NetBSD-Bugs archive


Re: misc/59709: inconsistent entropy $random_file locations settings



The following reply was made to PR misc/59709; it has been noted by GNATS.

From: Steve Rikli <sr%genyosha.net@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: misc-bug-people%netbsd.org@localhost, gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost
Subject: Re: misc/59709: inconsistent entropy $random_file locations settings
Date: Fri, 24 Oct 2025 08:57:28 -0700

 PR misc/59709:
   location of the entropy random_file should be defined in one place, rc.conf
 
 changes:
 1. add missing random_file variable to /etc/defaults/rc.conf; sysinst already
    creates this setting in /etc/rc.conf but it is not documented
 
 2. add 'checkpoint' verb to /etc/rc.d/random_seed to distinguish from stop_cmd
 
 3. modify /etc/security to call /etc/rc.d/random_seed directly instead of
    running duplicate 'rndctl' code
 
 4. add new random_seed boolean to /etc/defaults/security.conf, remove
    now-unused random_file variable
 
 5. add random_file description to rc.conf(5)
 
 6. add random_seed description to security.conf(5), remove description for
    now-unused random_file
 
 Note that status quo behavior is unchanged: /etc/security still saves
 system entropy periodically by default when run by daily cron. This fix
 unifies the command and file location for those system entropy updates.
 
 ----
 Index: etc/security
 ===================================================================
 RCS file: /cvsroot/src/etc/security,v
 retrieving revision 1.132
 diff -u -r1.132 security
 --- etc/security	21 Jul 2024 14:56:16 -0000	1.132
 +++ etc/security	24 Oct 2025 15:42:39 -0000
 @@ -1062,11 +1062,10 @@
  	CHANGELIST="$CHANGEFILES $CHANGELIST"
  fi
  
 -# Save entropy to ${random_file} if defined, like
 -# /etc/rc.d/random_seed.
 +# Save entropy if enabled, using /etc/rc.d/random_seed.
  #
 -if [ -n "${random_file:-}" ]; then
 -	rndctl -S "$random_file"
 +if checkyesno random_seed; then
 +	/etc/rc.d/random_seed checkpoint
  fi
  
  # Special case backups, including the master password file and
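Review bot: The replacement call introduces a second, independent gate on the same variable name: /etc/rc.d/random_seed sets `rcvar=$name` (see the random_seed hunk), so rc.subr(8) will consult `random_seed` from /etc/rc.conf before running `checkpoint`, while `checkyesno random_seed` here reads the value from /etc/security.conf. The seed is therefore saved only when both settings are enabled, and a `random_seed=NO` in rc.conf turns this call into a silent no-op even with security.conf saying YES. Either document that in security.conf(5) or, if the /etc/security setting is meant to be authoritative, invoke the script with rc.subr's force prefix (`/etc/rc.d/random_seed forcecheckpoint`). As before, the exit status of the save is not checked; a `|| echo "random_seed checkpoint failed"` would at least surface a failure in the daily report.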
 Index: etc/defaults/rc.conf
 ===================================================================
 RCS file: /cvsroot/src/etc/defaults/rc.conf,v
 retrieving revision 1.167
 diff -u -r1.167 rc.conf
 --- etc/defaults/rc.conf	5 Oct 2023 08:19:27 -0000	1.167
 +++ etc/defaults/rc.conf	24 Oct 2025 15:42:39 -0000
 @@ -387,6 +387,7 @@
  # Entropy load/save to/from /dev/random at startup/shutdown
  #
  random_seed=YES
 +random_file=/var/db/entropy-file
  
  # Set to `check' to abort multi-user boot if not enough entropy, or
  # `wait' to wait until enough entropy, or `' (empty) to boot without
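Review bot: The default `/var/db/entropy-file` is now spelled out here and again as the fallback in `random_file="${random_file:-/var/db/entropy-file}"` in /etc/rc.d/random_seed; with rc.conf becoming the one documented location, the fallback in the script is fine as a safety net but the two must be kept in sync. The comment above (`# Entropy load/save to/from /dev/random at startup/shutdown`) should also say that `random_file` names the seed file, mirroring the new rc.conf(5) text, since this file is where most readers look for variable meanings.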
 Index: etc/defaults/security.conf
 ===================================================================
 RCS file: /cvsroot/src/etc/defaults/security.conf,v
 retrieving revision 1.28
 diff -u -r1.28 security.conf
 --- etc/defaults/security.conf	10 Jan 2021 23:24:25 -0000	1.28
 +++ etc/defaults/security.conf	24 Oct 2025 15:42:39 -0000
 @@ -48,4 +48,4 @@
  max_loginlen=16
  max_grouplen=16
  
 -random_file=/var/db/entropy-file
 +random_seed=YES
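Review bot: This silently re-enables the periodic save for administrators who turned it off the way security.conf(5) documented, by putting `random_file=` (empty) in /etc/security.conf: /etc/security no longer reads that variable, and `random_seed` now defaults to YES. Consider a transition path: have /etc/security honour an explicitly empty `random_file` from security.conf as "disabled" for a release, or emit a warning when the obsolete variable is set, and in any case mention the rename in UPDATING or postinstall(8) so that existing configurations migrate to `random_seed=NO`.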
 Index: etc/rc.d/random_seed
 ===================================================================
 RCS file: /cvsroot/src/etc/rc.d/random_seed,v
 retrieving revision 1.15
 diff -u -r1.15 random_seed
 --- etc/rc.d/random_seed	8 Sep 2020 12:52:18 -0000	1.15
 +++ etc/rc.d/random_seed	24 Oct 2025 15:42:39 -0000
 @@ -21,6 +21,8 @@
  rcvar=$name
  start_cmd="random_load"
  stop_cmd="random_save"
 +checkpoint_cmd="random_save"
 +extra_commands="checkpoint"
  
  random_file="${random_file:-/var/db/entropy-file}"
  
 Index: share/man/man5/rc.conf.5
 ===================================================================
 RCS file: /cvsroot/src/share/man/man5/rc.conf.5,v
 retrieving revision 1.194
 diff -u -r1.194 rc.conf.5
 --- share/man/man5/rc.conf.5	2 Oct 2024 15:56:37 -0000	1.194
 +++ share/man/man5/rc.conf.5	24 Oct 2025 15:42:51 -0000
 @@ -547,6 +547,12 @@
  .Xr quotacheck 8
  and
  .Xr quotaon 8 .
 +.It Sy random_file
 +Name of the entropy seed file used at boot.
 +Default is
 +.Pa /var/db/entropy-file
 +as used by
 +.Pa /etc/rc.d/random_seed .
  .It Sy random_seed
  Boolean value.
  During boot-up, runs the
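Review bot: "Name of the entropy seed file used at boot" understates what the file is for after this patch: it is loaded at boot, written at shutdown (`stop_cmd="random_save"`) and written again each time /etc/security runs the new `checkpoint` verb. Suggest "Name of the entropy seed file loaded at boot and saved at shutdown and by .Pa /etc/security", which also explains why the variable belongs in rc.conf rather than in security.conf.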
 Index: share/man/man5/security.conf.5
 ===================================================================
 RCS file: /cvsroot/src/share/man/man5/security.conf.5,v
 retrieving revision 1.44
 diff -u -r1.44 security.conf.5
 --- share/man/man5/security.conf.5	14 Nov 2024 19:57:41 -0000	1.44
 +++ share/man/man5/security.conf.5	24 Oct 2025 15:42:51 -0000
 @@ -165,6 +165,11 @@
  .It Sy check_pkg_signatures
  Checks the digital signature of all files installed by packages against
  the expected values stored in the packages database.
 +.It Sy random_seed
 +Save
 +.Xr entropy 7
 +seed file used at boot, by running 
 +.Pa /etc/rc.d/random_seed.
  .El
  .Pp
  The variables described below can be set to modify the tests:
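Review bot: Two mdoc nits in the added entry: the line `seed file used at boot, by running ` carries trailing whitespace, and `.Pa /etc/rc.d/random_seed.` makes the full stop part of the path argument; write `.Pa /etc/rc.d/random_seed .` as the rc.conf.5 hunk does so the period is rendered as punctuation. The sentence itself reads oddly ("Save entropy(7) seed file used at boot"); suggest "Boolean value. If enabled, saves the .Xr entropy 7 seed file by running .Pa /etc/rc.d/random_seed checkpoint", matching the "Boolean value." form used for random_seed in rc.conf(5).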
 @@ -285,17 +290,6 @@
  and
  .Sy check_changelist
  instead of just keeping a current copy and a backup copy.
 -.It Sy random_file
 -Name of the entropy seed file used at boot.
 -Default is
 -.Pa /var/db/entropy-file
 -as used by
 -.Pa /etc/rc.d/random_seed .
 -Set
 -.Sy random_file
 -to empty to disable saving a seed every time
 -.Pa /etc/security
 -runs.
  .El
  .Sh FILES
  .Bl -tag -width /etc/defaults/security.conf -compact
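Review bot: Dropping this entry also drops the only place security.conf(5) said where the seed file name comes from and how to turn the periodic save off. The new random_seed entry should point at `random_file` in rc.conf(5) for the file name and state that setting `random_seed=NO` in /etc/security.conf disables the save, since the removed advice ("set random_file to empty") no longer has any effect.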
 

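The patch changes how the periodic entropy save in /etc/security is switched off: before, an empty `random_file` in /etc/security.conf disabled it; after, the `random_seed` boolean does. The following added example is not part of the PR or of NetBSD's /etc/security. It models the two decision rules side by side, using a `checkyesno` that mirrors the yes/no parsing of rc.subr(8); the configuration files, the temporary directory and the function names `old_policy_saves` / `new_policy_saves` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not NetBSD code): models the decision /etc/security makes
# before and after PR misc/59709, to show what happens to a configuration
# that disabled the save the old way (random_file= empty).

# Mirror of rc.subr(8) checkyesno: yes/true/on/1 are true, anything else false.
checkyesno() {
	eval "_value=\${$1}"
	case "$_value" in
	[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1)   return 0 ;;
	[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|[Oo][Ff][Ff]|0) return 1 ;;
	*)                                           return 1 ;;
	esac
}

# Source the defaults file, then the administrator's override file if present,
# in the same order /etc/security reads /etc/defaults/security.conf and
# /etc/security.conf.  $1 = defaults file, $2 = override file (may be absent).
load_conf() {
	unset random_file random_seed
	. "$1"
	[ -f "$2" ] && . "$2"
	return 0
}

# Pre-patch rule: save whenever random_file is non-empty.
old_policy_saves() {
	load_conf "$1" "$2"
	[ -n "${random_file:-}" ]
}

# Post-patch rule: save when the random_seed boolean is enabled.
new_policy_saves() {
	load_conf "$1" "$2"
	checkyesno random_seed
}

# Demonstration on constructed stand-ins for the real configuration files.
demo() {
	tmp=$(mktemp -d)
	# Old and new /etc/defaults/security.conf, as in the patch.
	printf 'random_file=/var/db/entropy-file\n' > "$tmp/defaults.old"
	printf 'random_seed=YES\n'                  > "$tmp/defaults.new"
	# An administrator who disabled the save the way the old manual said.
	printf 'random_file=\n'                     > "$tmp/security.conf"

	if old_policy_saves "$tmp/defaults.old" "$tmp/security.conf"; then
		echo "old rule: saves entropy"
	else
		echo "old rule: save disabled"
	fi
	if new_policy_saves "$tmp/defaults.new" "$tmp/security.conf"; then
		echo "new rule: saves entropy (legacy random_file= is ignored)"
	else
		echo "new rule: save disabled"
	fi
	rm -rf "$tmp"
}

demo
```

The legacy override is honoured by the old rule and ignored by the new one, which is the migration gap the security.conf defaults hunk opens; a transition check in /etc/security that treats an explicitly empty `random_file` as "disabled" would close it.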
