[Piuparts-devel] Bug#750099: should piuparts ignore /root/.rnd ?
Holger Levsen
holger at layer-acht.org
Sun Jun 1 15:25:07 UTC 2014
package: piuparts
Hi,
technically it's very easy to add /root/.rnd to self.ignored_files in
piuparts.py but it would be the first file in $HOME to ignore, so I'm a bit
reluctant. Further feedback appreciated.
piupartsm at pejacevic:/srv/piuparts.debian.org/master$ rgrep /root/.rnd */fail|grep "not owned"
sid/fail/stone_2.3.e-2+b1.log: /root/.rnd not owned
sid/fail/telnetd-ssl_0.17.24+0.1-24.log: /root/.rnd not owned
sid/fail/ejabberd_2.1.11-1.log: /root/.rnd not owned
sid/fail/unbound_1.4.22-1.log: /root/.rnd not owned
sid/fail/courier-ssl_0.73.1-1.1.log: /root/.rnd not owned
sid/fail/dovecot-core_1:2.2.13-1.log: /root/.rnd not owned
sid/fail/quassel-core_0.10.0-1.log: /root/.rnd not owned
sid/fail/freeradius_2.1.12+dfsg-1.3.log: /root/.rnd not owned
sid/fail/nuauth_2.4.3-3.log: /root/.rnd not owned
sid/fail/epoptes_0.5.7-1.log: /root/.rnd not owned
sid/fail/dkimproxy_1.4.1-3.log: /root/.rnd not owned
sid/fail/openvswitch-pki_2.1.0+git20140411-2.log: /root/.rnd not owned
sid/fail/xmail_1.27-1.2.log: /root/.rnd not owned
< h01ger> | leaving files in /root/.rnd is clearly wrong, isnt it?
< h01ger> | after purge i mean
< h01ger> | piupartsm at pejacevic:/srv/piuparts.debian.org/master$ rgrep /root/.rnd */fail|grep "not owned" |wc -l
< h01ger> | 13
< h01ger> | i could also make piuparts ignore /root/.rnd but that feels more wrong
* | h01ger is happy piuparts is starting to find nit-picking issues as this means the really bad stuff is gone
< Myon> what's .rnd anyway?
< Myon> which packages are that?
< olasd> /root/.rnd looks like the PRNG thing openssl leaves around
< Myon> google says that too
< h01ger> | these packages: http://paste.debian.net/102680/
< Myon> I'd say it's ok to leave that behind, but the real bug is that packages shouldn't write to $HOME at install time
< olasd> looks like things that generate a snakeoil certificate
< Myon> my thought was there should be code like "if (root) {write to /var/cache/rnd}" in openssl
< olasd> I'm not sure what the point of that file is on a modern linux system anyway
< olasd> but that's another issue
< h01ger> | Q_: ^
< Q_> olasd: That is an important file, even on whatever you think a modern linux system is.
< Q_> And I really see no good other place other than $HOME to write that.
< h01ger> | then i think piuparts should ignore it
< h01ger> | Q_: whats wrong with /var/cache/rnd? (or any path in var?) and why keep it and not delete+recreate it?
< Q_> | h01ger: In which case should it use that dir? When uid=0? euid=0?
< h01ger> | Q_: then /var/cache/rnd/root maybe? though i have to admit i dont get why its useful to keep this file around.
< Q_> | h01ger: For the same reason you have a /var/lib/urandom/random-seed file.
< Q_> But you really don't want other people to have access to it. If you suggest /var/cache/rnd/$user, that sounds like an attack
waiting to happen.
< h01ger> | but that random-seed seems to be application bound, not user bound, or?
< Q_> No, it's user bound.
< Q_> Or you mean /var/lib/urandom/random-seed? That's kernel bound. :P
< h01ger> | it just feels so wrong to (let piuparts) ignore stuff in $HOME. it would be the first+only file of that type
cheers,
Holger
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 828 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/piuparts-devel/attachments/20140601/71430e3c/attachment.sig>
More information about the Piuparts-devel
mailing list