Re: [PATCH RFC] Disable save-entropy in jails

From: John-Mark Gurney <jmg_at_funkthat.com>
Date: Tue, 24 Dec 2013 15:37:48 -0800
Paul Hoffman wrote this message on Tue, Dec 24, 2013 at 15:26 -0800:
> On Dec 24, 2013, at 2:53 PM, Xin Li <delphij_at_delphij.net> wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> > 
> > On 12/24/13 14:36, Paul Hoffman wrote:
> >> On Dec 24, 2013, at 12:44 PM, Xin Li <delphij_at_delphij.net> wrote:
> >> 
> >>> I think we shouldn't save entropy inside jails, as the data is
> >>> not going to be used by rc script (pjd_at_126744).  If there are no 
> >>> objections, I will commit this changeset on January 1, 2014.
> >> 
> >> Even if it is not used by an rc script, it might be used by some 
> >> userland program (running as root, of course) that knows about the 
> >> directory and wants some fresh entropy for its own use.
> > 
> > Why would a userland application want to use these?  Would you mind
> > elaborating on what kind of use that would be?
> 
> I don't have a specific application in mind, and certainly not one for a jail. However, I'm not sure what the value is in removing a feature for a jail if we don't know whether anyone is using that feature. Thus, my question.

Technically we couldn't fix any odd behavior in the system if we used
this as a test...  Oh, I don't know if anyone is depending upon this
non-standard behavior of <insert utility>, guess we can't fix it...

If someone depends upon this behavior, they probably already knew enough
about the system to figure out what went wrong in the first place...

> > My understanding is that the saved entropy is used for bootstrapping
> > the system only: any application that wants good random numbers
> > should just use /dev/random, because relying on something saved on disk
> > is the worst way for someone who wants more entropy.
> 
> Quite true. Note, however, that we don't delete the saved entropy after booting and add it just before shutdown: we leave it there for some reason. I'm not sure why a jail is so different an environment that it should be treated differently than a normal (non-jail) environment. Maybe there is a reason, but I'm not seeing it.

There is a reason to keep the file around.  If you don't shut down your
system cleanly, at least you have entropy from the last boot, instead
of a minimal amount...

> >> Is there a problem with saving the directory in jails? It
> >> certainly isn't taking up much space.
> > 
> > No, it's not about space.  What I am concerned is that it may have
> > wasted entropy: each time (every */11 minute) the system would get
> > 2048 bytes out from /dev/random per jail.  This deterministic behavior
> > may trigger reseeds earlier than wanted.
> 
> I did not understand this. What changes in the system does removing /var/db/entropy cause? (If this is answered in a longer article, a pointer to it would be useful to me (and maybe others).)

Basically we don't drain the entropy pool as quickly, leaving better
entropy in the system, and forcing an attacker to do more work
controlling external inputs to the system in order to possibly
attack the pool...

My vote to remove it.

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
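The mechanism the thread argues about, as an added illustration that is not part of the original thread and not FreeBSD's own /usr/libexec/save-entropy script: a cron-driven job that drains a fixed number of bytes from the random device into a rotated set of files, plus the jail gate Xin Li proposes. The function and variable names are constructed; the only real identifiers assumed are the security.jail.jailed sysctl (which reads 1 inside a FreeBSD jail) and the 2048-byte, every-11-minutes figures quoted above.

```shell
#!/bin/sh
# Constructed emulation of a save-entropy cron job (not FreeBSD's script).
# Shows (a) how much each run drains from the random device and (b) how a
# jail check would stop jailed instances from draining the host pool too.

ENTROPY_BYTES=2048          # bytes pulled from the random device per run (from the thread)
ENTROPY_FILES_TO_SAVE=8     # how many rotated saved-entropy.N files to keep (assumed)
RUNS_PER_DAY=144            # "*/11" cron minutes: 6 runs/hour * 24 hours

# Gate: returns success when saving should proceed, failure inside a jail.
# Takes the jailed flag as an argument so it runs on any system; on FreeBSD
# the caller would pass "$(sysctl -n security.jail.jailed)".
should_save_entropy() {
    jailed="$1"
    if [ "$jailed" = "1" ]; then
        return 1
    fi
    return 0
}

# Rotate saved-entropy.1..N up by one slot (dropping the oldest) and write a
# fresh ENTROPY_BYTES-byte file from the random source into slot 1.
save_entropy_once() {
    dir="$1"
    src="${2:-/dev/urandom}"
    mkdir -p "$dir"
    n=$ENTROPY_FILES_TO_SAVE
    while [ "$n" -gt 1 ]; do
        prev=$((n - 1))
        if [ -f "$dir/saved-entropy.$prev" ]; then
            mv "$dir/saved-entropy.$prev" "$dir/saved-entropy.$n"
        fi
        n=$prev
    done
    # This single read is the per-run drain the thread objects to.
    dd if="$src" of="$dir/saved-entropy.1" bs="$ENTROPY_BYTES" count=1 2>/dev/null
    chmod 600 "$dir/saved-entropy.1"
}

# Bytes drained from the shared random device per day when the host and
# every one of N jails all run the job on the same schedule.
daily_drain_bytes() {
    jails="$1"
    echo $(( (1 + jails) * RUNS_PER_DAY * ENTROPY_BYTES ))
}

# Usage on a FreeBSD host (constructed; not executed here):
#   if should_save_entropy "$(sysctl -n security.jail.jailed)"; then
#       save_entropy_once /var/db/entropy /dev/random
#   fi
```

With three jails the gate-less version pulls 1,179,648 bytes a day from the host's random device instead of 294,912; the jailed copies add nothing at boot because, as Xin Li notes, no rc script inside the jail ever reads them back.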
Received on Tue Dec 24 2013 - 22:38:00 UTC