Date: Sun, 22 Jan 2017 21:09:57 +0100
From: Jilles Tjoelker <jilles@stack.nl>
To: Lu Tung-Pin <lutungpin@openmailbox.org>
Cc: freebsd-current@freebsd.org, des@freebsd.org
Subject: Re: Fix /etc/rc.d/random umask handling (/entropy permissions)
Message-ID: <20170122200957.GB66559@stack.nl>
In-Reply-To: <759c32a300bbea18344a7f52fe2f009d@openmailbox.org>
References: <14f5a2fdf191c33e4ed1dc882b288e81@openmailbox.org> <20170121220136.GA59654@stack.nl> <759c32a300bbea18344a7f52fe2f009d@openmailbox.org>

On Sun, Jan 22, 2017 at 01:22:07AM +0000, Lu Tung-Pin wrote:
> On 2017-01-21 22:01, Jilles Tjoelker wrote:
> > [Adding Cc: Dag-Erling Smørgrav who committed r273957 which seems to
> > have introduced this]

> > On Sat, Jan 21, 2017 at 01:21:42AM +0000, Lu Tung-Pin wrote:
> >> A 2014 change broke the umask handling in /etc/rc.d/random,
> >> leaving /entropy with ug+r permissions. Quick fix attached,

> Edit: go+r permissions.

> > Switching the umask here will avoid incorrect permissions on
> > /entropy on new installations, but will not fix existing systems. A
> > chmod command may be useful here.

> Note that random_start() first removes /entropy via feed_dev_random().
> There's also a removal in random_stop(). Provided that a removal occurs,
> the chmod won't be necessary on machines with an existing go+r /entropy.

Right, /entropy is deleted after being read so the chmod is not needed.

> I'm wondering, though: Would it be better to replace all the umask
> fiddling with simple chmods? Every other rc.d script uses chmod if it
> needs to set tighter permissions. When umask is used (dmesg, mountd,
> syslogd), it's with a relaxed 022 setting.

The umask ensures the file is created with the correct permissions so
there is no race window where an unprivileged process can open the file.
A permissions change has no existing opens.

-- 
Jilles Tjoelker
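
The difference between the two approaches discussed in the message above, as an added example that is not part of the original e-mail or of /etc/rc.d/random. The function names, file names and file content are constructed for illustration; a second file descriptor in the same shell stands in for another process that opens the file between creation and chmod.

```shell
#!/bin/sh
# Added illustration; paths and the file content are constructed.

# Octal mode of a file: GNU stat first, BSD stat as fallback.
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Create under a relaxed umask, then tighten with chmod.
# Prints: mode during the window, mode after chmod, and what a
# descriptor opened inside the window still reads after the chmod.
chmod_after_create() (
    umask 022
    f="$1/entropy.chmod"
    echo "constructed-seed" > "$f"
    window_mode=$(mode_of "$f")
    exec 3< "$f"        # stands in for another process opening the file
    chmod 600 "$f"
    final_mode=$(mode_of "$f")
    leaked=$(cat <&3)   # the earlier open is unaffected by the chmod
    exec 3<&-
    echo "$window_mode $final_mode $leaked"
)

# Set the umask first: the file never exists with group/other bits.
umask_before_create() (
    umask 077
    f="$1/entropy.umask"
    echo "constructed-seed" > "$f"
    mode_of "$f"
)

demo_dir=$(mktemp -d)
echo "chmod after create:  $(chmod_after_create "$demo_dir")"
echo "umask before create: $(umask_before_create "$demo_dir")"
rm -rf "$demo_dir"
```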