From: Xin Li
Organization: The FreeBSD Project
Date: Tue, 24 Dec 2013 14:53:25 -0800
To: Paul Hoffman, d@delphij.net
Cc: "freebsd-security@freebsd.org", FreeBSD Current
Reply-To: d@delphij.net
Subject: Re: [PATCH RFC] Disable save-entropy in jails
Message-ID: <52BA1065.6000403@delphij.net>
In-Reply-To: <278988C7-1749-413D-A5E2-ABE6753B3766@proper.com>
References: <52B9F232.1090002@delphij.net> <278988C7-1749-413D-A5E2-ABE6753B3766@proper.com>
List-Id: Discussions about the use of FreeBSD-current

On 12/24/13 14:36, Paul Hoffman wrote:
> On Dec 24, 2013, at 12:44 PM, Xin Li wrote:
>
>> I think we shouldn't save entropy inside jails, as the data is
>> not going to be used by rc script (pjd@126744). If there are no
>> objections, I will commit this changeset on January 1, 2014.
>
> Even if it is not used by an rc script, it might be used by some
> userland program (running as root, of course) that knows about the
> directory and wants some fresh entropy for its own use.

Why would a userland application want to use these? Would you mind
elaborating what kind of use that would be?

My understanding is that the saved entropy is used for bootstrapping
the system only: any applications that want good random numbers
should just use /dev/random because relying on something saved on disk
is the worst way for someone who wants more entropy.

> Is there a problem with saving the directory in jails? It
> certainly isn't taking up much space.

No, it's not about space. What I am concerned about is that it may have
wasted entropy: each time (every */11 minute) the system would get
2048 bytes out from /dev/random per jail. This deterministic behavior
may trigger reseeds earlier than wanted.

Cheers,
-- 
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die
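
Added example, not part of the original message and not the patch it discusses: one way a periodic entropy-saving job can skip its 2048-byte read when it runs inside a jail. It assumes FreeBSD's security.jail.jailed sysctl (1 inside a jail, 0 on the host); the variables ENTROPY_DIR, RANDOM_SRC and SYSCTL, the output file name and both function names are hypothetical.

```sh
#!/bin/sh
# Added example, not the project's save-entropy script.
# Assumption: "sysctl -n security.jail.jailed" prints 1 inside a jail, 0 on the host.
# ENTROPY_DIR, RANDOM_SRC, SYSCTL and the function names are hypothetical.

ENTROPY_DIR="${ENTROPY_DIR:-/var/db/entropy}"
RANDOM_SRC="${RANDOM_SRC:-/dev/random}"
SYSCTL="${SYSCTL:-sysctl}"
SAVE_BYTES=2048    # per-run read size quoted in the message

# Succeeds (status 0) only when the kernel reports that we are inside a jail.
# If the sysctl cannot be read, assume "host" so boot-time seeding keeps working.
in_jail() {
    jailed=$("$SYSCTL" -n security.jail.jailed 2>/dev/null) || return 1
    [ "$jailed" = "1" ]
}

# Save one file of entropy unless jailed; prints the action that was taken.
save_entropy_unless_jailed() {
    if in_jail; then
        # Nothing inside the jail consumes the saved file, so do not read at all.
        echo "skipped: jailed"
        return 0
    fi
    out="$ENTROPY_DIR/saved-entropy.1"
    # Subshell keeps the restrictive umask local; the file must not be world-readable.
    (
        umask 077
        mkdir -p "$ENTROPY_DIR" &&
        dd if="$RANDOM_SRC" of="$out" bs="$SAVE_BYTES" count=1 2>/dev/null
    ) || return 1
    echo "saved: $out"
}

# Run the job only when invoked as: sh thisfile run
if [ "${1:-}" = "run" ]; then
    save_entropy_unless_jailed
fi
```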