September 2003
Book Review: Absolute OpenBSD
By Cameron Laird
Absolute OpenBSD
UNIX for the Practical Paranoid
by Michael W. Lucas
No Starch Press, July 2003
ISBN 1-886411-99-9
528 pages, $39.95
 |
I recommend Absolute OpenBSD to all programmers and administrators working with the OpenBSD operating system (OS), or considering it. That's quite a lot of people; in fact, there are a lot of organizations that need OpenBSD, but don't yet realize it.
OpenBSD packages a unique combination of security and usability. While I don't agree with Absolute OpenBSD's back cover when it gushes that "OpenBSD is the most secure operating system in the world" — I can make arguments for Multics, QNX, OS/400, Plan 9, and more — there's no denying that OpenBSD's security profile is far stronger than that of any of its direct competitors, certainly more "than any variety of Linux or Windows." The United States Department of Defense and National Security Agency, among other security-conscious actors, have a considerable stake in OpenBSD.
Simple story
The essential OpenBSD story is a simple one — if you want POSIX compatibility and a programming and administration model that's like other Unixes, and you want the most secure computing available, you choose OpenBSD. If you have or might have OpenBSD, you need a copy of Absolute OpenBSD to help understand what you're doing. No other mainstream operating system focuses on security as OpenBSD does, and no other book has Absolute OpenBSD's concentration on OpenBSD.
I don't recommend Absolute OpenBSD merely by default, as the only OpenBSD-oriented book available. It's well written, independently of the uniqueness of its subject — it's accurate (to this point, I've found no errors beyond obvious typographical ones), well-informed, and broad. It does a good job of instructing the reader in how to work with OpenBSD.
At the same time, Absolute OpenBSD disappoints me — it's no more than "good". I think it misses, a bit, in both tone and topic.
Picking a fight?
It surprises me to criticize the tone. One of the most important contributions books make is to teach readers how to think about a subject, or, more idiomatically, about its culture. While Absolute OpenBSD author Michael W. Lucas is more celebrated for his FreeBSD achievements, he certainly knows the related OpenBSD world well, and he accurately conveys "the OpenBSD way" throughout his book.
What's not to like about that? For my taste, Lucas' acculturation efforts are excessive; he "goes overboard". The subtitle that appears on the front cover — UNIX for the Practical Paranoid — isn't just clever and apt. It's also pugnacious and cute to a distracting degree, a degree repeated by many of the chapters of the book.
The author's exactly right, for example, when he starts Chapter 12 on "Building Custom Kernels" with an explanation of how kernel customization is regarded differently among OpenBSDers than among, say, Linux adepts. It's important to understand this difference. For me, though, Lucas overdoes the point. Too much energy goes to catty remarks about Microsoft and defenses of the behavior of the OpenBSD elite. However much the facts justify them, these personal comments read to me more as self-indulgence than the technical depth and engineering insight I want from a book like Absolute OpenBSD.
At the same time, the frustration the book leaves testifies to its value — Lucas' descriptions are interesting and informative, and I just want more. There are two kinds of limits in his material that I wish he'd "pushed back" farther. First, the whole reason for OpenBSD is security, or, more broadly, reliability. Absolute OpenBSD could go even farther in detailing OpenBSD's unique security capabilities. One of the best aspects of the book, for instance, is the three concluding chapters on "packet filter" (PF), a powerful networking facility built into the OpenBSD kernel. The OS has lots of other strengths, though, and I think Absolute OpenBSD would be a better book if Lucas had expanded his treatment of such subjects as setuid reduction, ProPolice, the protected stack, W^X, PROT_purity, cryptographic hardware, daemon cleanup, and ALTQ beyond the paragraph or two they average. His treatment of systrace is a model — certainly not as long as what he does for PF, but deep enough to be precise and useful.
Absolute OpenBSD also misses out on the opportunity to give a sense of how it feels to run OpenBSD as a "desktop". The book is relentlessly serious in treating OpenBSD as a "server" platform. In fact, though, OpenBSD makes for an interesting and thoroughly practical primary desktop. While I can understand Lucas' decision to regard desktop use as a specialized pursuit he'd rather avoid, I'm certain many of his readers will want to know more about desktop applications and hardware than Absolute OpenBSD gives them.
If you want to learn what OpenBSD can do in your data center, or how to get more from an existing OpenBSD installation, buy your own copy of Absolute OpenBSD. The book covers all the OpenBSD essentials — the ports-and-packages system, secure system administration, host configuration, and more — and does so more readably than the available online documentation. Absolute OpenBSD doesn't have everything I want; it has more than enough, though, that I'm holding onto my copy.
Vice president of Phaseit, Inc., Cameron Laird frequently reviews books for UnixReview, and co-authors the monthly "Regular Expressions" column.