[Adding Cc: Dag-Erling Smørgrav who committed r273957 which seems to have introduced this] On Sat, Jan 21, 2017 at 01:21:42AM +0000, Lu Tung-Pin wrote: > A 2014 change broke the umask handling in /etc/rc.d/random, > leaving /entropy with ug+r permissions. Quick fix attached, > mirroring random_stop() behavior. > (Incidentally, /usr/libexec/save-entropy is still fine for > /var/db/entropy/*, as is /etc/rc.d/random for the new > /boot/entropy.) > --- /etc/rc.d/random.old 2017-01-21 11:48:30.975009000 +1100 > +++ /etc/rc.d/random 2017-01-19 18:04:34.224632000 +1100 > _at__at_ -20,12 +20,15 _at__at_ > > save_dev_random() > { > + oumask=`umask` > + umask 077 > for f ; do > if :>>"$f" ; then > debug "saving entropy to $f" > dd if=/dev/random of="$f" bs=4096 count=1 2>/dev/null > fi > done > + umask ${oumask} > } > > feed_dev_random() Switching the umask here will avoid incorrect permissions on /entropy on new installations, but will not fix existing systems. A chmod command may be useful here. On another note, if :>>"$f" is bogus. Since : is a special builtin, a redirection error causes the shell to abort the script. The conditional seems to have been added to show error messages when the entropy file cannot be written without showing dd's statistics. I think this can be done more easily using dd's status=none parameter. My revised patch is below: Index: etc/rc.d/random =================================================================== --- etc/rc.d/random (revision 311446) +++ etc/rc.d/random (working copy) _at__at_ -20,12 +20,14 _at__at_ save_dev_random() { + oumask=`umask` + umask 077 for f ; do - if :>>"$f" ; then - debug "saving entropy to $f" - dd if=/dev/random of="$f" bs=4096 count=1 2>/dev/null - fi + debug "saving entropy to $f" + dd if=/dev/random of="$f" bs=4096 count=1 status=none && + chmod 600 "$f" done + umask ${oumask} } feed_dev_random() -- Jilles TjoelkerReceived on Sat Jan 21 2017 - 21:01:39 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:09 UTC