1. 23

  2. 2

    OpenBSD has a well deserved reputation for security of the base system. However, Firefox’s sandbox doesn’t have any support for sandboxing on OpenBSD, as far as I’m aware, neither does Chromium. This seems like it makes OpenBSD a pretty bad choice if your goal is a secure desktop environment.

    1. [Comment removed by author]

      1. 4

        I didn’t realize that OpenBSD maintained patches to add pledge support, that does indeed improve the situation substantially.

        1. 1

          FreeBSD and NetBSD have neither

          NetBSD does have W^X and once 8.0 is released, it will be a default. However, it doesn’t work for firefox.

          It lacks custom sandboxing from firefox, but security-conscious people run firefox as another user in a chroot and use Xnest/Xephyr.

        2. 3

          It would be nice to find a “security-first”-minded OS that would go so far as to take responsibility for an included fully-featured web browser.

          I dream of the day a ports inclusion criteria is to meet some reasonable security auditing standard.

          1. 1

            I wonder if there is a way to “translate” seccomp into pledge…