Re: /dev/random nitpicking

From: Jesse Pollard (pollard@tomcat.admin.navo.hpc.mil)
Date: Fri Jun 02 2000 - 12:33:24 EST


Sandy Harris <sandy@storm.ca>:
>
> The source has:
>
> /*
> * random.c -- A strong random number generator
> *
> * Version 1.89, last modified 19-Sep-99
> [snip]
> * Ensuring unpredictability at system startup
> * ============================================
> *
> * ... put the
> * following lines an appropriate script which is run during the boot
> * sequence:
> *
> * echo "Initializing random number generator..."
> * random_seed=/var/run/random-seed
> * # Carry a random seed from start-up to start-up
> * # Load and then save 512 bytes, which is the size of the entropy pool
> * if [ -f $random_seed ]; then
> * cat $random_seed >/dev/urandom
> * fi
> * dd if=/dev/urandom of=$random_seed count=1
> * chmod 600 $random_seed
> *
> * and the following lines in an appropriate script which is run as
> * the system is shutdown:
> *
> * # Carry a random seed from shut-down to start-up
> * # Save 512 bytes, which is the size of the entropy pool
> * echo "Saving random seed..."
> * random_seed=/var/run/random-seed
> * dd if=/dev/urandom of=$random_seed count=1
> * chmod 600 $random_seed
>
> Why create the file with dd and then chmod it? If instead we set umask
> before the dd, the file never has insecure permissions.
>
> Could a non-root user actually exploit this to get the seed? Methinks
> it is impossible at boot time. He cannot run anything soon enough to
> exploit this unless he can put a trojan in some process which the boot
> scripts run. If he can do that, he doesn't need this attack.
>
> At shutdown, I'm less certain. Are all user processes (even nasty ones
> written to disobey rules and trap all signals they can) definitely dead
> by the time this runs? If not, the attacker just needs one that loops
> doing fopen("/var/run/random-seed", "r") until it succeeds.

Actually no - At first boot (when the file might not exist) the file is
created, then protected. On shutdown, the file is updated, but the
file permissions are not changed. On the following boot, the file already
exists and is protected; the contents are copied to /dev/urandom, then the
file is updated.

The only change I would suggest is:

        echo "Initializing random number generator..."
        random_seed=/var/run/random-seed
        # carry a random seed from start-up to start-up
        # Load and then save 512 bytes, which is the size of the entropy pool
        if [ -f $random_seed ]; then
            cat $random_seed >/dev/urandom
        else
            touch $random_seed
            chmod 600 $random_seed
        fi
        dd if=/dev/urandom of=$random_seed count=1

This way the unprotected file has a zero length when created. It is then
protected, then the file updated. It is even equivalent if the "chmod" is
moved to just before the "dd" command, but after the "fi".

In both cases the file is updated - why? If there is a crash and a reboot then
the seed will be different than that in the previous boot.

The shutdown case is simple too:

        echo "Saving random seed..."
        random_seed=/var/run/random-seed
        touch $random_seed
        chmod 600 $random_seed
        dd if=/dev/urandom of=$random_seed count=1

The touch would only update the access time on the file if the file exists.
If the file doesn't exist, then it creates it with a zero length.

Now the file is protected; then updated.

Even if a non-root user managed to capture the file the contents would be
empty. All other times, the file is protected.
-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil

Any opinions expressed are solely my own.
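An added example, not code from this thread or from random.c: a POSIX sh version of the save and load steps that takes the umask approach raised earlier in the thread, so the seed file is 0600 from the instant it is created rather than created and then chmod'ed, and that writes the new seed to a temporary name and renames it into place so a crash mid-write never leaves a short or empty seed behind. The 512-byte size is the pool size quoted from the random.c comment. The optional second argument of load_random_seed (the device to feed, defaulting to /dev/urandom) and the seed_perms_ok helper are assumptions added here so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the thread. Usage in boot/shutdown scripts:
#   load_random_seed /var/run/random-seed     # boot: mix old seed in
#   save_random_seed /var/run/random-seed     # boot and shutdown: new seed
# Defensive points: no window with a world-readable seed file, no partial
# seed published on crash, and a size check before the file is published.

POOL_BYTES=512   # entropy pool size quoted from the random.c comment

# save_random_seed FILE
# Writes POOL_BYTES from /dev/urandom to FILE with mode 0600 from creation.
# Returns non-zero (and leaves no temp file) on any failure.
save_random_seed() {
    seed="$1"
    tmp="$seed.tmp.$$"
    (
        umask 077    # files created in this subshell are 0600 at birth
        dd if=/dev/urandom of="$tmp" bs="$POOL_BYTES" count=1 2>/dev/null
    ) || { rm -f "$tmp"; return 1; }
    # Never publish a short read as a seed: verify the size first.
    if [ "$(wc -c < "$tmp" | tr -d ' ')" -ne "$POOL_BYTES" ]; then
        rm -f "$tmp"
        return 1
    fi
    # rename(2) within one directory is atomic: readers see either the old
    # complete seed or the new complete seed, never a half-written one.
    mv -f "$tmp" "$seed"
}

# load_random_seed FILE [DEVICE]
# Feeds FILE into DEVICE (default /dev/urandom, as in the thread) if FILE
# is a regular file. A missing seed is not an error (first boot).
# The DEVICE parameter is an assumption added for offline testing.
load_random_seed() {
    seed="$1"
    dev="${2:-/dev/urandom}"
    if [ -f "$seed" ]; then
        cat "$seed" > "$dev" || return 1
    fi
    return 0
}

# seed_perms_ok FILE
# Returns 0 when FILE is a regular file readable and writable by its owner
# only (-rw-------). Uses ls rather than stat for portability across
# GNU and BSD userlands. Assumed helper, not from the thread.
seed_perms_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}
```

The script relies on the subshell to scope `umask 077`, so the caller's umask is untouched; the temp file inherits the 0600 mode through the rename, which is what removes the create-then-chmod gap the thread is discussing.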
