2.5 The Feel of OpenBSD
OpenBSD feels different from many other UNIX systems. Its filesystem layout is more controlled and is designed primarily for security and functionality, rather than to satisfy the needs of the marketing department.
Furthermore, OpenBSD attempts to adhere to its BSD 4.4 roots and do things “the BSD way” when possible. Many commercial and even some other free operating systems have adopted many System V features and characteristics.
2.5.1 Filesystem Layout
One of the first things that most new users will notice about OpenBSD is how the layout feels different than that of most other UNIX systems. One of the goals of OpenBSD is to make the system elegant. The result is that files are where you expect them to be. All system binaries are stored in /sbin folders, while the userland binaries are in /bin. As the software was developed mostly from the ground up, OpenBSD doesn’t have any extra backward compatibility, like the support for /opt or /usr/ccs/bin seen on some other UNIX systems. This is possible because the number of people who are able to make changes to the system is kept to a minimum.
There is similar control for the ports tree—the main way new applications are installed. There is good control to prevent ports from installing files outside of /usr/local. All of these constraints help the operating system have a clean feel throughout, which many users see as a great selling point for the system.
2.5.2 Security
OpenBSD is different from most other systems in another way: it is built to be secure by default. On a new OpenBSD installation, there are very few daemons running and few network services started. Many other systems don’t behave in this manner. Most systems turn on almost every service possible to save the user from having to do the setup. In contrast, on an OpenBSD system, the user needs to go through the configuration steps to enable a service. This “secure by default” stance has prevented security problems on many occasions. A threat may affect many other systems, but because the affected service wasn’t configured or enabled on OpenBSD systems, the security of the system remains intact.
This stance also applies to all services that are enabled by default; the least necessary access is given and the most secure setup is configured. This sometimes has the side effect of closing off some expected functionality. As an example, by default the OpenSSH daemon is configured with X forwarding disabled. Most users would prefer to have this service turned on, but it’s an unnecessary feature and it might turn out to be a security threat.
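The X forwarding default described above can be checked mechanically. The following is an added example, not code from the book or from the OpenBSD project: a POSIX shell function that reads an sshd_config-style file and reports the global X11Forwarding value, using OpenSSH's rule that the first value obtained for a keyword wins. The function names, the sample files, and the simplifications (Include files are not followed, Match blocks are ignored) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the book): report the global X11Forwarding value
# in an sshd_config-style file. Simplifications: Include files are not
# followed and anything after the first Match block is ignored.

effective_x11() {   # $1 = path to an sshd_config-style file
    awk '
        /^[ \t]*(#|$)/ { next }              # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)        # keyword ends at space or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))   # keywords ignore case
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit         # end of the global section
            if (key == "x11forwarding") { print val; found = 1; exit }
        }
        END { if (!found) print "no" }       # unset: OpenSSH default is no
    ' "$1"
}

audit_x11() {       # prints a verdict; returns 1 when forwarding is enabled
    val=$(effective_x11 "$1")
    if [ "$val" = "yes" ]; then
        echo "FAIL: $1 enables X11Forwarding"
        return 1
    fi
    echo "OK:   $1 leaves X11Forwarding at '$val'"
}

# Constructed sample configurations (not taken from a real host).
SAMPLES=$(mktemp -d)
printf '%s\n' '# shipped default' '#X11Forwarding no' 'PermitRootLogin no' \
    > "$SAMPLES/default.conf"
printf '%s\n' 'x11forwarding yes' 'X11Forwarding no' \
    > "$SAMPLES/enabled.conf"          # first value wins, so this is "yes"
printf '%s\n' 'Match User alice' '    X11Forwarding yes' \
    > "$SAMPLES/match_only.conf"       # only inside Match: global stays "no"

for f in "$SAMPLES"/*.conf; do
    audit_x11 "$f" || true             # keep going after a FAIL
done
```

On a running host, `sshd -T` prints the daemon's own view of its effective settings and is the authoritative check.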
This isn’t to say that OpenBSD is a minimalist system. The basic installation contains an SSL-enabled Apache Web server, an FTP server, an NIS client and server, an SSH server (enabled by default), a routing server, and much, much more. Most of these services are controlled via central configuration files (discussed in later chapters). The system also supports a number of third-party packages, such as the Network Time Protocol (NTP), which are enabled in the system start-up when they are installed.
2.5.3 User Friendliness
As can be seen from the discussion of its security in Section 2.4.2, OpenBSD seems to be designed differently than a lot of other UNIX systems. Most systems are designed to be easy to use and friendly to the user, to the point of sacrificing security. The development of OpenBSD is driven solely by the ideals of its team of developers. Although many people are upset by some of the opinions of the leading group, this strategy has the side effect of keeping the system clean.
Another place where this attitude can be seen is in the support (and lack of support) for some hardware. NetBSD aims to support as many hardware architectures as possible and has support for almost any piece of hardware that can be bought. Solaris is designed to run well on the SPARC and i386 processor lines. The hardware that is supported by OpenBSD is directly related to the task most OpenBSD systems perform: networking services. As a result, a good number of strong and stable network cards are supported, but other, more error-prone cards (e.g., old NE2000 cards) are not as well supported. Any hardware that OpenBSD does support, however, typically works well.