their
mail has not been accepted.
</ul>
<p>
<li>Much improved <a href="sparc64.html">sparc64</a> support: support for
more models and several major bugs eradicated.
<p>
<li>The system includes the following major components from outside suppliers:
<ul>
<li>XFree86 4.2.1 (and i386 contains 3.3.X servers also, thus providing support for all chipsets)
<li>Gcc 2.95.3 (+ patches)
<li>Perl 5.8.0 (+ patches)
<li>Apache 1.3.27, mod_ssl 2.8.12, DSO support (+ patches)
<li>OpenSSL 0.9.7beta3 (+ patches)
<li>Groff 1.15
<li>Sendmail 8.12.9
<li>Bind 9.2.2 (+ patches)
<li>Lynx 2.8.2rel.1 with HTTPS support added (+ patches)
<li>Sudo 1.6.7
<li>Ncurses 5.2
<li>Latest KAME IPv6
<li>KTH Kerberos 1.1.1
<li>Heimdal 0.4e (+ patches)
<li>OpenSSH 3.6
</ul>
<p>
<li>Many improvements for security and reliability (look for the red
print in the <a href="plus33.html">complete changelog</a>).
<p>
<li> and much more.
</ul>
</section>
<hr>
<section id=install>
<h3>How to install</h3>
<p>
Following this are the instructions which you would have on a piece of
paper if you had purchased a CDROM set instead of doing an alternate
form of install. The instructions for doing an ftp (or other style
of) install are very similar; the CDROM instructions are left intact
so that you can see how much easier it would have been if you had
purchased a CDROM instead.
<p>
<hr>
Please refer to the following files on the three CDROMs or ftp mirror for
extensive details on how to install OpenBSD 3.3 on your machine:
<p>
<ul>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/i386/INSTALL.i386">
.../OpenBSD/3.3/i386/INSTALL.i386 (on CD1)</a>
<p>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/macppc/INSTALL.macppc">
.../OpenBSD/3.3/macppc/INSTALL.macppc (on CD2)</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/vax/INSTALL.vax">
.../OpenBSD/3.3/vax/INSTALL.vax (on CD2)</a>
<p>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/sparc/INSTALL.sparc">
.../OpenBSD/3.3/sparc/INSTALL.sparc (on CD3)</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/sparc64/INSTALL.sparc64">
.../OpenBSD/3.3/sparc64/INSTALL.sparc64 (on CD3)</a>
<p>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/alpha/INSTALL.alpha">
.../OpenBSD/3.3/alpha/INSTALL.alpha</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/hp300/INSTALL.hp300">
.../OpenBSD/3.3/hp300/INSTALL.hp300</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/hppa/INSTALL.hppa">
.../OpenBSD/3.3/hppa/INSTALL.hppa</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/mac68k/INSTALL.mac68k">
.../OpenBSD/3.3/mac68k/INSTALL.mac68k</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/mvme68k/INSTALL.mvme68k">
.../OpenBSD/3.3/mvme68k/INSTALL.mvme68k</a>
</ul>
</section>
<hr>
<section id=quickinstall>
<p>
Quick installer information for people familiar with OpenBSD, and the
use of the "disklabel -E" command. If you are at all confused when
installing OpenBSD, read the relevant INSTALL.* file as listed above!
<h3>OpenBSD/i386:</h3>
<p>
Play with your BIOS options to enable booting from a CD. The OpenBSD/i386
release is on CD1. If your BIOS does not support booting from CD, you will need
to create a boot floppy to install from. To create a boot floppy write
<i>CD1:3.3/i386/floppy33.fs</i> to a floppy and boot via the floppy drive.
<p>
Use <i>CD1:3.3/i386/floppyB33.fs</i> instead for greater scsi controller
support, or <i>CD1:3.3/i386/floppyC33.fs</i> for better laptop support.
<p>
If you are planning on dual booting OpenBSD with another OS, you will need to read the included INSTALL.i386 document.
<p>
To make a boot floppy under MS-DOS, use the "rawrite" utility located
at <i>CD:/3.3/tools/rawrite.exe</i>. To make the boot floppy under a Unix OS, use the <a href="https://man.openbsd.org/dd.1">dd(1)</a> utility. The following is an example usage of <a href="https://man.openbsd.org/dd.1">dd(1)</a>, where the device could be "floppy", "rfd0c", or "rfd0a".
<blockquote><pre>
# <kbd>dd if=<file> of=/dev/<device> bs=32k</kbd>
</pre></blockquote>
<p>
Make sure you use properly formatted perfect floppies with NO BAD BLOCKS or your install will most likely fail. For more information on creating a boot floppy and installing OpenBSD/i386 please refer to <a href="faq/faq4.html#MkFlop">this page</a>.
<h3>OpenBSD/macppc:</h3>
<p>
Put the CD2 in your CDROM drive and poweron your machine while holding down the
<i>C</i> key until the display turns on and shows <i>OpenBSD/macppc boot</i>.
<p>
Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
/3.3/macppc/bsd.rd</i>
<h3>OpenBSD/vax:</h3>
<p>
Boot over the network via mopbooting as described in INSTALL.vax.
