You are not logged in.

#1 2020-09-04 17:08:43

rwd
Member
Registered: 2009-02-08
Posts: 664

[SOLVED] RANDFILE environment variable and ~/.rnd are not set.

An app, pwsafe complains that i don't have an environment variable RANDFILE, or a file ~/.rnd set.  They are indeed not set. What can I do to fix that?  I read https://wiki.archlinux.org/index.php/Ra … generation and digged trough the forum but found no answer. I get the impression  that these are normally set by default and I don't need to manually create this entropy file with  /dev/random as the source or randomness.

Last edited by rwd (2020-09-05 17:04:49)

Offline

#2 2020-09-04 18:31:56

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 21,431

Re: [SOLVED] RANDFILE environment variable and ~/.rnd are not set.

The relevant function the program uses should generate the ~/.rnd file. https://github.com/nsd20463/pwsafe/blob … e.cpp#L738 looking for docs on that function leads to: https://www.openssl.org/docs/man1.0.2/m … _name.html

FWIW I get the same issue, and we did recently switch a lot of crypto stuff around, maybe a buggy fallout from that, off of a random guess, try rebuilding the openssl package.

Offline

#3 2020-09-05 10:03:14

rwd
Member
Registered: 2009-02-08
Posts: 664

Re: [SOLVED] RANDFILE environment variable and ~/.rnd are not set.

V1del wrote:

try rebuilding the openssl package.

I have rebuilt openssl from abs, rebooted, Environment variable RANDFILE is still missing. I  see a ~/.rnd, but I now doubt if it was there all along. It seems old:

[user1@arch-macbookpro ~]$ stat .rnd
  File: .rnd
  Size: 1024      	Blocks: 8          IO Block: 4096   regular file
Device: fe00h/65024d	Inode: 6299770     Links: 1
Access: (0600/-rw-------)  Uid: ( 1000/   user1)   Gid: ( 1000/   user1)
Access: 2013-10-16 22:49:06.593660190 +0200
Modify: 2018-09-21 09:24:03.493982436 +0200
Change: 2018-09-21 09:24:03.493982436 +0200
 Birth: 2011-04-21 23:12:47.994216493 +0200

I put RANDFILE=~/.rnd in /etc/environment, typed ' source /etc/environment' and then ran pwsafe again, but still it complans 'WARNING: pwsafe unable to seed rng. Check $RANDFILE.' . How do I know if rng is configured right?

Last edited by rwd (2020-09-05 11:10:13)

Offline

#4 2020-09-05 11:58:36

loqs
Member
Registered: 2014-03-06
Posts: 17,199

Re: [SOLVED] RANDFILE environment variable and ~/.rnd are not set.

test.c

#include <stdio.h>
#include <openssl/rand.h>

int main ()
{
    char rng_filename[PATH_MAX+1];
    if (RAND_file_name(rng_filename,sizeof(rng_filename)))
    {
      fprintf(stdout, "RAND_file_name returned %s\n",rng_filename);
    }
    else
    {
      fprintf(stderr, "Unable to seed rng. Check $RANDFILE.\n");
    }
}

Build with

gcc test.c -lssl -lcrypto

Then check `./a.out`
Edit:
Also `printenv HOME`

Last edited by loqs (2020-09-05 11:59:47)

Offline

#5 2020-09-05 12:29:36

rwd
Member
Registered: 2009-02-08
Posts: 664

Re: [SOLVED] RANDFILE environment variable and ~/.rnd are not set.

I get "RAND_file_name returned /home/user1/.rnd" .

printenv HOME returns '/home/user1',  my home folder . Permissions are 600 for the ~/.rnd so should be writable for pwsafe.

Last edited by rwd (2020-09-05 12:41:13)

Offline

#6 2020-09-05 13:19:14

loqs
Member
Registered: 2014-03-06
Posts: 17,199

Re: [SOLVED] RANDFILE environment variable and ~/.rnd are not set.

