
Bug#941300: finish-install: write random seed to correct location for chosen init system



On Sat, Sep 28, 2019 at 05:20:47PM +0800, Paul Wise wrote:
>Package: finish-install
>Version: 2.56
>Severity: important
>Tags: security
>Control: found -1 2.81
>Control: found -1 2.100
>Control: found -1 2.101
>
>finish-install creates a random seed in the location used by the
>urandom init script from the initscripts package. On systemd based
>systems, systemd-random-seed.service overrides the urandom init script
>but uses a different location for its random seed file. Consequently on
>first boot of systemd based systems there is no random seed file so the
>amount of entropy available is lower.
>
>/var/lib/urandom/random-seed
>/var/lib/systemd/random-seed
>
>I think finish-install needs to fix this with one of these options:
>
>   1. Write the random seed to both locations. This means that when
>      switching init systems you get the old random seed.
>   2. Write two different random seeds to the two locations. This means
>      that when switching init systems you get a new random seed that
>      has never been used before, but which was generated during the
>      install.
>   3. Detect the chosen init system and write the random seed to the
>      location preferred by that init system. This means that when
>      switching init systems the first boot of the new init systems has no
>      random seed.
>
>I think probably the second scenario is the best since then there is
>always a random seed available even when switching init systems and
>that random seed is never reused.

Wouldn't it just be easier to write it one location and replace the
other with a symlink to it?

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
< sladen> I actually stayed in a hotel and arrived to find a post-it
          note stuck to the mini-bar saying "Paul: This fridge and
          fittings are the correct way around and do not need altering"
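The second option from the bug report (two independent seeds, one per location) is easy to get slightly wrong: the seed files must be created with restrictive permissions from the start, and the two files must actually differ. The POSIX shell functions below are an added example written for this page, not code from finish-install or initscripts; the target root parameter, the 512-byte seed size and the two paths are assumptions made for the example (an installer would point the root at its target filesystem).

```shell
#!/bin/sh
# Added example, not finish-install's own code: write two independent random
# seeds, one where the initscripts urandom script looks and one where
# systemd-random-seed.service looks, so whichever init system boots first
# has a seed and the other seed has never been consumed.
SEED_BYTES=512   # constructed size for this example; the real scripts size the file themselves

# write_seeds ROOT: ROOT is an assumed parameter (e.g. /target in an installer,
# or a scratch directory when testing), prefixed to both seed paths.
write_seeds() {
    root="$1"
    for dir in var/lib/urandom var/lib/systemd; do
        mkdir -p "$root/$dir"
        # umask 077 in a subshell so the file is never world-readable,
        # not even between creation and the chmod below.
        (umask 077 && dd if=/dev/urandom of="$root/$dir/random-seed" \
            bs="$SEED_BYTES" count=1 2>/dev/null)
        chmod 600 "$root/$dir/random-seed"
    done
}

# seeds_are_distinct ROOT: succeeds only if the two seed files differ,
# which is the property that makes option 2 safe when switching init systems.
seeds_are_distinct() {
    ! cmp -s "$root_unused$1/var/lib/urandom/random-seed" \
             "$1/var/lib/systemd/random-seed"
}
```

Run it as `write_seeds /some/target && seeds_are_distinct /some/target`; the check fails if the same bytes were ever written to both paths, which is what would happen if a future change took option 1 or replaced one file with a symlink.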

