Bug#988384: this bug should be folded into a previous one
This is a near-duplicate of bug 661485. I have already submitted it as a reply there. Assuming that is OK with everybody, this incarnation (bug 988384) can be closed.
Bug#661485: smartmontools: smartd-runner fails to send email to more than one recipient
Here is a replacement for bug 988384. This is a better place for it.

*** Expected, documented, and desired behavior:

In /etc/smartd.conf it is permitted to specify multiple email recipients. Here is the relevant snippet:

###
DEFAULT -d removable -n standby \
 -a -M test \
 -s S/../.././01 \
 -m root,blakeney,reid,delavega,wayne \
 -M exec /usr/share/smartmontools/smartd-runner
###

The last line is relevant, and the next-to-last line is super-relevant, insofar as it contains a comma-separated list of recipients. The code in smartd itself handles this just fine, and always has.

*** Observed bad behavior:

I observe that the smartd-runner script throws away all recipients after the first.

*** Remark:

The root problem is that smartd-runner assumes it will be called with exactly three arguments. It can be expected that this will cause multiple bugs, not just the one reported here.

*** Patch to fix the problem

A patch file is attached. Compared to others that have been suggested, this patch is superior in a couple of ways:

*) It accepts an /arbitrary/ number of arguments and passes them to the run-parts script(s) appropriately.
*) It is agnostic as to the number, format, and semantics of the arguments.
*** Platform details ProblemType: Bug ApportVersion: 2.20.11-0ubuntu27.17 Architecture: amd64 CasperMD5CheckResult: skip CurrentDesktop: MATE Date: Mon May 10 07:13:51 2021 DistroRelease: Ubuntu 20.04 InstallationDate: Installed on 2010-07-10 (3957 days ago) InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release amd64 (20100429) Package: smartmontools 7.1-1build1 [modified: usr/share/smartmontools/smartd-runner] PackageArchitecture: amd64 ProcEnviron: TERM=xterm PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: smartmontools Tags: focal Uname: 
Linux 5.11.0+ x86_64 UpgradeStatus: Upgraded to focal on 2020-08-09 (273 days ago) _MarkForUpload: True modified.conffile..etc.default.apport: [modified] modified.conffile..etc.default.smartmontools: [modified] modified.conffile..etc.smartd.conf: [modified] mtime.conffile..etc.default.apport: 2020-08-09T18:38:49.803212 mtime.conffile..etc.default.smartmontools: 2010-11-12T20:22:37 mtime.conffile..etc.smartd.conf: 2016-05-14T13:58:08.981915 /// sent Mon 10 May 2021 7:35:45 AM MST https://bugs.launchpad.net/ubuntu/+source/smartmontools/+bug/1927980 /// patch is: --- smartd-runner#orig 2021-05-06 03:25:01.324133900 -0700 +++ smartd-runner 2021-05-10 07:00:08.342798348 -0700 @@ -3,8 +3,15 @@ tmp=$(tempfile) cat >$tmp -run-parts --report --lsbsysinit --arg=$tmp --arg="$1" \ ---arg="$2" --arg="$3" -- /etc/smartmontools/run.d +# Decorate every one of our args with "--arg=". +# Use an array, since each arg might contain spaces. +args=("$@") +cmd=() +for ((ii=0; ii<${#args[@]}; ii++)); do + cmd[$ii]="--arg=${args[$ii]}" +done -rm -f $tmp +run-parts --report --lsbsysinit --arg=$tmp \ + "${cmd[@]}" -- /etc/smartmontools/run.d +rm -f $tmp
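Review bot: The added array code (args=("$@"), cmd=(), and the for ((ii=0; ...)) loop) is bash-only syntax, and the interpreter line of smartd-runner lies above the hunk, which starts at line 3, so it cannot be checked here; confirm the script runs under bash rather than /bin/sh, otherwise a POSIX shell such as dash will stop with a syntax error. The copy into args and the index loop can also be dropped in favour of a direct loop: for a in "$@"; do cmd+=("--arg=$a"); done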
Bug#988384: smartd-runner bug causes loss of email recipients
Package: smartmontools
Version: 7.1-1build1

*** Origin and context:

I'm using an Ubuntu package. The Ubuntu guys asked me to push this report upstream, so here it is. A patch is included.

*** Expected, documented, and desired behavior:

In /etc/smartd.conf it is permitted to specify multiple email recipients. Here is the relevant snippet:

###
DEFAULT -d removable -n standby \
 -a -M test \
 -s S/../.././01 \
 -m root,jsd \
 -M exec /usr/share/smartmontools/smartd-runner
###

The last line is relevant, and the next-to-last line is super-relevant, insofar as it contains a comma-separated list of recipients. The code in smartd itself handles this just fine, and always has.

*** Observed bad behavior:

I observe that the smartd-runner script throws away all recipients after the first.

*** Remark:

The root problem is that smartd-runner assumes it will be called with exactly three arguments. It can be expected that this will cause multiple bugs, not just the one reported here.

*** Patch to fix the problem

A patch file is attached.
*** Platform details ProblemType: Bug ApportVersion: 2.20.11-0ubuntu27.17 Architecture: amd64 CasperMD5CheckResult: skip CurrentDesktop: MATE Date: Mon May 10 07:13:51 2021 DistroRelease: Ubuntu 20.04 InstallationDate: Installed on 2010-07-10 (3957 days ago) InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release amd64 (20100429) Package: smartmontools 7.1-1build1 [modified: usr/share/smartmontools/smartd-runner] PackageArchitecture: amd64 ProcEnviron: TERM=xterm PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: smartmontools Tags: focal Uname: 
Linux 5.11.0+ x86_64 UpgradeStatus: Upgraded to focal on 2020-08-09 (273 days ago) _MarkForUpload: True modified.conffile..etc.default.apport: [modified] modified.conffile..etc.default.smartmontools: [modified] modified.conffile..etc.smartd.conf: [modified] mtime.conffile..etc.default.apport: 2020-08-09T18:38:49.803212 mtime.conffile..etc.default.smartmontools: 2010-11-12T20:22:37 mtime.conffile..etc.smartd.conf: 2016-05-14T13:58:08.981915 /// sent Mon 10 May 2021 7:35:45 AM MST https://bugs.launchpad.net/ubuntu/+source/smartmontools/+bug/1927980 /// patch is: --- smartd-runner#orig 2021-05-06 03:25:01.324133900 -0700 +++ smartd-runner 2021-05-10 07:00:08.342798348 -0700 @@ -3,8 +3,15 @@ tmp=$(tempfile) cat >$tmp -run-parts --report --lsbsysinit --arg=$tmp --arg="$1" \ ---arg="$2" --arg="$3" -- /etc/smartmontools/run.d +# Decorate every one of our args with "--arg=". +# Use an array, since each arg might contain spaces. +args=("$@") +cmd=() +for ((ii=0; ii<${#args[@]}; ii++)); do + cmd[$ii]="--arg=${args[$ii]}" +done -rm -f $tmp +run-parts --report --lsbsysinit --arg=$tmp \ + "${cmd[@]}" -- /etc/smartmontools/run.d +rm -f $tmp
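Review bot: $tmp is left unquoted in --arg=$tmp and in rm -f $tmp on the added lines, while every other argument is now quoted; write it as "$tmp" in both places. The cleanup is also only reached when the script runs to its last line, so if it is interrupted during run-parts the temporary file stays behind; a trap 'rm -f "$tmp"' EXIT placed right after the tempfile call would cover that case.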
Bug#596483: rebase the patch
This replaces the previous patch. No change in meaning, just rebase the patch in light of changes to prior patches. From 4f8cc6788f804fcd1b99dbda22aadafdc497b43e Mon Sep 17 00:00:00 2001 From: root r...@av8n.com Date: Thu, 16 Sep 2010 14:49:15 -0700 Subject: [PATCH] Do not rm -f $SAVEDFILE because that is a Bad Idea when $SAVEDFILE is a symlink. Simply overwriting the file is easier and better. --- urandom |1 - 1 files changed, 0 insertions(+), 1 deletions(-) diff --git a/urandom b/urandom index 26047a4..9614f2a 100755 --- a/urandom +++ b/urandom @@ -57,7 +57,6 @@ case $1 in # an explicit reseed of the yarrow. ) /dev/urandom - rm -f $SAVEDFILE # Write a new seed into $SAVEDFILE because re-using a seed # compromises security. Each time we re-seed, we want the # seed to be as different as possible. -- 1.5.6.5
Bug#596482: refinement : cope with kFreeBSD
The following patch replaces the previous patch. Works the same for Linux, works slightly better for kFreeBSD. From cbd6063ff8f0df65bae3d1dac47fd6830268f864 Mon Sep 17 00:00:00 2001 From: John Denker j...@av8n.com Date: Sat, 11 Sep 2010 10:04:48 -0700 Subject: [PATCH] Include date and time when seeding the RNG. --- urandom | 30 +++--- 1 files changed, 23 insertions(+), 7 deletions(-) diff --git a/urandom b/urandom index 79344cb..26047a4 100755 --- a/urandom +++ b/urandom @@ -1,7 +1,7 @@ #! /bin/sh ### BEGIN INIT INFO # Provides: urandom -# Required-Start:$local_fs +# Required-Start:$local_fs $time # Required-Stop: $local_fs # Default-Start: S # Default-Stop: 0 6 @@ -35,12 +35,28 @@ fi case $1 in start|) [ $VERBOSE = no ] || log_action_begin_msg Initializing random number generator - # Load and then save $POOLBYTES bytes, - # which is the size of the entropy pool - if [ -f $SAVEDFILE ] - then - cat $SAVEDFILE /dev/urandom - fi + # Seed the RNG with date and time. + # This is helpful in the less-than-ideal case where $SAVEDFILE + # is read-only. + # The value of this is greatly reduced if $SAVEDFILE is missing, + # or its contents are shared machine-to-machine or known to + # attackers (since they might well know at what time this + # machine booted up). + ( + date +%s.%N + + # Load and then save $POOLBYTES bytes, + # which is the size of the entropy pool + if [ -f $SAVEDFILE ] + then + cat $SAVEDFILE + fi + # Redirect output of subshell (not individual commands) + # to cope with a misfeature in the FreeBSD (not Linux) + # /dev/random, where every superuser write/close causes + # an explicit reseed of the yarrow. + ) /dev/urandom + rm -f $SAVEDFILE # Write a new seed into $SAVEDFILE because re-using a seed # compromises security. Each time we re-seed, we want the -- 1.5.6.5
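Review bot: The commit subject is still only "Include date and time when seeding the RNG." although the first hunk also changes boot ordering by adding $time to Required-Start, and the second hunk restructures the write into a subshell for FreeBSD. Say both in the commit message body; the FreeBSD reason is currently recorded only in the in-code comment, and the header change is not explained anywhere. In the subshell, $SAVEDFILE is unquoted in both [ -f $SAVEDFILE ] and cat $SAVEDFILE; quote it while these lines are being rewritten.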
Bug#596479: init.d/urandom : shouldn't write to read-only file /proc/sys/kernel/random/poolsize
Package: initscripts Version: 2.86.ds1-61 Severity: normal Tags: patch Remove code that tried to write to the read-only file /proc/sys/kernel/random/poolsize This code was added in 2004 and has never worked. The underlying driver does not support changing poolsize. And if it ever did, the filesize of the random.seed would be a suboptimal way of implementing it. This is #1 in a group of 5 patches for init.d/urandom. -- System Information: Debian Release: 5.0.5 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i586) Kernel: Linux 2.6.26.5 (PREEMPT) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/bash From dd1a2a7c4fbe58f60b46e739d5a7c78fc2dde03d Mon Sep 17 00:00:00 2001 From: John Denker j...@av8n.com Date: Sat, 11 Sep 2010 09:17:32 -0700 Subject: [PATCH 1/5] Remove code that tried to write to the read-only file /proc/sys/kernel/random/poolsize This code was added in 2004 and has never worked. --- urandom |7 --- 1 files changed, 0 insertions(+), 7 deletions(-) diff --git a/urandom b/urandom index 30b572e..1007147 100755 --- a/urandom +++ b/urandom @@ -35,13 +35,6 @@ case $1 in # which is the size of the entropy pool if [ -f $SAVEDFILE ] then - # Handle locally increased pool size - SAVEDSIZE=$(find $SAVEDFILE -printf %s) - if [ $SAVEDSIZE -gt $POOLSIZE ] - then - [ -w /proc/sys/kernel/random/poolsize ] echo $POOLSIZE /proc/sys/kernel/random/poolsize - POOLSIZE=$SAVEDSIZE - fi cat $SAVEDFILE /dev/urandom fi rm -f $SAVEDFILE -- 1.7.0.4
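Review bot: The removed block does two things, and the commit message accounts for only one of them. Besides the attempted write to /proc/sys/kernel/random/poolsize, the hunk deletes POOLSIZE=$SAVEDSIZE, so any later use of $POOLSIZE no longer follows the size of an existing, larger seed file. State in the commit message that this is intended, so that a reader does not take it for an accidental side effect of removing the write.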
Bug#596480: init.d/urandom : should calculate POOLBYTES correctly
Package: initscripts Version: 2.86.ds1-61 Severity: normal Tags: patch We should correctly calculate the size of the random.seed to be written. Note that /proc/sys/kernel/random/poolsize reports the number of bits, not bytes, so a conversion factor is needed. This is #2 in a group of 5 patches for init.d/urandom. -- System Information: Debian Release: 5.0.5 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i586) Kernel: Linux 2.6.26.5 (PREEMPT) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/bash From 45e354973831aa3e50d230f98b25853660a42f39 Mon Sep 17 00:00:00 2001 From: John Denker j...@av8n.com Date: Sat, 11 Sep 2010 09:22:36 -0700 Subject: [PATCH 2/5] Calculate POOLBYTES correctly. Note that /proc/sys/kernel/random/poolsize reports the number of bits, not bytes, so a conversion factor is needed. --- urandom | 13 - 1 files changed, 8 insertions(+), 5 deletions(-) diff --git a/urandom b/urandom index 1007147..5172e7f 100755 --- a/urandom +++ b/urandom @@ -14,8 +14,11 @@ PATH=/sbin:/usr/sbin:/bin:/usr/bin SAVEDFILE=/var/lib/urandom/random-seed -POOLSIZE=512 -[ -f /proc/sys/kernel/random/poolsize ] POOLSIZE=$(cat /proc/sys/kernel/random/poolsize) +if ! POOLBYTES=$(( + ($(cat /proc/sys/kernel/random/poolsize 2/dev/null) + 7) / 8 +)) ; then + POOLBYTES=512 +fi . /lib/init/vars.sh . /lib/lsb/init-functions @@ -31,7 +34,7 @@ do_status () { case $1 in start|) [ $VERBOSE = no ] || log_action_begin_msg Initializing random number generator - # Load and then save $POOLSIZE bytes, + # Load and then save $POOLBYTES bytes, # which is the size of the entropy pool if [ -f $SAVEDFILE ] then @@ -40,7 +43,7 @@ case $1 in rm -f $SAVEDFILE # Hm, why is the saved pool re-created at boot? [pere 2009-09-03] umask 077 - dd if=/dev/urandom of=$SAVEDFILE bs=$POOLSIZE count=1 /dev/null 21 + dd if=/dev/urandom of=$SAVEDFILE bs=$POOLBYTES count=1 /dev/null 21 ES=$? umask 022 [ $VERBOSE = no ] || log_action_end_msg $ES 
@@ -50,7 +53,7 @@ case $1 in # see documentation in linux/drivers/char/random.c [ $VERBOSE = no ] || log_action_begin_msg Saving random seed umask 077 - dd if=/dev/urandom of=$SAVEDFILE bs=$POOLSIZE count=1 /dev/null 21 + dd if=/dev/urandom of=$SAVEDFILE bs=$POOLBYTES count=1 /dev/null 21 ES=$? [ $VERBOSE = no ] || log_action_end_msg $ES ;; -- 1.7.0.4
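Review bot: The fallback in the first hunk works only through a subtle shell rule: in "if ! POOLBYTES=$(( ... ))" the POOLBYTES=512 branch is reached because a bare assignment returns the exit status of the cat command substitution nested inside the arithmetic expansion. Add a one-line comment saying so, or read the poolsize into a variable first and test it explicitly, which is easier to audit. The comment should also say that 512 is a byte count, since the POOLSIZE=512 it replaces shared a variable with the raw poolsize value, which the commit message says is in bits.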
Bug#596481: init.d/urandom : provide answer to question in the code
Package: initscripts Version: 2.86.ds1-61 Severity: normal Tags: patch Explain why we /write/ the seed at boot time. Upgrade comments by removing question and inserting answer. Also document assumptions about persistence of $SAVEDFILE This is #3 in a group of 5 patches for init.d/urandom. -- System Information: Debian Release: 5.0.5 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i586) Kernel: Linux 2.6.26.5 (PREEMPT) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/bash From 8591635867a34300c73ef9ead5fafa8002346788 Mon Sep 17 00:00:00 2001 From: John Denker j...@av8n.com Date: Sat, 11 Sep 2010 09:56:08 -0700 Subject: [PATCH 3/5] Explain why we /write/ the seed at boot time. Upgrade comments by removing question and inserting answer. Also document assumptions about persistence of $SAVEDFILE --- urandom | 21 +++-- 1 files changed, 19 insertions(+), 2 deletions(-) diff --git a/urandom b/urandom index 5172e7f..841534c 100755 --- a/urandom +++ b/urandom @@ -10,10 +10,19 @@ #It is called from the boot, halt and reboot scripts. ### END INIT INFO +## Assumption 1: We assume $SAVEDFILE is a file (or a symlink +## to a file) that resides on a non-volatile medium that persists +## across reboots. +## Case 1a: Ideally, it is readable and writeable. Its is unshared, +## i.e. its contents are unique to this machine. It is protected so +## that its contents are not known to attackers. +## Case 1b: Less than ideally, it is read-only. Its contents are +## unique to this machine and not known to attackers. +SAVEDFILE=/var/lib/urandom/random-seed + [ -c /dev/urandom ] || exit 0 PATH=/sbin:/usr/sbin:/bin:/usr/bin -SAVEDFILE=/var/lib/urandom/random-seed if ! POOLBYTES=$(( ($(cat /proc/sys/kernel/random/poolsize 2/dev/null) + 7) / 8 )) ; then 
@@ -41,7 +50,13 @@ case $1 in cat $SAVEDFILE /dev/urandom fi rm -f $SAVEDFILE - # Hm, why is the saved pool re-created at boot? [pere 2009-09-03] + # Write a new seed into $SAVEDFILE because re-using a seed + # compromises security. Each time we re-seed, we want the + # seed to be as different as possible. + # Write it now, in case the machine crashes without doing + # an orderly shutdown. + # The write will fail if $SAVEDFILE is read-only, but it + # doesn't hurt to try. umask 077 dd if=/dev/urandom of=$SAVEDFILE bs=$POOLBYTES count=1 /dev/null 21 ES=$? @@ -50,6 +65,8 @@ case $1 in ;; stop) # Carry a random seed from shut-down to start-up; +# Write it on shutdown, in case the one written at startup +# has been lost, snooped, or otherwise compromised. # see documentation in linux/drivers/char/random.c [ $VERBOSE = no ] || log_action_begin_msg Saving random seed umask 077 -- 1.7.0.4
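Review bot: In the first hunk the added comment for Case 1a reads "Its is unshared"; that should be "It is unshared". In the second hunk the new comment says the write "will fail if $SAVEDFILE is read-only, but it doesn't hurt to try", yet the status of that dd is still captured in ES=$? on the following context line; either say in the comment that a failure status is expected in Case 1b, or skip the write when the file is not writable.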
Bug#596482: initscripts: init.d/urandom : Include date and time when seeding the RNG.
Package: initscripts Version: 2.86.ds1-61 Severity: important Tags: patch During initialization, include this: date +%s.%N /dev/random This is important for systems that boot from read-only media and have few if any realtime sources of new entropy. Unattended and/or embedded systems tend to fall into this category. This solution was discussed on the cryptography mailing list, and there was 100% consensus that it would be a good idea. Tangential remark: Back in 2007, Bug #455230 expressed a similar goal, but did not correctly identify the important use-case, and did not offer the correct solution. The solution here meets the goals of that earlier request. *) Using the date+time as part of the seed is important every time a system is /rebooted/ from read-only media; that is, it is important for every boot except the first. We don't want to restore the RNG to a previously-used state. *) This is most effective as part 1 of a two-part solution. Part 2 is to ensure that the read-only random.seed file is unshared and unique on a host-by-host basis. Part 2 is not the subject of this report. We can and should implement Part 1 without waiting for Part 2. The date+time is /different/ on each reboot, and that is all that is needed, provided the random.seed is unshared and unique. This is #4 in a group of 5 patches for init.d/urandom. -- System Information: Debian Release: 5.0.5 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i586) Kernel: Linux 2.6.26.5 (PREEMPT) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/bash From fb548b0a752ce676d193c71ceff1321b1d894def Mon Sep 17 00:00:00 2001 From: John Denker j...@av8n.com Date: Sat, 11 Sep 2010 10:04:48 -0700 Subject: [PATCH 4/5] Include date and time when seeding the RNG. --- urandom |9 + 1 files changed, 9 insertions(+), 0 deletions(-) diff --git a/urandom b/urandom index 841534c..ac1c06e 100755 --- a/urandom +++ b/urandom 
@@ -43,6 +43,15 @@ do_status () { case $1 in start|) [ $VERBOSE = no ] || log_action_begin_msg Initializing random number generator +# Seed the RNG with date and time. +# This is helpful in the less-than-ideal case where $SAVEDFILE +# is read-only. +# The value of this is greatly reduced if $SAVEDFILE is missing, +# or its contents are shared machine-to-machine or known to +# attackers (since they might well know at what time this +# machine booted up). +date +%s.%N /dev/random + # Load and then save $POOLBYTES bytes, # which is the size of the entropy pool if [ -f $SAVEDFILE ] -- 1.7.0.4
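Review bot: The added "date +%s.%N" line makes the seed depend on the system clock, but the patch consists of this single hunk and leaves the LSB header untouched, so nothing orders the script after the clock has been set. If it runs before then, date can return the same value on every boot, which defeats the stated purpose. Add $time to Required-Start in the same patch. The added lines are also flush left while the surrounding case body is indented; match the existing indentation.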
Bug#596483: init.d/urandom : Do not rm -f $SAVEDFILE
Package: initscripts Version: 2.86.ds1-61 Severity: important Tags: patch Do not rm -f $SAVEDFILE This is important in the case where $SAVEDFILE is a symlink. Simply overwriting the file is easier and better. This is #5 in a group of 5 patches for init.d/urandom. -- System Information: Debian Release: 5.0.5 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i586) Kernel: Linux 2.6.26.5 (PREEMPT) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/bash From 9f7283cb1bfc4747dc53984fc97cd2838146c194 Mon Sep 17 00:00:00 2001 From: John Denker j...@av8n.com Date: Sat, 11 Sep 2010 11:21:19 -0700 Subject: [PATCH 5/5] Do not rm -f $SAVEDFILE because that is a Bad Idea when $SAVEDFILE is a symlink. Overwriting the file is quite sufficient. --- urandom |1 - 1 files changed, 0 insertions(+), 1 deletions(-) diff --git a/urandom b/urandom index ac1c06e..08a9fe8 100755 --- a/urandom +++ b/urandom @@ -58,7 +58,6 @@ case $1 in then cat $SAVEDFILE /dev/urandom fi - rm -f $SAVEDFILE # Write a new seed into $SAVEDFILE because re-using a seed # compromises security. Each time we re-seed, we want the # seed to be as different as possible. -- 1.7.0.4
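Review bot: With "rm -f $SAVEDFILE" removed, the write that follows the hunk reuses the existing file instead of creating a new one, so the file keeps whatever mode and owner it already has; anything that relied on the file being recreated, such as a umask set before the write, no longer has an effect on an existing seed. Add an explicit check or chmod of $SAVEDFILE, and note in the commit message that writing through a symlink now modifies the link target.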
Bug#596479: cleaner patch
The attached patch should apply cleanly to the Debian urandom. My apologies for attaching the wrong patch previously. I picked up the Ubuntu patch instead of the Debian patch. From 65227bb7a4a335f7ef1332b2b19aada059502238 Mon Sep 17 00:00:00 2001 From: John Denker j...@av8n.com Date: Sat, 11 Sep 2010 09:17:32 -0700 Subject: [PATCH] Remove code that tried to write to the read-only file /proc/sys/kernel/random/poolsize This code was added in 2004 and has never worked. --- urandom |7 --- 1 files changed, 0 insertions(+), 7 deletions(-) diff --git a/urandom b/urandom index 1662859..f5b4bcb 100755 --- a/urandom +++ b/urandom @@ -27,13 +27,6 @@ case $1 in # which is the size of the entropy pool if [ -f $SAVEDFILE ] then - # Handle locally increased pool size - SAVEDSIZE=$(find $SAVEDFILE -printf %s) - if [ $SAVEDSIZE -gt $POOLSIZE ] - then - [ -w /proc/sys/kernel/random/poolsize ] echo $POOLSIZE /proc/sys/kernel/random/poolsize - POOLSIZE=$SAVEDSIZE - fi cat $SAVEDFILE /dev/urandom fi rm -f $SAVEDFILE -- 1.5.6.5
Bug#596480: cleaner patch
The attached patch should apply cleanly to the Debian urandom. My apologies for attaching the wrong patch previously. I picked up the Ubuntu patch instead of the Debian patch. From 7cafdbe365e0ce93014fd88c0f465777d4610a2f Mon Sep 17 00:00:00 2001 From: root r...@localhost.localdomain Date: Sat, 11 Sep 2010 15:23:20 -0700 Subject: [PATCH] Calculate POOLBYTES correctly. Note that /proc/sys/kernel/random/poolsize reports the number of bits, not bytes, so a conversion is necessary. --- urandom | 13 - 1 files changed, 8 insertions(+), 5 deletions(-) diff --git a/urandom b/urandom index f5b4bcb..ffca615 100755 --- a/urandom +++ b/urandom @@ -14,8 +14,11 @@ PATH=/sbin:/usr/sbin:/bin:/usr/bin SAVEDFILE=/var/lib/urandom/random-seed -POOLSIZE=512 -[ -f /proc/sys/kernel/random/poolsize ] POOLSIZE=$(cat /proc/sys/kernel/random/poolsize) +if ! POOLBYTES=$(( + ($(cat /proc/sys/kernel/random/poolsize 2/dev/null) + 7) / 8 +)) ; then + POOLBYTES=512 +fi . /lib/init/vars.sh . /lib/lsb/init-functions @@ -23,7 +26,7 @@ POOLSIZE=512 case $1 in start|) [ $VERBOSE = no ] || log_action_begin_msg Initializing random number generator - # Load and then save $POOLSIZE bytes, + # Load and then save $POOLBYTES bytes, # which is the size of the entropy pool if [ -f $SAVEDFILE ] then @@ -31,7 +34,7 @@ case $1 in fi rm -f $SAVEDFILE umask 077 - dd if=/dev/urandom of=$SAVEDFILE bs=$POOLSIZE count=1 /dev/null 21 + dd if=/dev/urandom of=$SAVEDFILE bs=$POOLBYTES count=1 /dev/null 21 ES=$? umask 022 [ $VERBOSE = no ] || log_action_end_msg $ES @@ -41,7 +44,7 @@ case $1 in # see documentation in linux/drivers/char/random.c [ $VERBOSE = no ] || log_action_begin_msg Saving random seed umask 077 - dd if=/dev/urandom of=$SAVEDFILE bs=$POOLSIZE count=1 /dev/null 21 + dd if=/dev/urandom of=$SAVEDFILE bs=$POOLBYTES count=1 /dev/null 21 ES=$? [ $VERBOSE = no ] || log_action_end_msg $ES ;; -- 1.5.6.5
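Review bot: The From line of this patch names root at localhost.localdomain as the author, whereas the earlier submission of the same change carried the submitter's own name and address. Regenerate the patch with the real author identity (for example with git commit --amend --reset-author after setting user.name and user.email) so the history attributes the change correctly, and avoid committing as root.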
Bug#596481: cleaner patch
The attached patch should apply cleanly to the Debian urandom. My apologies for attaching the wrong patch previously. I picked up the Ubuntu patch instead of the Debian patch. From ef7dda4ef592758a845ad28d0795743ac9677371 Mon Sep 17 00:00:00 2001 From: root r...@localhost.localdomain Date: Sat, 11 Sep 2010 15:27:05 -0700 Subject: [PATCH] Explain why we /write/ the seed at boot time. Also document assumptions about random.seed. --- urandom | 20 +++- 1 files changed, 19 insertions(+), 1 deletions(-) diff --git a/urandom b/urandom index ffca615..79344cb 100755 --- a/urandom +++ b/urandom @@ -10,10 +10,19 @@ #It is called from the boot, halt and reboot scripts. ### END INIT INFO +## Assumption 1: We assume $SAVEDFILE is a file (or a symlink +## to a file) that resides on a non-volatile medium that persists +## across reboots. +## Case 1a: Ideally, it is readable and writeable. Its is unshared, +## i.e. its contents are unique to this machine. It is protected so +## that its contents are not known to attackers. +## Case 1b: Less than ideally, it is read-only. Its contents are +## unique to this machine and not known to attackers. +SAVEDFILE=/var/lib/urandom/random-seed + [ -c /dev/urandom ] || exit 0 PATH=/sbin:/usr/sbin:/bin:/usr/bin -SAVEDFILE=/var/lib/urandom/random-seed if ! POOLBYTES=$(( ($(cat /proc/sys/kernel/random/poolsize 2/dev/null) + 7) / 8 )) ; then @@ -33,6 +42,13 @@ case $1 in cat $SAVEDFILE /dev/urandom fi rm -f $SAVEDFILE + # Write a new seed into $SAVEDFILE because re-using a seed + # compromises security. Each time we re-seed, we want the + # seed to be as different as possible. + # Write it now, in case the machine crashes without doing + # an orderly shutdown. + # The write will fail if $SAVEDFILE is read-only, but it + # doesn't hurt to try. umask 077 dd if=/dev/urandom of=$SAVEDFILE bs=$POOLBYTES count=1 /dev/null 21 ES=$? 
@@ -41,6 +57,8 @@ case $1 in ;; stop) # Carry a random seed from shut-down to start-up; +# Write it on shutdown, in case the one written at startup +# has been lost, snooped, or otherwise compromised. # see documentation in linux/drivers/char/random.c [ $VERBOSE = no ] || log_action_begin_msg Saving random seed umask 077 -- 1.5.6.5
Bug#596482: cleaner patch
The attached patch should apply cleanly to the Debian urandom. My apologies for attaching the wrong patch previously. I picked up the Ubuntu patch instead of the Debian patch. From c45b19d323d5e30473d254f1d0f87f33cb86ca3b Mon Sep 17 00:00:00 2001 From: John Denker j...@av8n.com Date: Sat, 11 Sep 2010 10:04:48 -0700 Subject: [PATCH] Include date and time when seeding the RNG. --- urandom |9 + 1 files changed, 9 insertions(+), 0 deletions(-) diff --git a/urandom b/urandom index 79344cb..5e6121c 100755 --- a/urandom +++ b/urandom @@ -35,6 +35,15 @@ fi case $1 in start|) [ $VERBOSE = no ] || log_action_begin_msg Initializing random number generator +# Seed the RNG with date and time. +# This is helpful in the less-than-ideal case where $SAVEDFILE +# is read-only. +# The value of this is greatly reduced if $SAVEDFILE is missing, +# or its contents are shared machine-to-machine or known to +# attackers (since they might well know at what time this +# machine booted up). +date +%s.%N /dev/random + # Load and then save $POOLBYTES bytes, # which is the size of the entropy pool if [ -f $SAVEDFILE ] -- 1.5.6.5
Bug#596483: cleaner patch
The attached patch should apply cleanly to the Debian urandom. My apologies for attaching the wrong patch previously. I picked up the Ubuntu patch instead of the Debian patch. From 8d1f17feef351aa397d17bd4515f2d304be73393 Mon Sep 17 00:00:00 2001 From: John Denker j...@av8n.com Date: Sat, 11 Sep 2010 11:21:19 -0700 Subject: [PATCH] Do not rm -f $SAVEDFILE because that is a Bad Idea when $SAVEDFILE is a symlink. Overwriting the file is quite sufficient. --- urandom |1 - 1 files changed, 0 insertions(+), 1 deletions(-) diff --git a/urandom b/urandom index 5e6121c..3046ac5 100755 --- a/urandom +++ b/urandom @@ -50,7 +50,6 @@ case $1 in then cat $SAVEDFILE /dev/urandom fi - rm -f $SAVEDFILE # Write a new seed into $SAVEDFILE because re-using a seed # compromises security. Each time we re-seed, we want the # seed to be as different as possible. -- 1.5.6.5
Bug#300119: libc6: LD_DEBUG=versions can lead to segmentation fault
On 03/21/05 02:06, GOTO Masanori wrote:

> In this bug report, we don't know which vi is used. Your vi links a
> lot of libraries. I don't know what the problem is, but I guess (1)
> you use non-debian vi which is not linked correctly (2) you use
> invalid dynamic linker setting: for example, LD_PRELOAD or
> /etc/ld.preload and so on.

No, no, no.

First of all, my system is AFAIK plain old sarge. The pnglib is, I believe, the first and only thing I have installed from source, as opposed to just installing debian pkgs using dselect.

Secondly, as I explained in my original note, I mentioned vi only as an example of an ordinary innocuous program. The list of programs that exhibit the same segfault (when LD_DEBUG=versions is set) include
  vi (which is just a symlink to vim 6.3.58)
  emacs 21.3.1
  Mozilla Firefox 1.0.1
  ImageMagick 6.0.6 (including identify, display, etc. etc.)
  ESP Ghostscript 7.07.1
  xine v0.99.3
  ... do I really need to go on ...

So unless you are going to claim that I _unknowingly_ installed non-Debian versions of all those programs, you will have to consider that there is a systematic problem.

One thing they all have in common is that the last two lines before the segfault are always
  nnn: checking for version `GLIBC_2.0' in file /lib/tls/libm.so.6 required by file
  nnn: checking for version `PNG12_0' in file /usr/lib/libpng12.so.0 required by file

For that matter, the following command prints a segfault message (apparently coming from a subprocess it forked):
  LD_DEBUG=versions ldd /usr/lib/libqt-mt.so.3.3.3
It is a typical bash message, i.e.
  /usr/bin/ldd: line 1: nnn Segmentation fault

> I think this bug report is not essentially related with the current
> glibc, so I close it.

I'm shocked. I cannot imagine why you would think that. If you want to say the bug is not reproducible on your system, PLEASE SAY THAT. Then we can discuss why not. Don't go chasing issues (like vi) that I told you were tangential.

Did you even *try* compiling libpng from the source tarball at libpng.org, to see if you could reproduce the symptoms? Would it help for me to make available my already-compiled copy, so you can ldd it yourself?

> John, if you plan to use versioned symbols, you possibly want to read
> Ulrich Drepper's nice document (try to use google).

I didn't plan on using versioned symbols. I didn't know I had a choice in the matter. I just installed my system using what I thought were obvious, innocuous choices using dselect, and what I got is whatever was in the debian packages.

Also, as I explained in my initial report, it seems to me turning on LD_DEBUG=versions should not cause a segfault _no matter what_ the input is. How can you think even for an instant that this is not essentially related with the current glibc?

-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#300119: libc6: LD_DEBUG=versions can lead to segmentation fault
On 03/20/05 02:18, GOTO Masanori wrote:

>> 2) As a tangential issue: Many programs (even ones like vi, for which
>> it doesn't make much sense) now issue the warning
>> /usr/lib/libpng12.so.0: no version information available (required by ...)
>> which is pretty weird; why does vi depend on libpng anyway? I note in
>> passing that the libpng makefile tries to set some version information
>> with -soname, and I don't understand why that isn't good enough but
>> that is *not* the bug I wish to emphasize at the moment.
>
> But your build may be broken.

That's why I mentioned it :-)

> ldd tells you which libraries will be used. Then check what
> /usr/lib/libqt-mt.so.3 is.

The output of the following commands
  :
  ldd -v /usr/lib/libpng12.so.0.1.2.8
  ldd -d /usr/lib/libpng12.so.0.1.2.8
  ldd -r /usr/lib/libpng12.so.0.1.2.8
  :
  ldd -v /usr/lib/libqt-mt.so.3.3.3
  ldd -d /usr/lib/libqt-mt.so.3.3.3
  ldd -r /usr/lib/libqt-mt.so.3.3.3
  :
  ldd -v /usr/bin/vi
  ldd -d /usr/bin/vi
  ldd -r /usr/bin/vi
  LD_DEBUG=versions ldd -v /usr/bin/vi
can be found at http://www.av8n.net/bugs/ldd.txt

(It's 825 lines long, so I was hesitant to include it in email ... but I will do that also, upon request.)

There is a segfault a few lines from the end, slightly hidden.

Let me know if there's anything else that might be of help.
Bug#300119: libc6: LD_DEBUG=versions can lead to segmentation fault
Package: libc6
Version: 2.3.2.ds1-20
Severity: normal

1) I compiled /usr/lib/libpng12.so.0 aka libpng12.so.0.1.2.8 from sources and installed it. Symptoms are the same using the Debian source package or the tarball from libpng.org.

2) As a tangential issue: Many programs (even ones like vi, for which it doesn't make much sense) now issue the warning
  /usr/lib/libpng12.so.0: no version information available (required by ...)
which is pretty weird; why does vi depend on libpng anyway? I note in passing that the libpng makefile tries to set some version information with -soname, and I don't understand why that isn't good enough but that is *not* the bug I wish to emphasize at the moment.

3) In the attempt to debug the tangential issue, I tried using LD_DEBUG=versions. What a disaster. Any program that previously issued a warning now segfaults. For example:

  LD_DEBUG=versions vi
  [snip]
  12633: checking for version `GLIBC_2.0' in file /lib/libgcc_s.so.1 required by file /usr/lib/libqt-mt.so.3
  12633: checking for version `PNG12_0' in file /usr/lib/libpng12.so.0 required by file /usr/lib/libqt-mt.so.3
  Segmentation fault

Bottom line: I don't know what (if anything) is wrong with libpng12 ... but no matter what, it shouldn't cause ld.so to segfault. Wild memory references often lead to sneaky security problems, not to mention the obvious loss of functionality.

And BTW, as a bonus, if somebody can explain what incantations are required to compile things with version information that works, that would be great.

Thanks!

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages libc6 depends on:
ii  libdb1-compat  2.1.3-7  The Berkeley database routines [gl

-- no debconf information