Privilege separation for OpenBSD #57

Open
TheRealDev0 opened this issue Jan 26, 2023 · 10 comments

@TheRealDev0

Hello,

First off, thank you very much for your continued work on mrouted, it's a service that I rely on daily.

My firewall/router is running OpenBSD (7.2) and as you know, the version of mrouted included in the base install (3.8) is quite old. When I asked on the Misc mailing list about including an updated version, Theo advised that the current version did not contain the necessary security features (his reply linked below).

I am running the current version of mrouted to route multicast traffic between two routing domains (via a set of pair(4) interfaces). Version 3.8 of mrouted does not allow me to attach to both pair interfaces, whereas 4.4 does, hence the request.

Thank you for your time and consideration.

https://marc.info/?l=openbsd-misc&m=164582045627328&w=2

@troglobit
Owner

Hi, awesome to hear there is an interest to include my restored (3.9-beta) version of mrouted in OpenBSD. To be perfectly honest, it would be an honor.

I have limited time to spend on this, but I'm willing to put in the effort as long as there are clear directions for a "definition of done", so to speak. Chroot, privsep, unveil, and using the OpenBSD arc4random() (even though it's not true random the DVMRP protocol needs), are definitely stuff that would not take too long to integrate into the codebase.

Curious, last time I tried porting my multicast daemons to OpenBSD they had removed the multicast stack completely. Have they reverted that, implemented a new one, or was it all just one of my many nightmares? Anyway, that "notion" of mine is why I haven't done any testing for years on OpenBSD, otherwise it's my favorite BSD <3 despite my being a devout Linux user.

@troglobit self-assigned this Jan 26, 2023
@troglobit changed the title from "Feature request: Privilege separation for OpenBSD" to "Privilege separation for OpenBSD" Jan 26, 2023
@troglobit added this to the 4.5 milestone Jan 26, 2023
@troglobit
Owner

I've created a new milestone, v4.5, and added this issue to it. Please let me know if you, or anyone else, is interested in helping out with testing.

@TheRealDev0
Author

That's great news, thank you very much! I am excited about this and it would be a pleasure to assist with testing.

Multicast support in the OpenBSD kernel is still supported - PIM support was removed from the kernel with the release of version 6.1: https://www.openbsd.org/plus61.html -> "Removed PIM support from the multicast stack."

@troglobit
Owner

Ah, yeah that's probably what I mixed up with the general functionality of the mrouting stack, thanks!

Do you know if there's any interest in helping out on the dev side? I saw someone mention in the thread they didn't have "any mrouted guy", or something. It'll take me a while to get back into the rhythm of OpenBSD development and have a working testbed, so any help at all would be great. Anyhow, I've put it on the whiteboard in my office, so I'll try to have a crack at it already this weekend, but I make no promises about timelines or such :-D

@TheRealDev0
Author

The only mention of development was from Theo where he indicates that the OpenBSD team does not have an active developer for mrouted. Though I won't be much help in the development department, I would be happy to assist with testing in a production environment in an attempt to take some of the burden off of you.

I completely understand that this release will take time, I just appreciate your willingness to take it on! After all, beggars can't be choosers.

@troglobit
Owner

OK, that's fine 👍

Thank you, very appreciated! I'll read up a bit on install, set up, and best practices in the topics someday mentioned. Hope I don't miss anything too obvious.

I'll keep you posted here. If you hear of anything in the mailing lists that may be of interest, I'm keen to learn more.

@troglobit
Owner

Update, have a dedicated laptop set up with OpenBSD and started reading up on privsep requirements. Unfortunately I greatly underestimated the amount of work this will entail.

@TheRealDev0
Author

Thank you very much for the update and the effort. I’m sure this will be an uphill battle but if the juice isn’t worth the squeeze, I completely understand!

@troglobit
Owner

I maintain quite a few multicast routing daemons, four of them share the same ancestry as mrouted (forked from it). So it is definitely worth the effort, since I'll be able to reuse it, but it'll take a good chunk of (calendar) time. Sorry!

I think I'll start looking at pledge() and unveil() in the meantime, as separate issues.

@TheRealDev0
Author

Again, thank you for the effort! I can definitely be patient.
