-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 18 September 2003 01:36 am, Martin Bene wrote:
- --SNIP--

> Currently I'm trying to understand these log entries:
>
> Sep 17 22:13:13 firewall kernel:
> grsec: From 10.192.14.130: denied access to hidden file /dev/urandom
> by
> (gradm:27705) UID(0) EUID(0), parent (bash:17833) UID(0) EUID(0)

The question to ask yourself is, "Why would this process need to get random
numbers from /dev/urandom?" Same for sshd below (though the answer for it is
probably a bit more obvious).

> Sep 17 22:00:22 firewall kernel:
> grsec: From 10.192.14.130: denied open of /dev/urandom for reading by
>
> (sshd:29575) UID(0) EUID(0), parent (sshd:25465) UID(0S
>
> Which I get when using the default acls from
> grsecurity-base-policy-20030614; these specify (excerpt)
>
> / {
> /
> /dev
> /dev/random r
> /dev/urandom r
> }
>
> Which I'd have expected to enable read access for /dev/urandom for all
> processes. So where do these come from?

I would expect the same from these lines. However, I would NEVER do this.
You do not want all processes to have access to your limited pool of high-grade
random numbers (or any pool of random numbers).

A very simple-to-mount attack vector against a system is to consume all of the
entropy available by continuously taking numbers from /dev/urandom. This
attack has the effect of weakening all cryptographically secure
communications, possibly to the point of making "random" items in crypto
protocols/algorithms guessable.

> Oh, well I guess this is going to take some more time :-)

I hope this helps. Good luck.
- --
Sincerely,
Lamont R. Peterson <lrp@××××××××.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE/absfg5LkF3+ZgzARAutAAJ9SRSIVCfykB4ejawErG9gclWgmeQCfRVR5
oRzva4lC6LJYHHtuTdqibzY=
=1s/T
-----END PGP SIGNATURE-----


--
gentoo-hardened@g.o mailing list
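Added example (not part of Martin's or Lamont's mail, and not grsecurity's own
tooling): a small Python parser for grsec denial lines of the two shapes quoted
in the thread ("denied access to hidden file ... by" and "denied open of ... for
reading by"), plus an aggregation that counts which process keeps being denied on
which object, so an administrator working through a default policy can see at a
glance which subject/object pairs are noisy. The sample log lines are constructed
here, modelled on the quoted entries rejoined onto one line each; the field
layout the regular expression assumes is taken from those two lines only, and the
"From <addr>:" prefix is treated as optional because it is an assumption that
every denial line carries it.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample input, modelled on the two grsec messages quoted in the
# thread (each rejoined onto a single syslog line) plus one unrelated line.
SAMPLE_LOGS = [
    "Sep 17 22:13:13 firewall kernel: grsec: From 10.192.14.130: denied access "
    "to hidden file /dev/urandom by (gradm:27705) UID(0) EUID(0), "
    "parent (bash:17833) UID(0) EUID(0)",
    "Sep 17 22:00:22 firewall kernel: grsec: From 10.192.14.130: denied open of "
    "/dev/urandom for reading by (sshd:29575) UID(0) EUID(0), "
    "parent (sshd:25465) UID(0) EUID(0)",
    "Sep 17 22:00:23 firewall kernel: eth0: link up",
]


@dataclass(frozen=True)
class GrsecDenial:
    timestamp: str
    host: str
    source: Optional[str]  # address after "From", None when the prefix is absent
    kind: str              # "access to hidden file" or "open of"
    path: str              # the object (file) that was denied
    mode: Optional[str]    # "reading"/"writing"/... for "open of" denials only
    comm: str              # denied process name
    pid: int
    uid: int
    euid: int
    parent_comm: str
    parent_pid: int
    parent_uid: int
    parent_euid: int


# Field layout derived from the two quoted lines; the "From <addr>: " prefix and
# the " for <mode>" part are optional (assumption: not every denial carries them).
_GRSEC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: grsec: "
    r"(?:From (?P<src>[^:\s]+): )?"
    r"denied (?P<kind>access to hidden file|open of) (?P<path>\S+)"
    r"(?: for (?P<mode>\w+))? by "
    r"\((?P<comm>[^:)]+):(?P<pid>\d+)\) UID\((?P<uid>\d+)\) EUID\((?P<euid>\d+)\), "
    r"parent \((?P<pcomm>[^:)]+):(?P<ppid>\d+)\) "
    r"UID\((?P<puid>\d+)\) EUID\((?P<peuid>\d+)\)$"
)


def parse_grsec_line(line: str) -> Optional[GrsecDenial]:
    """Return a GrsecDenial for a recognised grsec denial line, else None."""
    m = _GRSEC_RE.match(line.strip())
    if m is None:
        return None
    return GrsecDenial(
        timestamp=m["ts"],
        host=m["host"],
        source=m["src"],
        kind=m["kind"],
        path=m["path"],
        mode=m["mode"],
        comm=m["comm"],
        pid=int(m["pid"]),
        uid=int(m["uid"]),
        euid=int(m["euid"]),
        parent_comm=m["pcomm"],
        parent_pid=int(m["ppid"]),
        parent_uid=int(m["puid"]),
        parent_euid=int(m["peuid"]),
    )


def summarize(lines: Iterable[str]) -> Counter:
    """Count denials per (process name, object path, denial kind).

    Lines that are not grsec denials are skipped, so the whole kernel log
    can be fed in unfiltered.
    """
    counts: Counter = Counter()
    for line in lines:
        d = parse_grsec_line(line)
        if d is not None:
            counts[(d.comm, d.path, d.kind)] += 1
    return counts


if __name__ == "__main__":
    for (comm, path, kind), n in sorted(summarize(SAMPLE_LOGS).items()):
        print(f"{n:4d}  {comm:<8} {kind:<22} {path}")
```

The parser keeps the two wordings apart on purpose: a "hidden file" denial and
a "denied open of ... for reading" denial are reported differently by grsec, and
a policy author chasing a missing "r" on an object wants to know which of the two
a given subject is hitting before touching the ACL.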