Bug 1692435

Summary: Run rngd as unprivileged user
Product: Red Hat Enterprise Linux 8 Reporter: Steve Grubb <sgrubb>
Component: rng-toolsAssignee: Neil Horman <nhorman>
Status: CLOSED ERRATA QA Contact: Vilém Maršík <vmarsik>
Severity: medium Docs Contact: Tomas Capek <tcapek>
Priority: medium    
Version: 8.0CC: bhu, core-kernel-mgr, jreznik, lmanasko, mjahoda, nhorman, rvr, vmarsik
Target Milestone: betaKeywords: RFE
Target Release: 8.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
.`rngd` is now able to run with non-root privileges The random number generator daemon (`rngd`) checks whether data supplied by the source of randomness is sufficiently random and then stores the data in the kernel's random-number entropy pool. With this update, `rngd` is able to run with non-root user privileges to enhance system security.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-28 16:06:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1510124, 1671421, 1722609    

Description Steve Grubb 2019-03-25 15:32:49 UTC 
Description of problem:
The rngd service is currently running as root with full capabilities. If this daemon can be run in a less privileged way, this would help the security posture of the OS.

Steps to Reproduce:
1. pscap | grep rngd
2. observer "full" is given for capabilities.

Additional info:
Initial review suggests that CAP_SYS_ADMIN is all that is needed.
Comment 1 Neil Horman 2019-03-26 15:42:49 UTC 
currently this effort is blocked because rngd needs access to the random_wakeup_threshold sysctl value which is owned by root and is only writeable by the root user.
Comment 2 Neil Horman 2019-03-26 17:25:29 UTC 
changes ready to be merged here:
https://src.osci.redhat.com/rpms/rng-tools/pull-request/2
Comment 4 Vilém Maršík 2019-04-25 15:54:26 UTC 
ack.
Comment 7 Vilém Maršík 2019-07-19 20:51:49 UTC 
Hi Neil,
where should this be fixed? I cannot see it working in latest 8.1:
# pscap | grep rngd
1     1767  root        rngd              full

rng-tools-6.6-2.el8.x86_64
RHEL-8.1.0-20190718.n.2 BaseOS x86_64

Was the patch merged at all?
# grep CAP_SYS_ADMIN /usr/lib/systemd/system/rngd.service | wc -l
0
Comment 8 Neil Horman 2019-07-30 12:26:00 UTC 
yes, it was fixed in rng-tools-6.6-3.  why is rng-tools-6.6-2 still in the compose?
Comment 9 Vilém Maršík 2019-08-15 15:45:30 UTC 
Neil, latest 8.1.0 (RHEL-8.1.0-20190815.n.0 BaseOS x86_64) still only has rng-tools-6.6-2.el8.x86_64 . No newer version exists even in brewroot - see http://download.eng.brq.redhat.com/brewroot/packages/rng-tools/6.6/ . Are you sure you have built the patched version?
Comment 13 Vilém Maršík 2020-02-06 18:51:30 UTC 
Looks fixed:
[root@lenovo-sr650-01 ~]# pscap | grep rngd
1     1920  root        rngd              full
[root@lenovo-sr650-01 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.1 (Ootpa)

[root@intel-canoepass-03 ~]# pscap | grep rngd
1     1293  rngd        rngd              sys_admin
[root@intel-canoepass-03 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.2 Beta (Ootpa)
Comment 15 errata-xmlrpc 2020-04-28 16:06:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1762