Re: Fix /etc/rc.d/random umask handling (/entropy permissions)

Sat, 21 Jan 2017 14:02:05 -0800 

[Adding Cc: Dag-Erling Smørgrav who committed r273957 which seems to
have introduced this]
On Sat, Jan 21, 2017 at 01:21:42AM +0000, Lu Tung-Pin wrote:
> A 2014 change broke the umask handling in /etc/rc.d/random,
> leaving /entropy with ug+r permissions. Quick fix attached,
> mirroring random_stop() behavior.

> (Incidentally, /usr/libexec/save-entropy is still fine for
> /var/db/entropy/*, as is /etc/rc.d/random for the new
> /boot/entropy.)

> --- /etc/rc.d/random.old      2017-01-21 11:48:30.975009000 +1100
> +++ /etc/rc.d/random  2017-01-19 18:04:34.224632000 +1100
> @@ -20,12 +20,15 @@
>  
>  save_dev_random()
>  {
> +     oumask=`umask`
> +     umask 077
>       for f ; do
>               if :>>"$f" ; then
>                       debug "saving entropy to $f"
>                       dd if=/dev/random of="$f" bs=4096 count=1 2>/dev/null
>               fi
>       done
> +     umask ${oumask}
>  }
>  
>  feed_dev_random()

Switching the umask here will avoid incorrect permissions on /entropy on
new installations, but will not fix existing systems. A chmod command
may be useful here.

On another note,  if :>>"$f"  is bogus. Since : is a special builtin, a
redirection error causes the shell to abort the script. The conditional
seems to have been added to show error messages when the entropy file
cannot be written without showing dd's statistics. I think this can be
done more easily using dd's status=none parameter.

My revised patch is below:

Index: etc/rc.d/random
===================================================================
--- etc/rc.d/random     (revision 311446)
+++ etc/rc.d/random     (working copy)
@@ -20,12 +20,14 @@
 
 save_dev_random()
 {
+       oumask=`umask`
+       umask 077
        for f ; do
-               if :>>"$f" ; then
-                       debug "saving entropy to $f"
-                       dd if=/dev/random of="$f" bs=4096 count=1 2>/dev/null
-               fi
+               debug "saving entropy to $f"
+               dd if=/dev/random of="$f" bs=4096 count=1 status=none &&
+                       chmod 600 "$f"
        done
+       umask ${oumask}
 }
 
 feed_dev_random()

-- 
Jilles Tjoelker
_______________________________________________
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Reply via email to