[1517] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-alert] /dev/random and MAKEDEV-C-1.6

daemon@ATHENA.MIT.EDU (David Holland)
Fri Apr 25 07:13:10 1997

From: David Holland <dholland@hcs.harvard.edu>
To: linux-security@redhat.com
Date: Thu, 24 Apr 1997 11:36:30 -0400 (EDT)
Resent-From: linux-alert@redhat.com
Reply-To: linux-alert@redhat.com

[Note: this has already been sent to comp.os.linux.announce.]

-----BEGIN PGP SIGNED MESSAGE-----


It has come to my attention that the recent 1.6 release of MAKEDEV-C
inadvertently created /dev/random and /dev/urandom with the wrong
permissions.

/dev/random and /dev/urandom should look like this:

crw-r--r--   1 root     system     1,   8 Feb 21 14:42 /dev/random
crw-r--r--   1 root     system     1,   9 Feb 21 14:42 /dev/urandom

If they do not, please do "chmod 644 /dev/random /dev/urandom". 

 **** This has potentially serious security implications. 
 **** Unrestricted write access to /dev/random and /dev/urandom 
 **** makes them cryptographically worse than useless.


If you have MAKEDEV-C-1.6 installed please get MAKEDEV-C-1.6.1, which
has just been uploaded to Sunsite and should appear in
/pub/Linux/system/admin. It can also be gotten from
ftp://ftp.hcs.harvard.edu/pub/linux/makedev.

Alternatively apply the following patch. You do not need to recompile
the makedev binary itself, but you do need to update the installed
devinfo and makedev.cfg files.

If you don't have pgp and don't know how to fix a patch that pgp has
signed, you can get the patch from the hcs ftp site, although I did
not upload it to sunsite.

If you have questions or concerns, feel free to mail me.

   David A. Holland
   dholland@hcs.harvard.edu


diff -r -u -N makedev-1.6/README makedev-1.6.1/README
- --- makedev-1.6/README	Sat Feb  1 02:32:23 1997
+++ makedev-1.6.1/README	Thu Apr 24 10:04:19 1997
@@ -6,6 +6,11 @@
 /etc/devinfo. The config file is intended to be fairly human-readable,
 as well as machine-readable.
 
+New in release 1.6.1:
+
+Correct permissions on /dev/random and /dev/urandom. This has security
+implications.
+
 New in release 1.6:
 
 The configuration files have been updated to reflect kernel 2.x, and
diff -r -u -N makedev-1.6/devinfo makedev-1.6.1/devinfo
- --- makedev-1.6/devinfo	Sat Feb  1 02:22:15 1997
+++ makedev-1.6.1/devinfo	Thu Apr 24 09:59:11 1997
@@ -104,8 +104,8 @@
        	zero (public) : 5
 	core -> "/proc/kcore"
 	full (public) : 7
- -	random (public) : 8
- -	urandom (public) : 9
+	random (publicro) : 8
+	urandom (publicro) : 9
 }
 block (std, 1) {
 	initrd (disk) : 250
diff -r -u -N makedev-1.6/makedev.cfg makedev-1.6.1/makedev.cfg
- --- makedev-1.6/makedev.cfg	Sat Feb  1 02:23:58 1997
+++ makedev-1.6.1/makedev.cfg	Thu Apr 24 09:58:53 1997
@@ -4,6 +4,7 @@
 
 class default:	root	system	0640
 class public:	root	system	0666
+class publicro:	root	system	0644
 class system:   root	system	0660
 class kmem:	root	kmem	0640
 class tty:	root	tty	0620

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM198qTx1dyEHyT51AQHh3QP/ezmJbmkPI7FkhPY85hFWGkJwV9L9cb+9
ajoH+uxN21rlvkD509T4Rk+bS0QesUNjyUdIB6qtj2LQCsvQF1ZxlCu7uU3iFNHN
d1CAU4zb4jLEsJSD54yDNS3bcPPEt9xU4t/GWgNdk4WbbhokZBm6kllfpzRWENPK
yavCvcwXeJI=
=Qen2
-----END PGP SIGNATURE-----


home help back first fref pref prev next nref lref last post