[Piuparts-devel] Bug#750099: should piuparts ignore /root/.rnd ?

Holger Levsen holger at layer-acht.org
Sun Jun 1 15:25:07 UTC 2014


package: piuparts

Hi,

technically it's very easy to add /root/.rnd to self.ignored_files in
piuparts.py but it would be the first file in $HOME to ignore, so I'm a bit
reluctant. Further feedback appreciated.

piupartsm at pejacevic:/srv/piuparts.debian.org/master$ rgrep /root/.rnd */fail|grep "not owned" 
sid/fail/stone_2.3.e-2+b1.log:  /root/.rnd       not owned
sid/fail/telnetd-ssl_0.17.24+0.1-24.log:  /root/.rnd     not owned
sid/fail/ejabberd_2.1.11-1.log:  /root/.rnd      not owned
sid/fail/unbound_1.4.22-1.log:  /root/.rnd       not owned
sid/fail/courier-ssl_0.73.1-1.1.log:  /root/.rnd         not owned
sid/fail/dovecot-core_1:2.2.13-1.log:  /root/.rnd        not owned
sid/fail/quassel-core_0.10.0-1.log:  /root/.rnd  not owned
sid/fail/freeradius_2.1.12+dfsg-1.3.log:  /root/.rnd     not owned
sid/fail/nuauth_2.4.3-3.log:  /root/.rnd         not owned
sid/fail/epoptes_0.5.7-1.log:  /root/.rnd        not owned
sid/fail/dkimproxy_1.4.1-3.log:  /root/.rnd      not owned
sid/fail/openvswitch-pki_2.1.0+git20140411-2.log:  /root/.rnd    not owned
sid/fail/xmail_1.27-1.2.log:  /root/.rnd         not owned

<      h01ger> | leaving files in /root/.rnd is clearly wrong, isn't it?
<      h01ger> | after purge i mean
<      h01ger> | piupartsm at pejacevic:/srv/piuparts.debian.org/master$ rgrep /root/.rnd */fail|grep "not owned" |wc -l
<      h01ger> | 13
<      h01ger> | i could also make piuparts ignore /root/.rnd but that feels more wrong
             * | h01ger is happy piuparts is starting to find nit-picking issues as this means the really bad stuff is gone 
< Myon> what's .rnd anyway? 
< Myon> which packages are that?
< olasd> /root/.rnd looks like the PRNG thing openssl leaves around
< Myon> google says that too
<      h01ger> | these packages: http://paste.debian.net/102680/
< Myon> I'd say it's ok to leave that behind, but the real bug is that packages shouldn't write to $HOME at install time
< olasd> looks like things that generate a snakeoil certificate
< Myon> my thought was there should be code like "if (root) {write to /var/cache/rnd}" in openssl 
< olasd> I'm not sure what the point of that file is on a modern linux system anyway
< olasd> but that's another issue
<      h01ger> | Q_: ^ 
< Q_> olasd: That is an important file, even on whatever you think a modern linux system is.
< Q_> And I really see no good other place other than $HOME to write that.
<      h01ger> | then i think piuparts should ignore it
<      h01ger> | Q_: what's wrong with /var/cache/rnd? (or any path in var?) and why keep it and not delete+recreate it?
<         Q_> | h01ger: In which case should it use that dir?  When uid=0?  euid=0? 
<      h01ger> | Q_: then /var/cache/rnd/root maybe? though i have to admit i don't get why it's useful to keep this file around.
<         Q_> | h01ger: For the same reason you have a /var/lib/urandom/random-seed file.
< Q_> But you really don't want other people to have access to it.  If you suggest /var/cache/rnd/$user, that sounds like an attack waiting to happen.
<      h01ger> | but that random-seed seems to be application bound, not user bound, or?
< Q_> No, it's user bound.
< Q_> Or you mean /var/lib/urandom/random-seed?  That's kernel bound. :P
<      h01ger> | it just feels so wrong to (let piuparts) ignore stuff in $HOME. it would be the first+only file of that type


cheers,
	Holger