* [Buildroot] [PATCH] system/permissions: /etc/random-seed must be mode 600
@ 2014-11-20 21:08 Gustavo Zacarias
2014-11-20 21:27 ` Jérôme Pouiller
2014-11-25 21:38 ` Peter Korsgaard
0 siblings, 2 replies; 5+ messages in thread
From: Gustavo Zacarias @ 2014-11-20 21:08 UTC (permalink / raw)
To: buildroot
Otherwise it's a big security risk.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
system/device_table.txt | 1 +
1 file changed, 1 insertion(+)
diff --git a/system/device_table.txt b/system/device_table.txt
index e15412d..8e7dbd2 100644
--- a/system/device_table.txt
+++ b/system/device_table.txt
@@ -11,6 +11,7 @@
/etc d 755 0 0 - - - - -
/root d 700 0 0 - - - - -
/var/www d 755 33 33 - - - - -
+/etc/random-seed f 600 0 0 - - - - -
/etc/shadow f 600 0 0 - - - - -
/etc/passwd f 644 0 0 - - - - -
/etc/network/if-up.d d 755 0 0 - - - - -
--
2.0.4
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH] system/permissions: /etc/random-seed must be mode 600
2014-11-20 21:08 [Buildroot] [PATCH] system/permissions: /etc/random-seed must be mode 600 Gustavo Zacarias
@ 2014-11-20 21:27 ` Jérôme Pouiller
2014-11-20 21:29 ` Peter Korsgaard
2014-11-20 21:58 ` Gustavo Zacarias
2014-11-25 21:38 ` Peter Korsgaard
1 sibling, 2 replies; 5+ messages in thread
From: Jérôme Pouiller @ 2014-11-20 21:27 UTC (permalink / raw)
To: buildroot
On Thursday 20 November 2014 18:08:14 Gustavo Zacarias wrote:
> Otherwise it's a big security risk.
>
> Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
> ---
> system/device_table.txt | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/system/device_table.txt b/system/device_table.txt
> index e15412d..8e7dbd2 100644
> --- a/system/device_table.txt
> +++ b/system/device_table.txt
> @@ -11,6 +11,7 @@
> /etc d 755 0 0 - - - - -
> /root d 700 0 0 - - - - -
> /var/www d 755 33 33 - - - - -
> +/etc/random-seed f 600 0 0 - - - - -
Just curiosity, does it make sense to provide a random seed? I mean, it is not
very random, is it?
--
J?r?me Pouiller, Sysmic
Embedded Linux specialist
http://www.sysmic.fr
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH] system/permissions: /etc/random-seed must be mode 600
2014-11-20 21:27 ` Jérôme Pouiller
@ 2014-11-20 21:29 ` Peter Korsgaard
2014-11-20 21:58 ` Gustavo Zacarias
1 sibling, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2014-11-20 21:29 UTC (permalink / raw)
To: buildroot
>>>>> "J?r?me" == J?r?me Pouiller <jezz@sysmic.org> writes:
> On Thursday 20 November 2014 18:08:14 Gustavo Zacarias wrote:
>> Otherwise it's a big security risk.
>>
>> Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
>> ---
>> system/device_table.txt | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/system/device_table.txt b/system/device_table.txt
>> index e15412d..8e7dbd2 100644
>> --- a/system/device_table.txt
>> +++ b/system/device_table.txt
>> @@ -11,6 +11,7 @@
>> /etc d 755 0 0 - - - - -
>> /root d 700 0 0 - - - - -
>> /var/www d 755 33 33 - - - - -
>> +/etc/random-seed f 600 0 0 - - - - -
> Just curiosity, does it make sense to provide a random seed? I mean, it is not
> very random, is it?
Indeed. My thoughts exactly. Gustavoz?
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH] system/permissions: /etc/random-seed must be mode 600
2014-11-20 21:27 ` Jérôme Pouiller
2014-11-20 21:29 ` Peter Korsgaard
@ 2014-11-20 21:58 ` Gustavo Zacarias
1 sibling, 0 replies; 5+ messages in thread
From: Gustavo Zacarias @ 2014-11-20 21:58 UTC (permalink / raw)
To: buildroot
On 11/20/2014 06:27 PM, J?r?me Pouiller wrote:
> Just curiosity, does it make sense to provide a random seed? I mean, it is not
> very random, is it?
I have another patch that creates random-seed at build-time that i'm
testing.
That's not too good either since it's fixed "per firmware image" so to
speak, but at least it's better than an easily downloadable fixed seed
from many mirrors :)
The problem with mode 744 (currently) is that anyone can read the seed,
which as we know is fixed for now, but they can also read the evolved
seed too _IF_ the box/device shutdowns properly.
I guess it's time to write some best practices documentation, in this
aspect we can't cover for all the varying possibilities i'm afraid.
Ideally a separate partition/eeprom would contain the seed so as to make
it unique to each device and firmware-independant.
And no, using the device MAC address/serial number for this isn't that
good :)
Regards.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH] system/permissions: /etc/random-seed must be mode 600
2014-11-20 21:08 [Buildroot] [PATCH] system/permissions: /etc/random-seed must be mode 600 Gustavo Zacarias
2014-11-20 21:27 ` Jérôme Pouiller
@ 2014-11-25 21:38 ` Peter Korsgaard
1 sibling, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2014-11-25 21:38 UTC (permalink / raw)
To: buildroot
>>>>> "Gustavo" == Gustavo Zacarias <gustavo@zacarias.com.ar> writes:
> Otherwise it's a big security risk.
> Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
While I think we should rework the random-seed handling, that will be
post-2014.11 - So committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2014-11-25 21:38 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-11-20 21:08 [Buildroot] [PATCH] system/permissions: /etc/random-seed must be mode 600 Gustavo Zacarias
2014-11-20 21:27 ` Jérôme Pouiller
2014-11-20 21:29 ` Peter Korsgaard
2014-11-20 21:58 ` Gustavo Zacarias
2014-11-25 21:38 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox