An app, pwsafe, complains that I don't have an environment variable RANDFILE, or a file ~/.rnd set. They are indeed not set. What can I do to fix that? I read https://wiki.archlinux.org/index.php/Ra … generation and dug through the forum but found no answer. I get the impression that these are normally set by default and I don't need to manually create this entropy file with /dev/random as the source of randomness.
Last edited by rwd (2020-09-05 17:04:49)
Offline
The relevant function the program uses should generate the ~/.rnd file. https://github.com/nsd20463/pwsafe/blob … e.cpp#L738 Looking for docs on that function leads to: https://www.openssl.org/docs/man1.0.2/m … _name.html
FWIW I get the same issue, and we did recently switch a lot of crypto stuff around; maybe it's buggy fallout from that. As a random guess, try rebuilding the openssl package.
Offline
> try rebuilding the openssl package.
I have rebuilt openssl from ABS and rebooted; the environment variable RANDFILE is still missing. I see a ~/.rnd, but I now doubt if it was there all along. It seems old:
```
[user1@arch-macbookpro ~]$ stat .rnd
File: .rnd
Size: 1024 Blocks: 8 IO Block: 4096 regular file
Device: fe00h/65024d Inode: 6299770 Links: 1
Access: (0600/-rw-------) Uid: ( 1000/ user1) Gid: ( 1000/ user1)
Access: 2013-10-16 22:49:06.593660190 +0200
Modify: 2018-09-21 09:24:03.493982436 +0200
Change: 2018-09-21 09:24:03.493982436 +0200
Birth: 2011-04-21 23:12:47.994216493 +0200
```
I put RANDFILE=~/.rnd in /etc/environment, typed 'source /etc/environment' and then ran pwsafe again, but it still complains 'WARNING: pwsafe unable to seed rng. Check $RANDFILE.'. How do I know if rng is configured right?
Last edited by rwd (2020-09-05 11:10:13)
Offline
test.c
```c
#include <limits.h>   /* PATH_MAX */
#include <stdio.h>
#include <openssl/rand.h>

int main(void)
{
    char rng_filename[PATH_MAX + 1];

    /* RAND_file_name() returns NULL when it cannot work out a seed file path */
    if (RAND_file_name(rng_filename, sizeof(rng_filename)))
    {
        fprintf(stdout, "RAND_file_name returned %s\n", rng_filename);
    }
    else
    {
        fprintf(stderr, "Unable to seed rng. Check $RANDFILE.\n");
    }
    return 0;
}
```
Build with
```
gcc test.c -lssl -lcrypto
```
Then check `./a.out`
Edit:
Also `printenv HOME`
Last edited by loqs (2020-09-05 11:59:47)
Offline
I get "RAND_file_name returned /home/user1/.rnd".
printenv HOME returns '/home/user1', my home folder. Permissions are 600 for the ~/.rnd so should be writable for pwsafe.
Last edited by rwd (2020-09-05 12:41:13)
Offline
The permissions or even the existence of the file are not relevant because the error message is from the call to generate the filename to open failing.
Yet the same call in the test program can not reproduce the issue.
How do you start pwsafe?
Offline
I get the error message when I run pwsafe in xfce4-terminal. And I get the same result if I start it from the login terminal, so before starting X.
By the way pwsafe not being able to create the .rnd file also causes another bug which I reported here yesterday and was fixed. There you can see the strace output. That doesn't fix the .rnd problem though.
Offline
https://github.com/nsd20463/pwsafe/comm … a143f76b61 fixed the error handling when RAND_file_name fails but no insight into why it fails.
https://github.com/openssl/openssl/blob … ile.c#L251
Is the environment variable RANDFILE still set?
Offline
I thought your test.c already showed that the RANDFILE environment variable exists. But even if I run it like this I get the same error:
$ RANDFILE=$HOME/.rnd pwsafe
Offline
```
$ printenv HOME
$ printenv RANDFILE
/home/testuser
$ /a.out
RAND_file_name returned /home/testuser/.rnd
# chown root:root a.out
# chmod 4755 a.out
$ ./a.out
Unable to seed rng. Check $RANDFILE.
```
secure_getenv will return NULL when executed through setuid, so $HOME and $RANDFILE are null, so RAND_file_name is guaranteed to fail when used in a setuid binary.
Last edited by loqs (2020-09-05 16:25:55)
Offline
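The behaviour described in the post above, as an added example that is not part of the original thread and is not OpenSSL's code: a simplified model of the seed-file lookup ($RANDFILE, else $HOME/.rnd) with the environment accessor passed in, so the normal case and the secure-execution case can be compared side by side. `seed_file_name`, `env_in_secure_mode` and `in_secure_execution` are hypothetical names; `secure_getenv` and `getauxval(AT_SECURE)` are the real libc calls.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>

/* Declared explicitly in case <stdlib.h> was included earlier without _GNU_SOURCE. */
char *secure_getenv(const char *name);

typedef char *(*env_lookup)(const char *name);

/* Hypothetical stand-in for what secure_getenv() does in secure-execution mode. */
char *env_in_secure_mode(const char *name) { (void)name; return NULL; }

/* Simplified model (an assumption, not OpenSSL source): $RANDFILE, else $HOME/.rnd.
 * Returns buf on success, NULL when no path can be built or it does not fit. */
const char *seed_file_name(char *buf, size_t size, env_lookup lookup)
{
    const char *s = lookup("RANDFILE");
    int n;

    if (s != NULL && *s != '\0') {
        n = snprintf(buf, size, "%s", s);
    } else {
        s = lookup("HOME");
        if (s == NULL || *s == '\0')
            return NULL;            /* the case that produces the pwsafe warning */
        n = snprintf(buf, size, "%s/.rnd", s);
    }
    return (n < 0 || (size_t)n >= size) ? NULL : buf;
}

/* Non-zero when the kernel flagged this process for secure execution. */
int in_secure_execution(void) { return getauxval(AT_SECURE) != 0; }

int main(void)
{
    char path[4096];
    const char *home = getenv("HOME");
    const char *p = seed_file_name(path, sizeof path, secure_getenv);

    /* Run once as-is, then after chown root + chmod 4755, and compare the lines. */
    printf("AT_SECURE=%d getenv(HOME)=%s seed file=%s\n", in_secure_execution(),
           home ? home : "(null)", p ? p : "(none)");
    return p == NULL;
}
```

Per secure_getenv(3), secure execution also applies when the executable carries file capabilities, not only when it is setuid or setgid, so the same lookup returns NULL in that case as well.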
> secure_getenv will return NULL when executed through setuid, so $HOME and $RANDFILE are null, so RAND_file_name is guaranteed to fail when used in a setuid binary.

Bingo:
```
#ls -al /bin/ | grep pwsafe
-rwsr-sr-x 1 root root 112584 Oct 30 2019 pwsafe
```
So pwsafe indeed has setuid permissions. I will check with the package maintainer.
Offline
You might also raise the issue with the developer; there is code for managing setuid but it does not handle this case.
Although it appears it only needs privileges for mlock, you can increase the memlock limit in limits.conf if needed.
Edit:
graysky could use the same approach as shadow [1] to use capabilities in preference to suid.
[1] https://github.com/archlinux/svntogit-p … ow.install
```sh
setcaps() {
  _setcap() {
    if filecap "$1" "$2"; then
      chmod -s "$1"
    fi
  }

  # pwsafe ships pwsafe as setuid, but if we can apply file caps, use those instead.
  # 'filecap' insists on absolute paths
  _setcap /usr/bin/pwsafe ipc_lock
}

post_install() {
  setcaps
}

post_upgrade() {
  setcaps
}
```
Or drop suid, do not use capabilities, and document that users may need to increase the memlock limit.
Last edited by loqs (2020-09-06 13:02:09)
Offline