Friday, February 25, 2022

Re: Updating mrouted in Base

I have not been able to keep the dvmrpd daemon running for longer
than 15 minutes, regardless of the configuration settings. On the
contrary, the mrouted daemon (v3.8 or v4.4) continually runs without
issue.

It would be great to incorporate the latest version of mrouted in base
as opposed to removing the daemon entirely. From my point of view, the
existing version of mrouted lacks the same security features as the
updated version (chroot, etc.), as does dvmrpd but both (extremely old)
applications are allowed to remain in the base installation - why
not just update to the latest version and add the necessary security
functionality in a later release? I fully understand this is easier
said than done but it would sure make at least one heavy mrouted
user happy!


On Monday, February 21st, 2022 at 11:58 AM, Theo de Raadt <deraadt@openbsd.org> wrote:

> Trace the Route trace.the.route@protonmail.com wrote:
>
> > Is it possible to include a newer version of mrouted in the base
> > installation of OpenBSD? The existing version of mrouted (v3.8) is
> > obviously quite old and lacks functionality found in newer versions.
> > For example, the existing version of mrouted is not able to bind to
> > both ends of a pair(4) interface, whereas the latest version (v4.4)
> > has no issue with this.
>
> I haven't heard of anyone using mrouted in a very long time.
>
> This is an imported daemon which has almost no maintenance or security
> work. No chroot, no pledge, no unveil -- I see no evidence of any privsep
> at all!
>
> I also don't see any serious audit/review in the commit logs.
>
> Unfortunately I suspect new code would be similarly weak. Let me
> guess, upstream calls srandom()...
