mirror of https://github.com/openbsd/www.git
427 lines
15 KiB
HTML
427 lines
15 KiB
HTML
<!doctype html>
|
|
<html lang=en id=release>
|
|
<meta charset=utf-8>
|
|
|
|
<title>OpenBSD 3.3</title>
|
|
<meta name="description" content="OpenBSD 3.3">
|
|
<meta name="viewport" content="width=device-width, initial-scale=1">
|
|
<link rel="stylesheet" type="text/css" href="openbsd.css">
|
|
<link rel="canonical" href="https://www.openbsd.org/33.html">
|
|
|
|
<h2 id=OpenBSD>
|
|
<a href="index.html">
|
|
<i>Open</i><b>BSD</b></a>
|
|
3.3
|
|
</h2>
|
|
|
|
<table>
|
|
<tr>
|
|
<td>
|
|
<a href="images/Barbarian.gif">
|
|
<img width="255" height="343" src="images/Barbarian.gif" alt="Barbarian"></a>
|
|
|
|
<td>
|
|
Released May 1, 2003<br>
|
|
Copyright 1997-2003, Theo de Raadt.<br>
|
|
<cite class=isbn>ISBN 0-9731791-1-2</cite>
|
|
<br>
|
|
3.3 Song: <a href="lyrics.html#33">"Puff the Barbarian"</a>
|
|
<br>
|
|
<br>
|
|
<ul>
|
|
<li>See the information on <a href="ftp.html">the FTP page</a> for
|
|
a list of mirror machines.
|
|
<li>Go to the <code class=reldir>pub/OpenBSD/3.3/</code> directory on
|
|
one of the mirror sites.
|
|
<li>Have a look at <a href="errata33.html">The 3.3 Errata page</a> for a list
|
|
of bugs and workarounds.
|
|
<li>See a <a href="plus33.html">detailed log of changes</a> between the
|
|
3.2 and 3.3 releases.
|
|
</ul>
|
|
<p>
|
|
All applicable copyrights and credits are in the src.tar.gz,
|
|
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
|
|
files fetched via <code>ports.tar.gz</code>.
|
|
</table>
|
|
|
|
<hr>
|
|
|
|
<section id=new>
|
|
<h3>What's New</h3>
|
|
<p>
|
|
This is a partial list of new features and systems included in OpenBSD 3.3.
|
|
For a comprehensive list, see the <a href="plus33.html">changelog</a> leading
|
|
to 3.3.
|
|
<p>
|
|
|
|
<ul>
|
|
<li>Integration of the
|
|
<a href="http://www.research.ibm.com/trl/projects/security/ssp/">ProPolice</a>
|
|
stack protection technology, by Hiroaki Etoh, into the system
|
|
compiler. This protection is enabled by default. With this change,
|
|
function prologues are modified to rearrange the stack: a random
|
|
canary is placed before the return address, and buffer variables are
|
|
moved closer to the canary so that regular variables are below, and
|
|
harder to smash. The function epilogue then checks if the canary is
|
|
still intact. If it is not, the process is terminated. This change
|
|
makes it very hard for an attacker to modify the return address used
|
|
when returning from a function.
|
|
<p>
|
|
|
|
<li>W^X (pronounced: "W xor X") on architectures capable of
|
|
pure execute-bit support in the MMU (sparc, sparc64, alpha,
|
|
hppa). This is a fine-grained memory permissions layout, ensuring that
|
|
memory which can be written to by application programs can not be
|
|
executable at the same time and vice versa. This raises the bar on
|
|
potential buffer overflows and other attacks: as a result, an attacker
|
|
is unable to write code anywhere in memory where it can be executed.
|
|
(NOTE: i386 and powerpc do not support W^X in 3.3; however, 3.3-current
|
|
already supports it on i386, and both these processors are expected to
|
|
support this change in 3.4).
|
|
<p>
|
|
|
|
<li>Still more reduction in setuid and setgid binaries, and more chroot
|
|
use throughout the system. While some programs are still setuid or
|
|
setgid, almost all of them grab a resource and then quickly revoke
|
|
privilege.
