GNU bug report logs - #29773
urandom-seed-service should run earlier in the boot process


Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Tue, 19 Dec 2017 19:15:01 UTC

Severity: normal

Tags: security

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.



Message #11 received at 29773 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 29773 <at> debbugs.gnu.org
Subject: Re: bug#29773: urandom-seed-service should run earlier in the boot process
Date: Wed, 20 Dec 2017 11:19:36 +0100
Hello,

Leo Famulari <leo <at> famulari.name> writes:

> In some cases, the applications require some random data before any
> services are started, during activation. For example, our OpenSSH
> service generates its host keys during activation. And even if it
> generated host keys during the start of the OpenSSH service, that
> service does not depend on urandom-seed-service. [0]
>
> In systemd, there is an abstract sysinit "target" that basically serves
> as a checkpoint. All the lower-level system initialization is required
> before the sysinit.target is met, and the rest of the services depend on
> sysinit. The random seeding is part of sysinit. I've reproduced a graph
> of this in [1].

There’s a ‘user-processes’ service that serves a similar purpose.

With the attached patches ‘urandom-seed’ becomes a dependency of
‘user-processes’, meaning that daemons & co. start after
‘urandom-seed’.

WDYT?

> In practice, I'm not sure if it matters. I'd appreciate if GuixSD users
> could check /var/log/messages for warnings like this one and report
> them:
>
> random: application: uninitialized urandom read (16 bytes read) 

I don’t have any of these.  I guess this is most likely to happen when
running ‘ssh-keygen’ on startup, which isn’t the case on my machine.

Ludo’.

[0002-services-urandom-seed-Become-a-dependency-of-user-pr.patch (text/x-patch, attachment)]
[0001-services-user-processes-service-type-can-now-be-exte.patch (text/x-patch, attachment)]
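The check Leo asks for above is a search of /var/log/messages for the kernel's "uninitialized urandom read" warning, and the ordering question Ludo's patches address is whether any daemon started before the pool was seeded. The script below is an added example, not part of the bug report or of Guix: it scans a syslog-style file for both, using constructed sample lines modelled on the warning quoted in the report (the host name, timestamps, the "ssh-keygen" reader and the shepherd "Service ... has been started." lines are all assumed for the example).

```shell
#!/bin/sh
# Added example (not from the bug report or the Guix tree): detect early
# urandom reads and services that started before the kernel's CRNG was seeded.

# Constructed sample log lines; the "random: application: uninitialized urandom
# read" form is the one quoted in the report, the rest is assumed.
SAMPLE_LOG='Dec 19 13:00:01 guix kernel: random: ssh-keygen: uninitialized urandom read (32 bytes read)
Dec 19 13:00:02 guix shepherd[1]: Service ssh-daemon has been started.
Dec 19 13:00:03 guix kernel: random: application: uninitialized urandom read (16 bytes read)
Dec 19 13:00:09 guix kernel: random: crng init done
Dec 19 13:00:10 guix shepherd[1]: Service nscd has been started.'

# Write the constructed sample to a temporary file and print its path.
write_sample_log() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    printf '%s\n' "$f"
}

# Print "<process> <bytes>" for every read of /dev/urandom that the kernel
# logged before its pool was initialised.
early_urandom_reads() {
    sed -n 's/^.*random: \([^:]*\): uninitialized urandom read (\([0-9][0-9]*\) bytes read).*$/\1 \2/p' "$1"
}

# Number of such warnings in the file (0 if none).
count_early_urandom_reads() {
    early_urandom_reads "$1" | wc -l | tr -d ' '
}

# Print the name of every shepherd service whose "has been started" line
# appears before the kernel's "crng init done" line, i.e. services that may
# have drawn randomness from an unseeded pool.
services_started_before_crng_init() {
    awk '/random: crng init done/ { exit }
         match($0, /Service [^ ]+ has been started/) {
             split(substr($0, RSTART, RLENGTH), w, " "); print w[2] }' "$1"
}

# Human-readable report for one log file; exit status 1 if anything was found.
report_early_randomness() {
    n=$(count_early_urandom_reads "$1")
    echo "uninitialized urandom reads in $1: $n"
    early_urandom_reads "$1" | while read -r proc bytes; do
        echo "  $proc read $bytes bytes before the pool was seeded"
    done
    echo "services started before 'crng init done':"
    services_started_before_crng_init "$1" | sed 's/^/  /'
    [ "$n" -eq 0 ]
}

# Demo on the constructed sample when run directly; pass a real path
# (e.g. /var/log/messages) as the first argument to scan a live system.
log=${1:-$(write_sample_log)}
report_early_randomness "$log" || true
```

An empty result is not proof that nothing read urandom early: the warning is rate-limited, and later kernels print it only once per boot unless CONFIG_WARN_ALL_UNSEEDED_RANDOM is enabled, so the "services started before crng init done" list is the more reliable of the two signals on a real log.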




GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.