random-seed - security issue?

[adrelanos]

random-seeds have probably not been though through yet?

Files such as...

• /var/lib/random-seed
• /var/lib/urandom/random-seed
• /var/lib/systemd/random-seed
• others?

Those should not be included in images for security reasons. Especially not if images are going to be redistributed.

Quote @intrigeri:

The urandom initscript makes it clear that the assumption for this file is that its content is "unique to this machine and not known to attackers"... which is not the case when we ship that file in our ISO images.

Questions:

1. Are any of such random seeds in images [or iso's] generated by grml-debootstrap?
2. What to do about those?

Resources:

• https://labs.riseup.net/code/issues/7642
• https://labs.riseup.net/code/issues/7675

[hartwork]

Googling a bit, for candidates I also find:

• /etc/ssh2/random_seed (legacy?)
• $HOME/.rnd (OpenSSL)

For non-seed uniqueness these also come to my mind:

• /etc/machine-id and /var/lib/dbus/machine-id (affects openstack-debian-images and official Debian OpenStack images, unfixed, see Debian bug #789960)

Running the same grml-debootstrap command twice and recursively comparing the resulting file system - I recommend Meld for that - should produce a list of actual troublemakers, if any.

[adrelanos]

https://systemd.io/RANDOM_SEEDS/