|
|
<p>
|
|
|
|
<li>The X window server and xconsole now use privilege separation,
|
|
for better security. Also, xterm has been modified to do privilege
|
|
revocation. xdm runs as a special user and group, to further constrain
|
|
what might go wrong.
|
|
<p>
|
|
|
|
<li>As usual, improvements to the documentation, notably the man pages and
|
|
the Web FAQ. An increasingly large part of the website is available in several
|
|
languages.
|
|
<p>
|
|
|
|
<li>More complete collection and better tested set of "ports".
|
|
setuid/setgid ports have been significantly reduced as well. Many of the
|
|
ones that remain setuid have been modified to revoke privileges as early
|
|
as possible.
|
|
<p>
|
|
|
|
<li>Over 2000 pre-built and tested packages.
|
|
<p>
|
|
|
|
<li>Significant improvements to the pthread library.
|
|
<p>
|
|
|
|
<li>An incredible amount of enhancements and stability improvements to
|
|
our packet filter, <a
|
|
href="https://man.openbsd.org/pf.4">pf</a>,
|
|
including:
|
|
<ul>
|
|
<li>Queue, a bandwidth management system (uses altq underneath)
|
|
<li>Anchors, allowing subrulesets which can be loaded and modified independently
|
|
<li>Tables, a very efficient way for large address lists in rules
|
|
<li>Address pools, redirect/NAT to multiple addresses and thus load balancing
|
|
<li>Configuration language has been made much more flexible
|
|
<li>TCP window scaling support
|
|
<li>Full CIDR support
|
|
<li>Early checksum verification return on invalid packets
|
|
<li>Performance boost: large rulesets load much faster now
|
|
<li><a href="https://man.openbsd.org/spamd">spamd</a>,
|
|
a spam deferral daemon, which SMTP connections can be redirected to.
|
|
This daemon handles connections based on black lists and white lists,
|
|
tar-pits the connections, and ensures that the spammer knows why their
|
|
mail has not been accepted.
|
|
</ul>
|
|
|
|
<p>
|
|
|
|
<li>Much improved <a href="sparc64.html">sparc64</a> support: support for
|
|
more models and several major bugs eradicated.
|
|
|
|
<p>
|
|
|
|
<li>The system includes the following major components from outside suppliers:
|
|
<ul>
|
|
<li>XFree86 4.2.1 (and i386 contains 3.3.X servers also, thus providing support for all chipsets)
|
|
<li>Gcc 2.95.3 (+ patches)
|
|
<li>Perl 5.8.0 (+ patches)
|
|
<li>Apache 1.3.27, mod_ssl 2.8.12, DSO support (+ patches)
|
|
<li>OpenSSL 0.9.7beta3 (+ patches)
|
|
<li>Groff 1.15
|
|
<li>Sendmail 8.12.9
|
|
<li>Bind 9.2.2 (+ patches)
|
|
<li>Lynx 2.8.2rel.1 with HTTPS support added (+ patches)
|
|
<li>Sudo 1.6.7
|
|
<li>Ncurses 5.2
|
|
<li>Latest KAME IPv6
|
|
<li>KTH Kerberos 1.1.1
|
|
<li>Heimdal 0.4e (+ patches)
|
|
<li>OpenSSH 3.6
|
|
</ul>
|
|
<p>
|
|
|
|
<li>Many improvements for security and reliability (look for the red
|
|
print in the <a href="plus33.html">complete changelog</a>).
|
|
<p>
|
|
<li> and much more.
|
|
|
|
</ul>
|
|
</section>
|
|
|
|
<hr>
|
|
|
|
<section id=install>
|
|
<h3>How to install</h3>
|
|
|
|
<p>
|
|
Following this are the instructions which you would have on a piece of
|
|
paper if you had purchased a CDROM set instead of doing an alternate
|
|
form of install. The instructions for doing an ftp (or other style
|
|
of) install are very similar; the CDROM instructions are left intact
|
|
so that you can see how much easier it would have been if you had
|
|
purchased a CDROM instead.
|
|
<p>
|
|
|
|
<hr>
|
|
Please refer to the following files on the three CDROMs or ftp mirror for
|
|
extensive details on how to install OpenBSD 3.3 on your machine:
|
|
<p>
|
|
<ul>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/i386/INSTALL.i386">
|
|
.../OpenBSD/3.3/i386/INSTALL.i386 (on CD1)</a>
|
|
<p>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/macppc/INSTALL.macppc">
|
|
.../OpenBSD/3.3/macppc/INSTALL.macppc (on CD2)</a>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/vax/INSTALL.vax">
|
|
.../OpenBSD/3.3/vax/INSTALL.vax (on CD2)</a>
|
|
<p>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/sparc/INSTALL.sparc">
|
|
.../OpenBSD/3.3/sparc/INSTALL.sparc (on CD3)</a>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/sparc64/INSTALL.sparc64">
|
|
.../OpenBSD/3.3/sparc64/INSTALL.sparc64 (on CD3)</a>
|
|
<p>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/alpha/INSTALL.alpha">
|
|
.../OpenBSD/3.3/alpha/INSTALL.alpha</a>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/hp300/INSTALL.hp300">
|
|
.../OpenBSD/3.3/hp300/INSTALL.hp300</a>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/hppa/INSTALL.hppa">
|
|
.../OpenBSD/3.3/hppa/INSTALL.hppa</a>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/mac68k/INSTALL.mac68k">
|
|
.../OpenBSD/3.3/mac68k/INSTALL.mac68k</a>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/3.3/mvme68k/INSTALL.mvme68k">
|
|
.../OpenBSD/3.3/mvme68k/INSTALL.mvme68k</a>
|
|
</ul>
|
|
</section>
|
|
|
|
<hr>
|
|
|
|
<section id=quickinstall>
|
|
|
|
<p>
|
|
Quick installer information for people familiar with OpenBSD, and the
|
|
use of the "disklabel -E" command. If you are at all confused when
|
|
installing OpenBSD, read the relevant INSTALL.* file as listed above!
|
|
|
|
<h3>OpenBSD/i386:</h3>
|
|
|
|
<p>
|
|
Play with your BIOS options to enable booting from a CD. The OpenBSD/i386
|
|
release is on CD1. If your BIOS does not support booting from CD, you will need
|
|
to create a boot floppy to install from. To create a boot floppy write
|
|
<i>CD1:3.3/i386/floppy33.fs</i> to a floppy and boot via the floppy drive.
|
|
|
|
<p>
|
|
Use <i>CD1:3.3/i386/floppyB33.fs</i> instead for greater scsi controller
|
|
support, or <i>CD1:3.3/i386/floppyC33.fs</i> for better laptop support.
|
|
|
|
<p>
|
|
If you are planning on dual booting OpenBSD with another OS, you will need to read the included INSTALL.i386 document.
|
|
|
|
<p>
|
|
To make a boot floppy under MS-DOS, use the "rawrite" utility located
|
|
at <i>CD:/3.3/tools/rawrite.exe</i>. To make the boot floppy under a Unix OS, use the <a href="https://man.openbsd.org/dd.1">dd(1)</a> utility. The following is an example usage of <a href="https://man.openbsd.org/dd.1">dd(1)</a>, where the device could be "floppy", "rfd0c", or "rfd0a".
|
|
|
|
<blockquote><pre>
|
|
# <kbd>dd if=<file> of=/dev/<device> bs=32k</kbd>
|
|
</pre></blockquote>
|
|
|
|
<p>
|
|
Make sure you use properly formatted perfect floppies with NO BAD BLOCKS or your install will most likely fail. For more information on creating a boot floppy and installing OpenBSD/i386 please refer to <a href="faq/faq4.html#MkFlop">this page</a>.
