Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Privilege separation for OpenBSD #57

Open
TheRealDev0 opened this issue Jan 26, 2023 · 10 comments
Open

Privilege separation for OpenBSD #57

TheRealDev0 opened this issue Jan 26, 2023 · 10 comments
Assignees
Milestone

Comments

@TheRealDev0
Copy link

Hello,

First off, thank you very much for your continued work on mrouted, it's a service that I rely on daily.

My firewall/router is running OpenBSD (7.2) and as you know, the version of mrouted included in the base install (3.8) is quite old. When I asked on the Misc mailing list about including an updated version, Theo advised that the current version did not contain the necessary security features (his reply linked below).

I am running the current version of mrouted to route multicast traffic between two routing domains (via a set of pair(4) interfaces). Version 3.8 of mrouted does not allow me to attach to both pair interfaces, whereas 4.4 does, hence the request.

Thank you for your time and consideration.

https://marc.info/?l=openbsd-misc&m=164582045627328&w=2

@troglobit
Copy link
Owner

Hi, awesome to hear there is an interest to include my restored (3.9-beta) version of mrouted in OpenBSD. To be perfectly honest, it would be an honor.

I have limited time to spend on this, but I'm willing to put in the effort as long as there are clear directions for a "definition of done", so to speak. Chroot, privsep, unveil, and using the OpenBSD arc4random() (even though it's not true random the DVMRP protocol neeeds), are definitely stuff that would not take too long to integrate into the codebase.

Curious, last time I tried porting my multicast daemons to OpenBSD they had removed the multicast stack completely. Have they reverted that, implemented a new, or was it all just one of my many nightmares? Anyway, that "notion" of mine is why I haven't done any tested for years on OpenBSD, otherwise it's my favorite BSD <3 despite my being a devout Linux user.

@troglobit troglobit self-assigned this Jan 26, 2023
@troglobit troglobit changed the title Feature request: Privilege separation for OpenBSD Privilege separation for OpenBSD Jan 26, 2023
@troglobit troglobit added this to the 4.5 milestone Jan 26, 2023
@troglobit
Copy link
Owner

I've created a new milestone, v4.5, and added this issue to it. Please let me know if you, or anyone else, is interested in helping out testing.

@TheRealDev0
Copy link
Author

That's great news, thank you very much! I am excited about this and it would be a pleasure to assist with testing.

Multicast support in the OpenBSD kernel is still supported - PIM support was removed from the kernel with the release of version 6.1: https://www.openbsd.org/plus61.html -> "Removed PIM support from the multicast stack."

@troglobit
Copy link
Owner

Ah, yeah that's probably what I mixed up with the general functionality of the mrouting stack, thanks!

Do you know if there's any interest in helping out on the dev side? I saw someone mention in the thread they didn't have "any mrouted guy", or something. It'll take me a while to get back into the rhythm of OpenBSD development and have working testbed, so any help at all would be great. Anyhow, I've put it on the whiteboard in my office, so I'll try to have a crack at it already this weekend, but I make no promises about timelines or such :-D

@TheRealDev0
Copy link
Author

The only mention of development was from Theo where he indicates that the OpenBSD team does not have an active developer for mrouted. Though I won't be much help in development department, I would be happy to assist with testing in a production environment in an attempt to take some of the burden off of you.

I completely understand that this release will take time, I just appreciate your willingness to take it on! After all, beggars can't be choosers.

@troglobit
Copy link
Owner

OK, that's fine 👍

Thank you, very appreciated! I'll read up a bit on install, set up, and best practices in the topics someday mentioned. Hope I don't miss anything too obvious.

I'll keep tot posted here. If you hear of anything in the mailing lists that may be of interest, I'm keen to learn more.

@troglobit
Copy link
Owner

Update, have a dedicated laptop set up with OpenBSD and started reading up on privsep requirements. Unfortunately I greatly underestimated the amount of work this will entail.

@TheRealDev0
Copy link
Author

Thank you very much for the update and the effort. I’m sure this will be an uphill battle but if the juice isn’t worth the squeeze, I completely understand!

@troglobit
Copy link
Owner

I maintain quite a few multicast routing daemons, four of them share the same ancestry as mrouted (forked from it). So it is definitely worth the effort, since I'll be able to reuse it, but it'll take a good chunk of (calendar) time. Sorry!

I think I'll start looking at pledge() and unveil() in the meantime, as separate issues.

@TheRealDev0
Copy link
Author

Again, thank you for the effort! I can definitely be patient.

@troglobit troglobit modified the milestones: 4.5, 5.0 Oct 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants