So, when I replace the user Linux box with OpenBSD, I won't be installing the sudo package.

The question is: Do I just let them get a "command not found"? Or do I write a little script that just tells them to knock it off?

@kurtm I am about to replace an aged and not upgradable Gentoo box for casual shell users with some FreeBSD instance as well soon
@saper Feeling nostalgic for mid-1990s UNIX? :D
I installed a FreeBSD box for my wife (she wanted to run... ventrilo?). It felt *SO* much like UNIX from the mid 90s to me.
Apparently (I think @lattera will confirm), FreeBSD's security measures are still from the mid-90s. :)
@kurtm @lattera I don't know what are the security measures from the 1990s? Ever tried things like capsicum for example? Or Mandatory Access Control?

@saper @kurtm

Capsicum is great as a capabilities framework, not as an exploit mitigation. It only works when applications explicitly integrate with it (and with a not-too-permissive set of capabilities). Additionally, some applications cannot be Capsicum-ized.

#FreeBSD is around 16 years behind the rest of the world as far as exploit mitigations are concerned. No ASLR, no W^X, no CFI, no meaningful exploit mitigations.

@kurtm @saper

Capsicum also doesn't prevent data-only attacks (nor can it).

@lattera @kurtm Of course you are right re mitigation measures, we were just complaining about UNIX multiuser model. By the way I only now CFI as a stack unwinding information feature (as in assembler directives to generate DWARF info), its application here is new to me - any pointers?
@saper If you don't know, @lattera does HardenedBSD. Basically adds the missing security to FreeBSD. If I need to run FreeBSD, I'm going to run HardenedBSD.
@kurtm @lattera needs no introduction :)
@saper @lattera Ok, good. Just realized I tagged him in and you might not know him. :)