Today we want to thank the #FreeBSD core team for all their hard work and contributions.
Our favorite OS wouldn't be what it is today without their work.
Thank you!
So this is where my peeps at!
Hello everyone, my name is Børge and I am happy to get back into the BSD world, though only for personal projects for now.
I was a sysadmin for a small telco a while ago and we used Solaris/SPARC and FreeBSD/i386 for our servers, while I tried my hand at OpenBSD for my personal server. The network was all Cisco at the beginning, with some Juniper equipment for peering at the end but I did not get any experience with those unfortunately. I do have a certificate in SS7 somewhere, the signaling protocol telcos use for voice calls, but have forgotten pretty much all of it.
These days work is "cloud everything", which all seems to be based on Linux-something.
Reminiscing about "the good, old days", I wondered if I could run a BSD server anywhere to tap into my sysadmin background a little, or if I would have to use some Linux distribution.
Searching for BSD hosting providers, I am very happy I discovered #OpenBSDAms which I use for OpenBSD hosting (obviously).
Then I came across #BoxyBSD where I was lucky enough to get a FreeBSD instance.
Last but not least I came across a cheap VPS provider where I could run NetBSD. I don't mention the provider because I'm not sure I can recommend them yet.
I've been on Mastodon a little while, mostly reading as there is so much of interest to find here, though also because I'm quite shy, but hope to maybe post something about what I do now and then.
I really like all the *BSDs, they just do things in a way that seems sensible to me, so being here feels a lot like coming home.
So that's a little about me. #introduction
How are you?
New @bsdcan video posted:
Controlled credentials transitions without privileges: mac_do(4), mdo(1) and setcred(2) by Olivier Certner
In this talk, we will present a project that aims at allowing controlled process credentials transitions without using setuid executables but instead leveraging FreeBSD's MAC framework.
Traditional credentials-changing programs, such as sudo(8), have a non-negligible attack surface as they often include a lot of infrequently used features and mechanisms that can be dangerous from a security standpoint (e.g., loadable modules). As these programs have to run as 'root', compromising them can have catastrophic consequences.
The mac_do(4) kernel module has been introduced to allow unprivileged processes to change credentials, provided the requested changes are explicitly allowed by rules set by an administrator. It has recently undergone major changes. First, thanks to a redesign of rules, it is now possible to specify full sets of user and group IDs that must be present or absent in the final credentials for a transition to be accepted. Second, each jail can be configured with a different set of rules, allowing different transitions to be allowed as needed, or to inherit from the parent jail.
We will describe how mac_do(4)'s credentials rules work, what the role of the mdo(1) companion program is, and what you can do with them in practice.
We will also touch on some aspects of the implementation, notably why we needed to introduce the new setcred(2) system call, which allows changing all process credentials in a single call, and possibly those that are related to the use of some of FreeBSD's kernel sub-systems (notably, sysctl, jails and OSD).
While the current implementation is of production quality and immediately useful, there are lots of possible ways to extend it to cover more scenarios and to progress towards our ideal of having all credentials-changing programs work without the setuid bit. We will present them in the hope of getting feedback.
A Self-hosted, BSD-native Gemini Protocol Server Stack - by @rqm@exquisite.social - @rqm@journal.bsd.cafe
For those who are adventurous enough to explore the non-http corners of the Internet, the Gemini protocol is a delightful experience to use. It has been around a number of years, making the biggest bang around the time when discontent with the web’s general demise started to reach current heights (so maybe around 2022).
https://journal.bsd.cafe/2025/07/22/a-self-hosted-bsd-native-gemini-protocol-server-stack/
WordPress on FreeBSD with BastilleBSD: A Secure Alternative to Linux/Docker
Tired of the Linux/Docker “monoculture” for WordPress? This article guides you step-by-step through the secure installation of WordPress on FreeBSD using @BastilleBSD
Discover how jail separation, performance, and the versatility of ZFS offer a more robust and easily manageable environment, far from common vulnerabilities often linked to poorly maintained plugins. Get ready to make your site more secure and reliable.
Hey, yeah, so I installed the fluffy firewall on my router... you said what? Puffy?