The permissions or even the existence of the file are not relevant because the error message is from the call to generate the filename to open failing.
Yet the same call in the test program can not reproduce the issue.

How do you start pwsafe?

Offline

#7 2020-09-05 15:30:24

rwd
Member
Registered: 2009-02-08
Posts: 664

Re: [SOLVED] RANDFILE environment variable and ~/.rnd are not set.

I get the error message when i run pwsafe in xfce4-terminal . And get the same result if I start it from the login terminal, so  before starting x.

By the way pwsafe not being able to create the .rnd file also causes another bug which I reported here yesterday and was fixed. There you can see the strace output. That doesn't fix the .rnd problem though.

Offline

#8 2020-09-05 15:51:20

loqs
Member
Registered: 2014-03-06
Posts: 17,199

Re: [SOLVED] RANDFILE environment variable and ~/.rnd are not set.

https://github.com/nsd20463/pwsafe/comm … a143f76b61 fixed the error handling when RAND_file_name fails but no insight into why it fails.

https://github.com/openssl/openssl/blob … ile.c#L251

Is the environment variable RANDFILE still set?

Offline

#9 2020-09-05 16:07:10

rwd
Member
Registered: 2009-02-08
Posts: 664

Re: [SOLVED] RANDFILE environment variable and ~/.rnd are not set.

I thought your test.c already showed that the RANDFILE environment variable exists. But even if i run it like this I get the same error:

$ RANDFILE=$HOME/.rnd  pwsafe

Offline

#10 2020-09-05 16:25:18

loqs
Member
Registered: 2014-03-06
Posts: 17,199

Re: [SOLVED] RANDFILE environment variable and ~/.rnd are not set.

$ printenv HOME
$ printenv RANDFILE
/home/testuser
$ /a.out 
RAND_file_name returned /home/testuser/.rnd
# chown root:root a.out
# chmod 4755 a.out
$ ./a.out 
Unable to seed rng. Check $RANDFILE.

secure_getenv will return NULL when executed through setuid so $HOME and $RANDFILE are null so RAND_file_name is guaranteed to fail when used in an setuid binary.

Last edited by loqs (2020-09-05 16:25:55)

Offline

#11 2020-09-05 17:03:18

rwd
Member
Registered: 2009-02-08
Posts: 664

Re: [SOLVED] RANDFILE environment variable and ~/.rnd are not set.

loqs wrote:

secure_getenv will return NULL when executed through setuid so $HOME and $RANDFILE are null so RAND_file_name is guaranteed to fail when used in an setuid binary.

Bingo:

#ls -al /bin/ | grep pwsafe
-rwsr-sr-x 1 root  root     112584 Oct 30  2019 pwsafe

So pwsafe indeed has setuid permissions. I will check with the package maintainer.

Offline

#12 2020-09-05 17:32:52

loqs
Member
Registered: 2014-03-06
Posts: 17,199

Re: [SOLVED] RANDFILE environment variable and ~/.rnd are not set.

You might also raise the issue with the developer there is code for managing setuid but it does not handle this case.
Although it appears it only needs privileges for mlock,  you can increase the memlock limit in limits.conf if needed.
Edit:
graysky could use the approach same approach as shadow [1] to use capabilities in preference to suid.

[1] https://github.com/archlinux/svntogit-p … ow.install

setcaps() {
  _setcap() {
    if filecap "$1" "$2"; then
      chmod -s "$1"
    fi
  }

  # pwsafe ships pwsafe as setuid, but if we can apply file caps, use those instead.
  # 'filecap' insists on absolute paths
  _setcap /usr/bin/pwsafe ipc_lock
}

post_install() {
  setcaps
}

post_upgrade() {
  setcaps
}

Or drop suid and do not use capabilities and document users may need to increase the memlock limit.

Last edited by loqs (2020-09-06 13:02:09)

Offline

Board footer

Powered by FluxBB