April 21, 2006

Using OpenBSD on the desktop

Author: Manolis Tzanidakis

Over the years, OpenBSD has built a reputation for integrated security and reliability, but most people think of it as an operating system suitable only for firewalls and servers. The truth is that OpenBSD also works well as a desktop system; in fact, I use it on an IBM ThinkPad R50e notebook as my main system.

The clear advantage of OpenBSD over other operating systems is the security it offers. The basic philosophy of the project is that security comes as a result of clean, correct code design. A quick search of the BUGTRAQ mailing list archive shows that bugs found in programs do not affect OpenBSD or were already fixed. Of course, given some work by users, security can also be improved on other operating systems, but OpenBSD is "secure by default"; no remote-listening daemons are enabled, and features such as ProPolice and the new mmap-based malloc function (introduced in version 3.8) ensure that your system is protected from as-yet-undiscovered software bugs and zero-day exploits. The Internet is not a safe place and lots of people want to crack our systems for fun or profit, so it's better to be protected as well as we can.

OpenBSD's clean code and design also provide rock-solid stability. I used to have lots of problems and crashes with new versions of Linux (kernel 2.6.x) and FreeBSD (versions 5.x and 6.x). The main focus of OpenBSD developers is to provide programs that work efficiently, so they prefer to improve their code rather than just add more new features and end up with a bloated and unstable product.

OpenBSD supports a wide range of hardware -- check the official supported platforms list and this unofficial site to find out whether your hardware is supported. OpenBSD is ideal for older hardware too. Man pages of device drivers also list supported hardware; for instance, the ath man page has a list of specific vendors and models of wireless network adapters based on Atheros chips. If you carefully select your hardware you should have no trouble, since all supported hardware works out of the box on the default installation.

Installing and configuring OpenBSD is not as difficult as you might think. It's like setting up a GNU/Linux distribution that lacks graphical configuration tools, such as Slackware or Gentoo. An experienced Linux user should feel right at home, and an inexperienced one should not have any difficulties after reading the installation guide. One significant feature of OpenBSD is the documentation; every part of the OS (both kernel and userland) has a man page and the FAQ is quite helpful, especially for new users.

OpenBSD ships X.Org packaged as x*.tgz installation sets. If you don't select them during the initial installation, you can easily install X afterwards by unpacking the tarballs in / with a command like for i in x*.tgz; do tar -zxvpf "$i" -C /; done. The supplied /usr/X11R6/README file includes instructions on how to set up required kernel parameters and create a configuration file for your system.

The only problem with X is that OpenBSD has no 3D acceleration (DRI) support, which means you can't play games that require it. However, this is a good compromise between functionality and security; for more information check this post by OpenBSD project leader Theo de Raadt on the openbsd-misc mailing list.

OpenBSD uses the ports system (a source-based system similar to Gentoo's Portage) for installing third-party applications. Installing an application from ports is simple -- just unpack the ports collection tarball, ports.tar.gz, from the installation CD-ROM or an FTP mirror into /usr by issuing tar -zxvpf ports.tar.gz -C /usr, then switch to the directory of the application you want to install and run make install clean. Ports will download the source code package, apply any required patches, compile, and install the application along with its dependencies automatically. OpenBSD also offers pre-built packages for most ports, which can be installed easily using a command like pkg_add pkgname. For more information about ports and packages you should read their man pages and chapter 15 of the project's FAQ.

Third-party applications in ports are not extensively audited for security flaws, so I'd suggest building applications as a non-root user and using sudo for the parts that require root privileges, such as the installation phase. To allow non-root users to build ports, change the group of the ports directory to wsrc with the command chgrp -R wsrc /usr/ports, and allow write access to members of that group by issuing chmod -R g+w /usr/ports. After that, add your non-root user to the wsrc and wheel groups with usermod -G wsrc,wheel username, run visudo to edit the sudoers file and uncomment (remove the # character) the line #%wheel ALL=(ALL) ALL. Instruct ports to use sudo for installing packages by issuing echo 'SUDO=/usr/bin/sudo' >> /etc/mk.conf. All these commands must be run by root.

To further improve security you can use systrace to force the build procedure to stay inside allowed directories, and prohibit writing in illegal places, thereby reducing the risk of a damaged system. Just run echo 'USE_SYSTRACE=Yes' >> /etc/mk.conf as root to enable it. This adds about 20% overhead to build times, but, in my opinion, it's worth it.
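A check for the setup described in the two paragraphs above, as an added example that is not part of the original article: it writes the mk.conf settings without duplicating them on a rerun, then reports files in the ports tree that are outside the build group, lack group write, or are world-writable. The function names are hypothetical; the directory, group and mk.conf path are passed as arguments.

```sh
#!/bin/sh
# Added example (not from the article). Function names are hypothetical.

# Append LINE to FILE only if that exact line is absent, so rerunning the
# setup does not stack duplicates the way a bare `echo ... >>` does.
mkconf_set() {
    file=$1 line=$2
    grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# List paths under DIR that are not in GROUP, lack group write (020),
# or are world-writable (002). Symlinks are skipped.
ports_tree_problems() {
    dir=$1 group=$2
    find "$dir" ! -type l \( ! -group "$group" -o ! -perm -020 -o -perm -002 \) -print
}

# Return 0 if the tree and mk.conf match the article's setup, 1 otherwise.
check_ports_setup() {
    dir=$1 group=$2 mkconf=$3 rc=0
    bad=$(ports_tree_problems "$dir" "$group")
    if [ -n "$bad" ]; then
        printf 'wrong group or mode:\n%s\n' "$bad"
        rc=1
    fi
    for want in 'SUDO=/usr/bin/sudo' 'USE_SYSTRACE=Yes'; do
        if ! grep -qxF -- "$want" "$mkconf" 2>/dev/null; then
            printf 'missing in %s: %s\n' "$mkconf" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Typical use, as root, with the paths and group named in the article:
#   mkconf_set /etc/mk.conf 'SUDO=/usr/bin/sudo'
#   mkconf_set /etc/mk.conf 'USE_SYSTRACE=Yes'
#   check_ports_setup /usr/ports wsrc /etc/mk.conf
```

The world-writable test matters because chmod -R g+w only adds group write; it does not remove write access for others that a file in the tree may already carry.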

OpenBSD offers a broad selection of window managers. Both KDE and GNOME are available, along with other popular window managers such as Xfce, FVWM, and Fluxbox.

You also have a choice of Web browsers. Firefox is available, but installing Java and Flash Player plugins for it is not an easy task. The Java plugin is part of the Java Development Kit (JDK). Because of Sun's restrictive SCSL license, pre-built JDK binary packages cannot be shipped by OpenBSD, so you must build them from ports -- a time-consuming process. It took about six hours to finish on my 1.5GHz notebook with 512MB RAM, and required almost 2GB of disk space.

By contrast, Adobe distributes the Flash Player plugin only in binary form for Linux, and offers no native OpenBSD version. Luckily, OpenBSD supports running Linux binaries under emulation without noticeable speed loss. However, Linux shared libraries and modules cannot be used with OpenBSD executables, so to use Flash Player you will need a browser built for Linux as well. If you prefer an alternative to Firefox (for which a Linux version is of course available), Opera and a Flash plugin for Opera are available in ports, though they cannot be distributed as packages for licensing reasons. You can install them by running make install clean from their directories in ports.

For more information about Java and Flash you should check the OpenBSD FAQ, which also has instructions on how to build JDK.

OpenOffice.org does not have a native port for OpenBSD either, but it runs perfectly under Linux emulation. Check this site for instructions and this one for unofficial OOo ports and packages. For an explanation of the lack of a native port you should check the slides from the recent Hackathon in Venice. Other office applications, such as Abiword and Gnumeric, work without problems.

OpenBSD supports printing through the supplied spooler daemon, lpd, or by installing CUPS, the spooler most GNU/Linux distributions use by default. I had no problems printing on my Hewlett-Packard Deskjet 3940 printer. I installed CUPS on my system using the pre-built package, followed the instructions on the install message on how to replace the supplied lpd spooler with cupsd, and finally configured my printer using the CUPS lpadmin tool.

Most multimedia applications available for Linux are ported to OpenBSD. I use XMMS for audio playback, abcde for converting my audio CDs to Ogg/Vorbis, the GIMP and ImageMagick for image editing, Audacity and SoX for audio processing, and MPlayer for video playback and encoding. I installed all these applications from packages, except for MPlayer, whose build I chose to optimize for better performance, especially for encoding with mencoder. In order to optimize it on i386 machines, switch to the x11/mplayer directory in your ports base (usually /usr/ports), open Makefile with your favorite editor, find the line --enable-runtime-cpudetection and replace it with --disable-runtime-cpudetection. Then run:

export CFLAGS="-march=CPU_ARCH -O3 -fomit-frame-pointer -ffast-math"
make install clean
unset CFLAGS

replacing CPU_ARCH with your CPU type -- for example, pentium3 or athlon. The aforementioned CFLAGS may cause stability problems on MPlayer -- although they work fine for me -- so if you find any problems, try to reproduce them using the pre-built package before sending any bug reports. Invoke pkg_info mplayer | less for instructions on how to enable playback of proprietary formats, including RealAudio and WMV -- with Win32 codecs on i386 systems.

OpenBSD doesn't support FireWire devices, so you can't use it to import video from a digital video camcorder.

For more information on multimedia -- how to configure your sound card, play audio CDs, and burn CDs and DVDs -- read chapter 13 of the FAQ.

OpenBSD's clean design and remarkable stability, along with its proactive security, not only make OpenBSD a potential candidate for home desktop users but also every system administrator's dream come true for business environments.
