Description of problem:
The bash $RANDOM pseudo RNG is very weak and seeded with just PID and time.
It should at least use glibc's random() implementation which has better
properties. Or some other pseudo RNG with better cryptographic properties. Also
the default seed should be from /dev/urandom or at least using gettimeofday if
/dev/urandom is not available.
If you agree with the above I'll provide a patch.
All other shells properly seed the random number generator. I tested ksh, tcsh,
and zsh. They all have better random number generators than bash. This patch
should get into RHEL5/4 at some point.
Created attachment 151746 [details]
The patch uses glibc random number generator instead of the builtin and adds
support for seeding the rng from /dev/urandom.
Reviewed patch. Looks OK to me. Assuming this patch looks good to others, we
should clone the bug for RHEL5.1 & RHEL4.6.
Patch looks good to me.
Will you push it upstream Tim?
Hi...what's the status on this? rawhide does not appear to have a good random
number generator nor does FC6 or 7. Thanks.
Haven't had time to look at this yet. I've marked it as an F8 target.
Patch appears to work, test packages are here:
Tomas, I was looking over the patch after seeing AVC's for all kinds of
programs. I think we can improve the patch by doing a lazy init of RANDOM. This
will improve performance since now every shell script has to open /dev/urandom
and read from it , reduce the number of AVC's to the programs that really need
access to /dev/uranmdom, and help preserve the entropy by not using it when not
Created attachment 161886 [details]
This improved patch initializes the bash random number generator only on demand
- that is when you'll ask for $RANDOM.
The patch also fixes another bug in the bash rng code - the rng was not
reinitialized in deeper subshells so this command:
(echo $RANDOM ; (echo $RANDOM ; echo $RANDOM) ; (echo $RANDOM ; echo $RANDOM) ;
(echo $RANDOM ; echo $RANDOM))
returned values like:
although they all should be random values instead.
This patch tests good. We should apply this patch to bash and respin.
I built this on 2007-08-20 12:21:11 but we have not had a rawhide push in a few
days :-( you can find the pkg here until then:
Putting in MODIFIED I'll move to CLOSED RAWHIDE once we actually have a new push.
Looks good. Closing.
bash-3.2-19.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update bash'
bash-3.2-19.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.