Bugtraq mailing list archives
Re: Tempfile vulnerabilities
From: vonbrand () SLEIPNIR VALPARAISO CL (Horst von Brand)
Date: Wed, 9 Feb 2000 11:03:11 -0300
Seth David Schoen <schoen () LOYALTY ORG> said: [...]
> An intermediate possibility is to have multiple RNGs with multiple sources of entropy, or multiple RNGs with entropy divided among them somehow, or a single RNG which enforces a reasonable policy of some sort when multiple processes want to access it at once.

Linux has /dev/random (real random) and /dev/urandom (generated with help of a RNG if not enough entropy in /dev/random). Just shut off people from using /dev/random.

> Modern multiuser operating systems have solved all _kinds_ of problems around concurrency and dealing with contention over a shared resource. There is no reason that they should not be able to do exactly the same thing for an entropy pool, if it becomes an issue.

The problem here is not a shared resource, it is a finite resource. And solutions there (f.ex. disk space) are quotas or manual intervention. So you'd have a /etc/random.quotas file saying which UID is allowed to use how much entropy, and the kernel keeps track from there after being primed on boot. Yuck.
--
Horst von Brand vonbrand () sleipnir valparaiso cl
Casilla 9G, Viña del Mar, Chile +56 32 672616