NetBSD-Users archive
Re: where to set/override entropy $random_file location?
Steve Rikli <sr%genyosha.net@localhost> writes:
> Followup question: is there any impact if /etc/security (cron daily),
> and /etc/rc.d/random_seed (during boot), and /boot.cfg (also during
> boot) use different $random_file location and contents?
Sure. If there is more than one file specified in those three places,
then you don't get what you think you are getting:
boot.cfg: A
rc.d: B
security: C
At shutdown, B is written.
At next boot, A is attempted to be loaded, but it's missing or the same
as last time.
Daily, C is saved, but nothing reads it.
So it's a mess, to use the technical term :-)
> That seems... untidy :-) to me, but aside from my personal opinion, I
> think at least the documented behavior and config file comments should
> be sorted out to reflect reality.
sure.
> It's worth noting that sysinst creates a working entropy config during
> initial install, as you'd hope. E.g. if / and /var/ are separate
> filesystems, sysinst creates /boot.cfg with these rndseeds:
>
> menu=Boot normally:rndseed /etc/entropy-file;boot
> menu=Boot single user:rndseed /etc/entropy-file;boot -s
>
> and /etc/rc.conf gets this setting:
>
> random_file=/etc/entropy-file
>
> this is functional and requires no manual changes, so that's good. But
> again it doesn't match security.conf(5) documentation or the
> /etc/defaults/{security,rc}.conf contents, and will result in a separate
> /var/db/entropy-file being created by /etc/security.
Which is harmless to create, but pointless as it is not read on boot.
>> I'd say:
>>
>> The location of the file should be defined in one place, and rc.conf
>> is the right place.
>
> I tend to agree. Given sysinst behavior, I'm inclined to suggest moving
> this line:
>
> random_file=/var/db/entropy-file
>
> from /etc/defaults/security.conf into /etc/defaults/rc.conf , and
> similarly moving the security.conf(5) entry for "random_file" into the
> rc.conf(5) man page. /etc/security would need updating in that case,
> to define the new method for determining $random_file location.
Agreed, except I think it should just call /etc/rc.d/random_seed.
I suspect given the lack of other cranky comments, we're in a "patches
welcome" state.
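An added consistency check for the three-location problem described in this thread (example script, not NetBSD's own code and not from either poster): it pulls the rndseed path(s) out of a boot.cfg, the random_file setting out of an rc.conf and a security.conf, and reports whether all three name the same file. It assumes each conf file carries the setting literally (it does not source /etc/defaults/*.conf), and the sample files it writes are constructed to match the sysinst layout quoted above.

```shell
#!/bin/sh
# Example check (not part of NetBSD): do /boot.cfg, rc.conf(5) and
# security.conf(5) agree on the entropy seed file?

# Print every distinct path passed to "rndseed" in a boot.cfg(5)-style file.
rndseed_paths() {
    sed -n 's/.*rndseed[[:space:]]*\([^;]*\);.*/\1/p' "$1" | sort -u
}

# Print the effective random_file= setting from a sh-style conf file:
# the last assignment wins, surrounding quotes are stripped, empty if unset.
random_file_setting() {
    sed -n 's/^[[:space:]]*random_file=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# check_entropy_config BOOT_CFG RC_CONF SECURITY_CONF
# Prints what each file names; returns 0 only when all three are set and
# identical (the seed written at shutdown is the one read at boot and the
# one refreshed daily), 1 otherwise.
check_entropy_config() {
    boot=$(rndseed_paths "$1")
    rc=$(random_file_setting "$2")
    sec=$(random_file_setting "$3")
    printf 'boot.cfg: %s\nrc.conf: %s\nsecurity.conf: %s\n' \
        "${boot:-<unset>}" "${rc:-<unset>}" "${sec:-<unset>}"
    # $boot may hold several lines if boot.cfg uses more than one path;
    # a multi-line value never equals the single rc.conf path.
    [ -n "$rc" ] && [ "$boot" = "$rc" ] && [ "$sec" = "$rc" ]
}

# Write constructed sample files into directory $1: the sysinst layout from
# the thread, where /etc/security still uses the security.conf default.
write_sample_configs() {
    cat > "$1/boot.cfg" <<'EOF'
menu=Boot normally:rndseed /etc/entropy-file;boot
menu=Boot single user:rndseed /etc/entropy-file;boot -s
EOF
    printf 'random_file=/etc/entropy-file\n' > "$1/rc.conf"
    printf 'random_file=/var/db/entropy-file\n' > "$1/security.conf"
}

# Usage: sh entropy-check.sh /boot.cfg /etc/rc.conf /etc/security.conf
if [ $# -eq 3 ]; then
    check_entropy_config "$1" "$2" "$3"
fi
```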