|
|
|
|
<h3>OpenBSD/macppc:</h3>
|
|
|
|
<p>
|
|
Put the CD2 in your CDROM drive and poweron your machine while holding down the
|
|
<i>C</i> key until the display turns on and shows <i>OpenBSD/macppc boot</i>.
|
|
|
|
<p>
|
|
Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
|
|
/3.3/macppc/bsd.rd</i>
|
|
|
|
<h3>OpenBSD/vax:</h3>
|
|
|
|
<p>
|
|
Boot over the network via mopbooting as described in INSTALL.vax.
|
|
|
|
<h3>OpenBSD/sparc:</h3>
|
|
|
|
<p>
|
|
The 3.3 release of OpenBSD/sparc is located on CD3. To boot off of this CD you can use one of the two commands listed below, depending on the version of your ROM.
|
|
|
|
<blockquote><pre>
|
|
> <kbd>boot cdrom 3.3/sparc/bsd.rd</kbd>
|
|
or
|
|
> <kbd>b sd(0,6,0)3.3/sparc/bsd.rd</kbd>
|
|
</pre></blockquote>
|
|
|
|
<p>
|
|
If your sparc does not have a CD drive, you can alternatively boot from floppy.
|
|
To do so you need to write "CD3:3.3/sparc/floppy33.fs" to a floppy. For more information see <a href="faq/faq4.html#MkFlop">this page</a>. To boot from the floppy use one of the two commands listed below, depending on the version of your ROM.
|
|
|
|
<blockquote><pre>
|
|
> <kbd>boot floppy</kbd>
|
|
or
|
|
> <kbd>boot fd()</kbd>
|
|
</pre></blockquote>
|
|
|
|
<p>
|
|
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.
|
|
|
|
<p>
|
|
If your sparc doesn't have a floppy drive nor a CD drive, you can either
|
|
setup a bootable tape, or install via network, as told in the
|
|
INSTALL.sparc file.
|
|
|
|
<h3>OpenBSD/sparc64:</h3>
|
|
|
|
<p>
|
|
Put the CD3 in your CDROM drive and type <i>boot cdrom</i>.
|
|
|
|
<p>
|
|
If this doesn't work, or if you don't have a CDROM drive, you can write
|
|
<i>CD3:3.3/sparc64/floppy33.fs</i> to a floppy and boot it with <i>boot
|
|
floppy</i>.<br>
|
|
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.
|
|
|
|
<p>
|
|
You can also write <i>CD3:3.3/sparc64/miniroot33.fs</i> to the swap partition on
|
|
the disk and boot with <i>boot disk:b</i>.
|
|
|
|
<p>
|
|
If nothing works, you can boot over the network as described in INSTALL.sparc64
|
|
|
|
<h3>OpenBSD/alpha:</h3>
|
|
|
|
<p>
|
|
Write <i>3.3/alpha/floppy33.fs</i> or
|
|
<i>3.3/alpha/floppyB33.fs</i> (depending on your machine) to a diskette and
|
|
enter <i>boot dva0</i>. Refer to INSTALL.alpha for more details.
|
|
|
|
<p>
|
|
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.
|
|
|
|
<h3>OpenBSD/hp300:</h3>
|
|
|
|
<p>
|
|
Boot over the network by following the instructions in INSTALL.hp300.
|
|
|
|
<h3>OpenBSD/hppa:</h3>
|
|
|
|
<p>
|
|
Boot over the network by following the instructions in INSTALL.hppa or the
|
|
<a href="hppa.html#netboot">hppa platform page</a>.
|
|
|
|
<h3>OpenBSD/mac68k:</h3>
|
|
|
|
<p>
|
|
Boot MacOS as normal and partition your disk with the appropriate A/UX
|
|
configurations. Then, extract the Macside utilities from
|
|
<i>3.3/mac68k/utils</i> onto your hard disk. Run Mkfs to create your
|
|
filesystems on the A/UX partitions you just made. Then, use the
|
|
"BSD/Mac68k Installer" to copy all the sets in <i>3.3/mac68k/</i> onto your
|
|
partitions. Finally, you will be ready to configure the "BSD/Mac68k
|
|
Booter" with the location of your kernel and boot the system.
