After studying unveil and pledge, I am quite confused and get more close to believe the ironic slogan that advertises: security by default . 😂

unveil and pledge are only implemented on the code level which means it’s easy to make them in your own programs (and the software that you are extremely familiar).

How about a bunch of third-party software you use daily even though they are open source? i bet none of you read through the source of the software you use.

There’s no guarantees that the software in ports are equipped with unveil and pledge.

So you can’t trust these code unless you add these system calls by your hands.

So only the software in stock (shipped with the base) are satisfied in terms of such protection — this is what they mean “ by default” , right? 😂


@mdrights security by default is not about pledge & unveil only. It is about default file system structure, OS architecture decisions, randomization, and configs that are turned on by default.

BTW, pledge/unveil are patched to many 3rd party software by openbsd team. Specially if the software is both heavily used by obsd users and is often attacked. For example firefox, chrome, or nginx, to name a few.

Aha I know.

oh cool thanks for the heads up. 💆‍♂️

Sign in to participate in the conversation

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.