Module Name:    src
Committed By:   riastradh
Date:           Wed May  6 18:49:26 UTC 2020

Modified Files:
        src/etc/rc.d: random_seed
        src/sbin/rndctl: rndctl.8 rndctl.c

Log Message:
Tweak logic to decide whether a medium is safe for an rndseed.

- Teach rndctl to load the seed, but treat it as zero entropy, if the
  medium is read-only or if the update fails.
- Teach rndctl to accept `-i' flag instructing it to ignore the entropy
  estimate in the seed.
- Teach /etc/rc.d/random_seed to:
  (a) assume nonlocal file systems are unsafe, and use -i, but
  (b) assume / is safe, even if it is nonlocal.
  If the medium is nonwritable, leave it to rndctl to detect that.

(Could use statvfs and check for ST_LOCAL in rndctl, I guess, but I
already implemented it this way.)

Treating nonlocal / as safe is a compromise: it's up to the operator to
secure the network for (e.g.) nfs mounts, but that's true whether we're
talking entropy or not -- if the adversary has access to the network
that you've mounted / from, they can do a lot more damage anyway; this
reduces warning fatigue for diskless systems, e.g. test racks.

To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 src/etc/rc.d/random_seed
cvs rdiff -u -r1.23 -r1.24 src/sbin/rndctl/rndctl.8
cvs rdiff -u -r1.33 -r1.34 src/sbin/rndctl/rndctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.