summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorJoey Hess2016-07-29 10:52:40 -0400
committerJoey Hess2016-07-29 10:52:40 -0400
commit7a188d4dec345dcb45d9e5193eba6da098491fc2 (patch)
treeca569c206eb018a89a0c78cad68874c127de6ee9 /src
parent808f33fd2418ed9a64f20846cf7301c16ffe8b84 (diff)
parente6940f49e248ff57f4baf60ba72a03c09c82d5e0 (diff)
Merge remote-tracking branch 'spwhitton/robust-rngd' into joeyconfig
Diffstat (limited to 'src')
-rw-r--r--src/Propellor/Property/Sbuild.hs24
1 files changed, 23 insertions, 1 deletions
diff --git a/src/Propellor/Property/Sbuild.hs b/src/Propellor/Property/Sbuild.hs
index 5d58a84a..7a27473c 100644
--- a/src/Propellor/Property/Sbuild.hs
+++ b/src/Propellor/Property/Sbuild.hs
@@ -358,6 +358,12 @@ secKeyFile = "/var/lib/sbuild/apt-keys/sbuild-key.sec"
-- | Generate the apt keys needed by sbuild using a low-quality source of
-- randomness
--
+-- Note that any running rngd will be killed; if you are using rngd, you should
+-- arrange for it to be restarted after this property has been ensured. E.g.
+--
+-- > & Sbuild.keypairInsecurelyGenerated
+-- > `onChange` Systemd.started "my-rngd-service"
+--
-- Useful on throwaway build VMs.
keypairInsecurelyGenerated :: Property DebianLike
keypairInsecurelyGenerated = check (not <$> doesFileExist secKeyFile) go
@@ -365,8 +371,24 @@ keypairInsecurelyGenerated = check (not <$> doesFileExist secKeyFile) go
go :: Property DebianLike
go = combineProperties "sbuild keyring insecurely generated" $ props
& Apt.installed ["rng-tools"]
- & cmdProperty "rngd" ["-r", "/dev/urandom"] `assume` MadeChange
+ -- If this dir does not exist the sbuild key generation command
+ -- will fail; the user might have deleted it to work around
+ -- #831462
+ & File.dirExists "/var/lib/sbuild/apt-keys"
+ -- If there is already an rngd process running we have to kill
+ -- it, as it might not be feeding to /dev/urandom. We can't
+ -- kill by pid file because that is not guaranteed to be the
+ -- default (/var/run/rngd.pid), so we killall
+ & userScriptProperty (User "root")
+ [ "start-stop-daemon -q -K -R 10 -o -n rngd"
+ , "rngd -r /dev/urandom"
+ ]
+ `assume` MadeChange
& keypairGenerated
+ -- Kill off the rngd process we spawned
+ & userScriptProperty (User "root")
+ ["kill $(cat /var/run/rngd.pid)"]
+ `assume` MadeChange
-- another script from wiki.d.o/sbuild
ccachePrepared :: Property DebianLike