From: Paul Hoffman
Subject: Re: [PATCH RFC] Disable save-entropy in jails
Date: Tue, 24 Dec 2013 14:36:10 -0800
To: d@delphij.net
Cc: "freebsd-security@freebsd.org", FreeBSD Current, Pawel Jakub Dawidek

On Dec 24, 2013, at 12:44 PM, Xin Li wrote:

> I think we shouldn't save entropy inside jails, as the data is not going
> to be used by rc script (pjd@126744). If there are no objections, I will
> commit this changeset on January 1, 2014.

Even if it is not used by an rc script, it might be used by some userland program (running as root, of course) that knows about the directory and wants some fresh entropy for its own use.

Is there a problem with saving the directory in jails? It certainly isn't taking up much space.

--Paul Hoffman