|
|
|
|
<h3>OpenBSD/mvme68k:</h3>
|
|
|
|
<p>
|
|
You can create a bootable installation tape or boot over the network.<br>
|
|
The network boot requires a MVME68K BUG version that supports the <i>NIOT</i>
|
|
and <i>NBO</i> debugger commands. Follow the instructions in INSTALL.mvme68k
|
|
for more details.
|
|
</section>
|
|
|
|
<hr>
|
|
|
|
<section id=sourcecode>
|
|
<h3>Notes about the source code</h3>
|
|
<p>
|
|
<code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
|
|
This file contains everything you need except for the kernel sources, which are
|
|
in a separate archive. To extract:
|
|
<blockquote><pre>
|
|
# <kbd>mkdir -p /usr/src</kbd>
|
|
# <kbd>cd /usr/src</kbd>
|
|
# <kbd>tar xvfz /tmp/src.tar.gz</kbd>
|
|
</pre></blockquote>
|
|
<p>
|
|
<code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
|
|
This file contains all the kernel sources you need to rebuild kernels.
|
|
To extract:
|
|
<blockquote><pre>
|
|
# <kbd>mkdir -p /usr/src/sys</kbd>
|
|
# <kbd>cd /usr/src</kbd>
|
|
# <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
|
|
</pre></blockquote>
|
|
<p>
|
|
Both of these trees are a regular CVS checkout. Using these trees it
|
|
is possible to get a head-start on using the anoncvs servers as
|
|
described <a href="anoncvs.html">here</a>.
|
|
Using these files
|
|
results in a much faster initial CVS update than you could expect from
|
|
a fresh checkout of the full OpenBSD source tree.
|
|
</section>
|
|
|
|
<hr>
|
|
|
|
<section id=ports>
|
|
<h3>Ports Tree</h3>
|
|
<p>
|
|
A ports tree archive is also provided. To extract:
|
|
<blockquote><pre>
|
|
# <kbd>cd /usr</kbd>
|
|
# <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
|
|
</pre></blockquote>
|
|
<p>
|
|
The <i>ports/</i> subdirectory is a checkout of the OpenBSD ports tree. Go
|
|
read the <a href="faq/faq15.html">ports</a> page
|
|
if you know nothing about ports
|
|
at this point. This text is not a manual of how to use ports.
|
|
Rather, it is a set of notes meant to kickstart the user on the
|
|
OpenBSD ports system.
|
|
<p>
|
|
Certainly, the OpenBSD ports system is not complete. It is doubtful it
|
|
will ever be. However, it is growing very fast and getting more stable.
|
|
Almost all ports provided with this release should build without problems
|
|
on most architectures (over 2000 packages build on i386, for instance).
|
|
<p>
|
|
The <i>ports/</i> directory represents a CVS (see the manpage for
|
|
<a href="https://man.openbsd.org/cvs.1">cvs(1)</a> if
|
|
you aren't familiar with CVS) checkout of our ports. As with our complete
|
|
source tree, our ports tree is available via anoncvs. So, in
|
|
order to keep current with it, you must make the <i>ports/</i> tree
|
|
available on a read-write medium and update the tree with a command
|
|
like:
|
|
<blockquote><pre>
|
|
# <kbd>cd [portsdir]/; cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_3_3</kbd>
|
|
</pre></blockquote>
|
|
<p>
|
|
[Of course, you must replace the local directory and server name here
|
|
with the location of your ports collection and a nearby anoncvs
|
|
server.]
|
|
<p>
|
|
Note that most ports are available as packages on our mirrors. Updated
|
|
packages for the 3.3 release will be made available if problems arise.
|
|
<p>
|
|
If you're interested in seeing a port added, would like to help out, or just
|
|
would like to know more, the mailing list
|
|
<a href="mail.html">ports@openbsd.org</a> is a good place to know.
|
|
</section>
|