<h3>OpenBSD/sparc:</h3>
<p>
The 3.3 release of OpenBSD/sparc is located on CD3. To boot off of this CD you can use one of the two commands listed below, depending on the version of your ROM.
<blockquote><pre>
> <kbd>boot cdrom 3.3/sparc/bsd.rd</kbd>
or
> <kbd>b sd(0,6,0)3.3/sparc/bsd.rd</kbd>
</pre></blockquote>
<p>
If your sparc does not have a CD drive, you can alternatively boot from floppy.
To do so you need to write "CD3:3.3/sparc/floppy33.fs" to a floppy. For more information see <a href="faq/faq4.html#MkFlop">this page</a>. To boot from the floppy use one of the two commands listed below, depending on the version of your ROM.
<blockquote><pre>
> <kbd>boot floppy</kbd>
or
> <kbd>boot fd()</kbd>
</pre></blockquote>
<p>
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.
<p>
If your sparc doesn't have a floppy drive nor a CD drive, you can either
setup a bootable tape, or install via network, as told in the
INSTALL.sparc file.
<h3>OpenBSD/sparc64:</h3>
<p>
Put the CD3 in your CDROM drive and type <i>boot cdrom</i>.
<p>
If this doesn't work, or if you don't have a CDROM drive, you can write
<i>CD3:3.3/sparc64/floppy33.fs</i> to a floppy and boot it with <i>boot
floppy</i>.<br>
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.
<p>
You can also write <i>CD3:3.3/sparc64/miniroot33.fs</i> to the swap partition on
the disk and boot with <i>boot disk:b</i>.
<p>
If nothing works, you can boot over the network as described in INSTALL.sparc64
<h3>OpenBSD/alpha:</h3>
<p>
Write <i>3.3/alpha/floppy33.fs</i> or
<i>3.3/alpha/floppyB33.fs</i> (depending on your machine) to a diskette and
enter <i>boot dva0</i>. Refer to INSTALL.alpha for more details.
<p>
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.
<h3>OpenBSD/hp300:</h3>
<p>
Boot over the network by following the instructions in INSTALL.hp300.
<h3>OpenBSD/hppa:</h3>
<p>
Boot over the network by following the instructions in INSTALL.hppa or the
<a href="hppa.html#netboot">hppa platform page</a>.
<h3>OpenBSD/mac68k:</h3>
<p>
Boot MacOS as normal and partition your disk with the appropriate A/UX
configurations. Then, extract the Macside utilities from
<i>3.3/mac68k/utils</i> onto your hard disk. Run Mkfs to create your
filesystems on the A/UX partitions you just made. Then, use the
"BSD/Mac68k Installer" to copy all the sets in <i>3.3/mac68k/</i> onto your
partitions. Finally, you will be ready to configure the "BSD/Mac68k
Booter" with the location of your kernel and boot the system.
<h3>OpenBSD/mvme68k:</h3>
<p>
You can create a bootable installation tape or boot over the network.<br>
The network boot requires a MVME68K BUG version that supports the <i>NIOT</i>
and <i>NBO</i> debugger commands. Follow the instructions in INSTALL.mvme68k
for more details.
</section>
<hr>
<section id=sourcecode>
<h3>Notes about the source code</h3>
<p>
<code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
This file contains everything you need except for the kernel sources, which are
in a separate archive. To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/src.tar.gz</kbd>
</pre></blockquote>
<p>
<code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src/sys</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
</pre></blockquote>
<p>
Both of these trees are a regular CVS checkout. Using these trees it
is possible to get a head-start on using the anoncvs servers as
described <a href="anoncvs.html">here</a>.
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.
</section>
<hr>
<section id=ports>
<h3>Ports Tree</h3>
<p>
A ports tree archive is also provided. To extract:
<blockquote><pre>
# <kbd>cd /usr</kbd>
# <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
</pre></blockquote>
<p>
The <i>ports/</i> subdirectory is a checkout of the OpenBSD ports tree. Go
read the <a href="faq/faq15.html">ports</a> page
if you know nothing about ports
at this point. This text is not a manual of how to use ports.
Rather, it is a set of notes meant to kickstart the user on the
OpenBSD ports system.
<p>
Certainly, the OpenBSD ports system is not complete. It is doubtful it
will ever be. However, it is growing very fast and getting more stable.
Almost all ports provided with this release should build without problems
on most architectures (over 2000 packages build on i386, for instance).
<p>
The <i>ports/</i> directory represents a CVS (see the manpage for
<a href="https://man.openbsd.org/cvs.1">cvs(1)</a> if
you aren't familiar with CVS) checkout of our ports. As with our complete
source tree, our ports tree is available via anoncvs. So, in
order to keep current with it, you must make the <i>ports/</i> tree
available on a read-write medium and update the tree with a command
like:
<blockquote><pre>
# <kbd>cd [portsdir]/; cvs -d [email protected]:/cvs update -Pd -rOPENBSD_3_3</kbd>
</pre></blockquote>
<p>
[Of course, you must replace the local directory and server name here
with the location of your ports collection and a nearby anoncvs
server.]
<p>
Note that most ports are available as packages on our mirrors. Updated
packages for the 3.3 release will be made available if problems arise.
<p>
If you're interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list
<a href="mail.html">[email protected]</a> is a good place to know.
</section>