Bug 1692435 - Run rngd as unprivileged user
Summary: Run rngd as unprivileged user
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: rng-tools
Version: 8.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: beta
: 8.1
Assignee: Neil Horman
QA Contact: Vilém Maršík
Tomas Capek
URL:
Whiteboard:
Depends On:
Blocks: 1510124 1671421 1722609
TreeView+ depends on / blocked
 
Reported: 2019-03-25 15:32 UTC by Steve Grubb
Modified: 2020-04-28 16:08 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
.`rngd` is now able to run with non-root privileges The random number generator daemon (`rngd`) checks whether data supplied by the source of randomness is sufficiently random and then stores the data in the kernel's random-number entropy pool. With this update, `rngd` is able to run with non-root user privileges to enhance system security.
Clone Of:
Environment:
Last Closed: 2020-04-28 16:06:42 UTC
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:1762 None None None 2020-04-28 16:08:14 UTC

Description Steve Grubb 2019-03-25 15:32:49 UTC
Description of problem:
The rngd service is currently running as root with full capabilities. If this daemon can be run in a less privileged way, this would help the security posture of the OS.

Steps to Reproduce:
1. pscap | grep rngd
2. observer "full" is given for capabilities.

Additional info:
Initial review suggests that CAP_SYS_ADMIN is all that is needed.

Comment 1 Neil Horman 2019-03-26 15:42:49 UTC
currently this effort is blocked because rngd needs access to the random_wakeup_threshold sysctl value which is owned by root and is only writeable by the root user.

Comment 2 Neil Horman 2019-03-26 17:25:29 UTC
changes ready to be merged here:
https://src.osci.redhat.com/rpms/rng-tools/pull-request/2

Comment 4 Vilém Maršík 2019-04-25 15:54:26 UTC
ack.

Comment 7 Vilém Maršík 2019-07-19 20:51:49 UTC
Hi Neil,
where should this be fixed? I cannot see it working in latest 8.1:
# pscap | grep rngd
1     1767  root        rngd              full

rng-tools-6.6-2.el8.x86_64
RHEL-8.1.0-20190718.n.2 BaseOS x86_64

Was the patch merged at all?
# grep CAP_SYS_ADMIN /usr/lib/systemd/system/rngd.service | wc -l
0

Comment 8 Neil Horman 2019-07-30 12:26:00 UTC
yes, it was fixed in rng-tools-6.6-3.  why is rng-tools-6.6-2 still in the compose?

Comment 9 Vilém Maršík 2019-08-15 15:45:30 UTC
Neil, latest 8.1.0 (RHEL-8.1.0-20190815.n.0 BaseOS x86_64) still only has rng-tools-6.6-2.el8.x86_64 . No newer version exists even in brewroot - see http://download.eng.brq.redhat.com/brewroot/packages/rng-tools/6.6/ . Are you sure you have built the patched version?

Comment 13 Vilém Maršík 2020-02-06 18:51:30 UTC
Looks fixed:
[root@lenovo-sr650-01 ~]# pscap | grep rngd
1     1920  root        rngd              full
[root@lenovo-sr650-01 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.1 (Ootpa)

[root@intel-canoepass-03 ~]# pscap | grep rngd
1     1293  rngd        rngd              sys_admin
[root@intel-canoepass-03 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.2 Beta (Ootpa)

Comment 15 errata-xmlrpc 2020-04-28 16:06:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1762


Note You need to log in before you can comment on or make changes to this bug.