Re: [PATCH RFC] Disable save-entropy in jails

From: Xin Li <delphij_at_delphij.net>
Date: Tue, 24 Dec 2013 14:53:25 -0800

On 12/24/13 14:36, Paul Hoffman wrote:
> On Dec 24, 2013, at 12:44 PM, Xin Li <delphij_at_delphij.net> wrote:
> 
>> I think we shouldn't save entropy inside jails, as the data is
>> not going to be used by the rc script (pjd_at_126744).  If there are no
>> objections, I will commit this changeset on January 1, 2014.
> 
> Even if it is not used by an rc script, it might be used by some 
> userland program (running as root, of course) that knows about the 
> directory and wants some fresh entropy for its own use.

Why would a userland application want to use these?  Would you mind
elaborating on what kind of use that would be?

My understanding is that the saved entropy is used for bootstrapping
the system only: any application that wants good random numbers
should just use /dev/random because relying on something saved on disk
is the worst way for someone who wants more entropy.

> Is there a problem with saving the directory in jails? It
> certainly isn't taking up much space.

No, it's not about space.  What I am concerned about is that it may have
wasted entropy: each time (every */11 minute) the system would get
2048 bytes out from /dev/random per jail.  This deterministic behavior
may trigger reseeds earlier than wanted.

Cheers,
-- 
Xin LI <delphij_at_delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die
Received on Tue Dec 24 2013 - 21:53:26 UTC