| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On Thursday 18 September 2003 01:36 am, Martin Bene wrote: |
| 5 |
- --SNIP-- |
| 6 |
|
| 7 |
> Currently I'm trying to understand these log entries: |
| 8 |
> |
| 9 |
> Sep 17 22:13:13 firewall kernel: |
| 10 |
> grsec: From 10.192.14.130: denied access to hidden file /dev/urandom |
| 11 |
> by |
| 12 |
> (gradm:27705) UID(0) EUID(0), parent (bash:17833) UID(0) EUID(0) |
| 13 |
|
| 14 |
The question to ask yourself is, "Why would this process need to get random |
| 15 |
numbers from /dev/urandom?" Same for sshd below (though the answer for it is |
| 16 |
probably a bit more obvious). |
| 17 |
|
| 18 |
> Sep 17 22:00:22 firewall kernel: |
| 19 |
> grsec: From 10.192.14.130: denied open of /dev/urandom for reading by |
| 20 |
> |
| 21 |
> (sshd:29575) UID(0) EUID(0), parent (sshd:25465) UID(0S |
| 22 |
> |
| 23 |
> Which I get when using the default acls from |
| 24 |
> grsecurity-base-policy-20030614; these specify (excerpt) |
| 25 |
> |
| 26 |
> / { |
| 27 |
> / |
| 28 |
> /dev |
| 29 |
> /dev/random r |
| 30 |
> /dev/urandom r |
| 31 |
> } |
| 32 |
> |
| 33 |
> Which I'd have expected to enable read access for /dev/urandom for all |
| 34 |
> processess. So where do these come from? |
| 35 |
|
| 36 |
I would expect the same from these lines. However, I would NEVER do this. |
| 37 |
You do not want all processes to have access to your limited pool of high |
| 38 |
grade random numbers (or any pool of random numbers). |
| 39 |
|
| 40 |
A very simple to mount attack vector against a system is to consume all of the |
| 41 |
entropy available by continuousely taking numbers from /dev/urandom. This |
| 42 |
attack has the effect of weakening all cryptographically secure |
| 43 |
communications, possibly to the point of making "random" items in crypto |
| 44 |
protocols/algorithms guessable. |
| 45 |
|
| 46 |
> Oh, well I guess this is going to take some more time :-) |
| 47 |
|
| 48 |
I hope this helps. Good luck. |
| 49 |
- -- |
| 50 |
Sincerely, |
| 51 |
Lamont R. Peterson <lrp@××××××××.com> |
| 52 |
-----BEGIN PGP SIGNATURE----- |
| 53 |
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux) |
| 54 |
|
| 55 |
iD8DBQE/absfg5LkF3+ZgzARAutAAJ9SRSIVCfykB4ejawErG9gclWgmeQCfRVR5 |
| 56 |
oRzva4lC6LJYHHtuTdqibzY= |
| 57 |
=1s/T |
| 58 |
-----END PGP SIGNATURE----- |
| 59 |
|
| 60 |
|
| 61 |
-- |
| 62 |
gentoo-hardened@g.o mailing list |
Archives