Source-Changes archive
CVS commit: src
Module Name: src
Committed By: riastradh
Date: Sun Jan 10 23:24:26 UTC 2021
Modified Files:
src/distrib/sets/lists/etc: mi
src/distrib/sets/lists/man: mi
src/etc: security
src/etc/defaults: rc.conf security.conf
src/etc/rc.d: Makefile
src/share/man/man4: rnd.4
src/share/man/man5: rc.conf.5 security.conf.5
src/share/man/man7: Makefile security.7
src/share/man/man8: afterboot.8
Added Files:
src/etc/rc.d: entropy
src/share/man/man7: entropy.7
Log Message:
Various entropy integration improvements.

- New /etc/security check for entropy in daily security report.

- New /etc/rc.d/entropy script runs (after random_seed and rndctl) to
  check for entropy at boot -- in rc.conf, you can:

  . set `entropy=check' to halt multiuser boot and enter single-user
    mode if not enough entropy

  . set `entropy=wait' to make multiuser boot wait until enough entropy

  Default is to always boot without waiting -- and rely on other
  channels like security report to alert the operator if there's a
  problem.

- New man page entropy(7) discussing the higher-level concepts and
  system integration with cross-references.

- New paragraph in afterboot(8) about entropy citing entropy(7) for
  more details.

This change addresses many of the issues discussed in security/55659.

This is a first draft; happy to take improvements to the man pages and
scripted messages to improve clarity.

I considered changing motd to include an entropy warning with a
reference to the entropy(7) man page, but it's a little trickier:

- Not sure it's appropriate for all users to see at login rather than
  users who have power to affect the entropy estimate (maybe it is,
  just haven't decided).

- We only have a mechanism for changing once at boot; the message would
  remain until next boot even if an operator adds enough entropy.

- The mechanism isn't really conducive to making a message appear
  conditionally from boot to boot.

To generate a diff of this commit:
cvs rdiff -u -r1.263 -r1.264 src/distrib/sets/lists/etc/mi
cvs rdiff -u -r1.1712 -r1.1713 src/distrib/sets/lists/man/mi
cvs rdiff -u -r1.127 -r1.128 src/etc/security
cvs rdiff -u -r1.160 -r1.161 src/etc/defaults/rc.conf
cvs rdiff -u -r1.27 -r1.28 src/etc/defaults/security.conf
cvs rdiff -u -r1.109 -r1.110 src/etc/rc.d/Makefile
cvs rdiff -u -r0 -r1.1 src/etc/rc.d/entropy
cvs rdiff -u -r1.35 -r1.36 src/share/man/man4/rnd.4
cvs rdiff -u -r1.187 -r1.188 src/share/man/man5/rc.conf.5
cvs rdiff -u -r1.42 -r1.43 src/share/man/man5/security.conf.5
cvs rdiff -u -r1.35 -r1.36 src/share/man/man7/Makefile
cvs rdiff -u -r0 -r1.1 src/share/man/man7/entropy.7
cvs rdiff -u -r1.15 -r1.16 src/share/man/man7/security.7
cvs rdiff -u -r1.75 -r1.76 src/share/man/man8/afterboot.8
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.