On Thu, Nov 26, 2015 at 01:30:51PM +0100, Marko Cupać wrote:
| Hi,
| 
| I can't seem to find an explanation what is the purpose of random.seed
| from sysadmin's point of view. Any good soul out there to point me in
| the right direction?

Carry entropy from the previous run to the next.  This data is read
*before* the kernel is booted, so the kernel can use better entropy
for some of its inner workings.

For a hint why you want proper entropy at the earliest start of the
system, look at this recent story: 

    https://www.raspberrypi.org/forums/viewtopic.php?f=66&t=126892

| The reason why I am asking is the fact that I am preparing pcengines
| apu box which needs to be read-only because of reduced sdcard wear but
| also because it is going to be placed in remote environment with
| frequent power outages (daily manual fscks expected if / is rw).
| 
| I am achieving this by putting ro record in fstab for (the only) /
| partition and moving /dev, /var and /tmp to mfs and tmpfs mounts.
| 
| I am concerned about shutdown message about inability to dd random.seed
| because of read-only file system. What would be the implications of not
| writing it on shutdown?

You'd have the same entropy data as the previous run which may make
certain attacks more feasible.

| Also does the following modification to rc look reasonable (not a
| patch file, I've just put "+" sign to make change more visible)?
| 
| random_seed()
| {
| +       # make / read-write in order to make next lines possible
| +       /sbin/mount -uw /
|         # push the old seed into the kernel
|         dd if=/var/db/host.random of=/dev/random bs=65536 count=1 status=none
|         chmod 600 /var/db/host.random
|         # ... and create a future seed
|         dd if=/dev/random of=/var/db/host.random bs=65536 count=1 status=none
|         # and create a seed file for the boot-loader
|         dd if=/dev/random of=/etc/random.seed bs=512 count=1 status=none
|         chmod 600 /etc/random.seed
| +       # make / read-only again
| +       /sbin/mount -ur /
| }

That's an option, but you'd need to carry that along yourself.  You're
already in unsupported territory (with a ro /) but for your own sanity
I'd recommend trying to keep such changes to a minimum: this will be
overwritten when you upgrade and it becomes a maintenance burden.

I'd recommend sticking something in rc.local or creating an @reboot
cronjob that updates the /etc/random.seed.  May not be ideal (the
entropy may not be very strong - I don't know if there is much
difference between just after boot or just before shutdown in this
regard), but at least it's easier to carry from release to release.

Paul 'WEiRD' de Weerd

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/                 
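
One way to implement the rc.local suggestion from the reply above, as an added example that is not part of the original message or of OpenBSD's rc. The function and variable names and the script name `refresh-seed.sh` are assumptions; the seed path, the 512-byte size and the mount commands are the ones quoted in the thread.

```sh
#!/bin/sh
# Added example, not from the thread: refresh the boot-loader seed once per
# boot (e.g. from /etc/rc.local) on a box whose / is normally read-only.
# Paths and sizes match the rc snippet quoted above; the variable and
# function names are assumptions made for this example.

SEED_FILE=${SEED_FILE:-/etc/random.seed}
SEED_SRC=${SEED_SRC:-/dev/random}
SEED_BYTES=${SEED_BYTES:-512}
REMOUNT_RW=${REMOUNT_RW:-"/sbin/mount -uw /"}
REMOUNT_RO=${REMOUNT_RO:-"/sbin/mount -ur /"}

refresh_boot_seed() {
	tmp="${SEED_FILE}.new"
	rc=0

	# Open the write window; give up if / cannot be made writable.
	$REMOUNT_RW || return 1

	# Write the new seed beside the old one so a power cut mid-write never
	# leaves a truncated seed file behind. umask creates it as 0600.
	( umask 077; dd if="$SEED_SRC" of="$tmp" bs="$SEED_BYTES" count=1 2>/dev/null ) || rc=1

	# dd exits 0 on a short read, so check the size before replacing.
	if [ "$rc" -eq 0 ] &&
	   [ "$(wc -c < "$tmp" | tr -d ' ')" -eq "$SEED_BYTES" ]; then
		{ chmod 600 "$tmp" && mv -f "$tmp" "$SEED_FILE"; } || rc=1
	else
		rm -f "$tmp"
		rc=1
	fi

	# Flush and close the window even when the write failed.
	sync
	$REMOUNT_RO || rc=1
	return "$rc"
}

# Run only when asked to, e.g. "sh refresh-seed.sh run" from /etc/rc.local.
if [ "${1:-}" = "run" ]; then
	refresh_boot_seed || echo "random.seed not refreshed" >&2
fi
```

The rename keeps the previous seed in place if the write is interrupted, which matters on a box that loses power daily.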
