reopen 332970
tags 332970 - security
retitle 332970 Permissions of /dev/random and /dev/urandom should match
severity 332970 minor
clone 332970 -1
reassign -1 makedev
thanks

Marco d'Itri wrote:
> On Oct 09, Josh Triplett <[EMAIL PROTECTED]> wrote:
>>The write operations of random and urandom are the same. In both cases,
>>they allow adding data to the entropy pool. The permissions of both
>>devices should be 0644. Security tag added since this could
>>theoretically allow any user to control the generation of random numbers
>>for all users.
>
> I am using the same permissions of /sbin/MAKEDEV and of the SuSE, Red
> Hat and Gentoo packages. If you still believe that they should be
> changed please provide a rationale from authoritative sources (like the
> kernel driver maintainers).

Ah; I checked for similar bug reports on udev, but not on makedev. Checking makedev bug reports reveals bug 81748, containing a full rationale from Ted Ts'o on why a world-writable random device is safe; the correct permissions on the random devices are indeed 0666. Since /dev/random and /dev/urandom have exactly the same write function and write behavior (both add to the input_pool entropy pool), their write permissions should match.

I've removed the security tag, and made this bug a minor bug asking for their permissions to match; as you said, udev and /sbin/MAKEDEV should be consistent, so I'm also cloning this bug against makedev.

- Josh Triplett
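An audit check for the consistency requested in the message above, added here as an example and not part of the original message or of udev/makedev. It assumes GNU coreutils `stat`; the function names `mode_of` and `check_modes_match` are hypothetical.

```shell
#!/bin/sh
# Added example: verify that two device nodes carry identical permission
# bits, and optionally that both equal an expected octal mode.
# Assumes GNU coreutils stat (-c '%a' prints the octal permission bits).

# mode_of PATH: print the octal mode of PATH, fail if it cannot be read.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null
}

# check_modes_match PATH_A PATH_B [EXPECTED_MODE]
# Returns 0 when both modes match (and equal EXPECTED_MODE if given),
# 1 on a mismatch or unexpected mode, 2 when a path is missing.
check_modes_match() {
    a=$1
    b=$2
    expected=${3:-}

    ma=$(mode_of "$a") || { echo "MISSING $a"; return 2; }
    mb=$(mode_of "$b") || { echo "MISSING $b"; return 2; }

    if [ "$ma" != "$mb" ]; then
        # The condition the bug report asks to eliminate.
        echo "MISMATCH $a=$ma $b=$mb"
        return 1
    fi

    if [ -n "$expected" ] && [ "$ma" != "$expected" ]; then
        # Consistent with each other, but not the mode the caller expects.
        echo "UNEXPECTED $a=$ma $b=$mb want=$expected"
        return 1
    fi

    echo "OK $a=$ma $b=$mb"
    return 0
}
```

Run it as `check_modes_match /dev/random /dev/urandom 666` to test a live system against the mode the message settles on.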