Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp1992513imm; Tue, 22 May 2018 12:48:14 -0700 (PDT) X-Google-Smtp-Source: AB8JxZpBwjppeX6dEYTa3H1Yvwhlfmbevgdi2CyKUh3Lr4Ow4Zzgb/j1a8g0Xju4hCU5erAkHsvr X-Received: by 2002:a65:6151:: with SMTP id o17-v6mr20567495pgv.120.1527018494841; Tue, 22 May 2018 12:48:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527018494; cv=none; d=google.com; s=arc-20160816; b=JSv27QrYbOOTzwK8AL63EgyYbipshsG+egDsGlVtYxcxXDbm3oereNeDlmtVHyYP9I SaV8MPK/5pbkA/XBJE4MVExbTvwKeCE/FDaDf8CKJHiy5m16pLvOZaERtftVH3AKoBii wBmk6wx7O6QWnv/QfRTa0L5s+1rm1UPnXZqnfOCsAStlPMD4/XwdSmlZAmLvG4AgDZ1Q h9RnYhDf91yOuCRndiWH/XbFVOc9ndtOSHPU2kr5S6f80wXXTK1r/qVPm2h9s0x5wG+g hTer5/4ltOO3bcVU6C3XW3P8GE9WO7pTVpXyyrT0Kn82ZxaceApnSCvS1ycLEfNRhCPy rP9Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=2Gqpqbr8tZFpUbyfIy5OcXSK1GafjcmLB4tRy95CsYQ=; b=H8jEfiw9MVDe0iv6W3nUmJxc3SJiyyFprNKaQW0Y4akD0tV9C8wr1HQCvYL82xSyJ9 zGCcS7mhsdD6+C6mWs4BhNNMcvsCdPTj8SBSx5Vwxp+TlS8Yp0R+4NZPRJttHIbwC+oc j72iLsssvVupEa66oDt/bLjF7RFEjxxK0LnMkEfWO6lZzKkofni2oh1cWbWPKKOWGGA+ l/rqlofUIB6OwaST+k1LzaALfbMWW9czrQJxHsuxvqThxOeVERyWzotm8Kd370nsfyM4 S/B9+xc5wJy94pLNQvz7AQ8lNeeDdKiuxycesbf84TJR7s6EQPiGkMUAoqs4saAZO1pr PH2g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q137-v6si17634798pfc.68.2018.05.22.12.47.26; Tue, 22 May 2018 12:48:14 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752654AbeEVTrJ (ORCPT + 99 others); Tue, 22 May 2018 15:47:09 -0400 Received: from mail.stusta.mhn.de ([141.84.69.5]:37611 "EHLO mail.stusta.mhn.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752016AbeEVTrH (ORCPT ); Tue, 22 May 2018 15:47:07 -0400 Received: from [127.0.0.1] (localhost [127.0.0.1]) by mail.stusta.mhn.de (Postfix) with ESMTPSA id 40r5kw50NgzBK; Tue, 22 May 2018 21:47:04 +0200 (CEST) Date: Tue, 22 May 2018 22:47:02 +0300 From: Adrian Bunk To: Ben Hutchings Cc: Debian release team , Debian kernel maintainers , krb5@packages.debian.org, libbsd@packages.debian.org, systemd@packages.debian.org, Michael Kerrisk , Theodore Ts'o , linux-kernel@vger.kernel.org Subject: Re: Fixing Linux getrandom() in stable Message-ID: <20180522194702.GA2213@localhost> References: <75577b3d2efd01aaf563f1a1400a2c655556b258.camel@decadent.org.uk> <20180513204828.GI10643@localhost> <71fc1f9e921f2a755e79563903ddf676de128478.camel@decadent.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <71fc1f9e921f2a755e79563903ddf676de128478.camel@decadent.org.uk> User-Agent: Mutt/1.9.3 (2018-01-21) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, May 14, 2018 at 03:11:30AM +0100, Ben Hutchings wrote: > On Sun, 2018-05-13 at 23:48 +0300, Adrian Bunk wrote: >... > > Due to the gdm bugs mentioned above we know that there are real-life > > situations where gdm currently uses "random" data that might be > > predictable. > > > > grep tells me: > > daemon/gdm-x-session.c: auth_entry.data = gdm_generate_random_bytes (auth_entry.data_length, &error); > > daemon/gdm-display-access-file.c: *cookie = gdm_generate_random_bytes (GDM_DISPLAY_ACCESS_COOKIE_SIZE, > > > > Repeat the same for every package that uses /dev/urandom. > > This is certain undesirable, but it's exploitable only by local users. > (If you let the X server listen to the network, all authentication > cookies are sent in the clear so you've already lost. If you use ssh X > forwarding, it generates a new authentication cookie for use with the X > proxy on the remote machine.) It is possible that this specific case is not a problem. There was a certain "never use /dev/random, /dev/urandom is always good enough" push that started several years before getrandom() became available, and I'd bet someone will find exploitable cases due to that somewhere. The documented behaviour is that it is safe to use /dev/urandom except during "early boot", and this is not always true in practice. >... > > The proper way forward might be to deprecate /dev/urandom and add a > > third option GRND_UNSAFE_RANDOM to getrandom() that is documented to > > never block but might return predictable data in some cases. > > This doesn't solve anything for us. (It does help with the original > problem of device nodes possibly being absent from a minimal container > or chroot.) >... I am less worried about device nodes possibly being absent, and more worried about 3 different cases splintered over 2 completely different APIs. Ignoring any security implications, "workaround by switching from getrandom() to /dev/urandom" sounds wrong since you shouldn't be forced to a different API for that - getrandom() is what people should use, therefore it should offer all 3 options. > Ben. >... cu Adrian -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed