Commit 94b84a20b3bbd84d8ddc97833bfa4dc425a80ceb

Authored by Georg Hopp
1 parent b0c73a71

update README.md

Showing 2 changed files with 87 additions and 6 deletions
1 # mod-entropy 1 # mod-entropy
2 2
3 -## abstract  
4 -  
5 Apache module to generate entropy. 3 Apache module to generate entropy.
6 4
7 -## requires 5 +## Synopsis
  6 +
  7 +Add the following lines to your apache config file.
  8 +
  9 + LoadModule entropy_module modules/mod_entropy.so
  10 + SetInputFilter ENTROPY
  11 +
  12 +## Description
  13 +
  14 +This is an apache module the creates random values from incoming requests. It
  15 +will only work on systems that have the RNDADDENTROPY ioctl, i only know of
  16 +linux.
  17 +
  18 +If you use encryption on your pages either for ssl, by using mcrypt for stuff
  19 +or ssh, gpg, etc. you will use the systems random source. This is filled up by
  20 +the kernel via some irq and user interaction. So it fills quite slowly and it
  21 +is limited. And it fills even slower on a server where no Keyboard Interrupts
  22 +or such will happen most of the time.
  23 +
  24 +This problem is addressed by the existence of /dev/urandom which does some
  25 +magic, so that the request for random numbers will never block. But the
  26 +quality of these random numbers is a matter of discussion right now.
  27 +
  28 +So i came up with the idea that user interachtion on a webserver (request)
  29 +related to time are also entropic in nature and decided to build an apache
  30 +module to fill the kernel random pool by that way. This should increase the
  31 +quality as well as the responsiveness of encryption.
  32 +
  33 +Actually i must confess that i have no really clue what a random number makes
  34 +it cryptographically "good" and i would be happy to get some feedback on this.
  35 +
  36 +## Requirements
  37 +
  38 +### Add **cap_sys_admin** to apache.
  39 +
  40 +You need libcap being installed on your system to do this.
  41 +Assuming your apache binary is /usr/sbin/apache2 do the following as root:
  42 +
  43 + setcap cap_net_bind_service,cap_sys_admin=ep /usr/sbin/apache2
  44 +
  45 +And then make sure apache is started by the user configured in http.conf.
  46 +This should prevent right drop while changing the effective user id.
  47 +If apache2 does not start it most likely is related to some access rights.
  48 +Just have a look in the error log as mentioned in this.
  49 +
  50 +**ATTENTION: This module adds data to the kernel random number pool. To do
  51 +this the apache process needs CAP_SYS_ADMIN. Without any role based access
  52 +control this is true only for the root user.
  53 +
  54 +An alternative is to assign CAP_SYS_ADMIN to the apache process. This still
  55 +seems not to be the ideal solution as this would give the apache process
  56 +access to several system internals like de-/activation of swap devices
  57 +mount/unmount, etc. Anyway, this is the best i could figure out.
  58 +
  59 +It would be a good to have a special capabilty just for random pool
  60 +administration but actually i have no clue if and how this might be possible.
  61 +Anyway this still might lead to problems with the security of your encryption
  62 +as an attacker might be able to add own random values to the random pool which
  63 +in turn might compromize your encryption.
  64 +
  65 +Actually i have no good solution for this...maybe it is not a good idea at all
  66 +to generate random numbers this way, i would be lucky to get feedback on this
  67 +issue.**
  68 +
  69 +## Dependencies
  70 +
  71 + * Apache 2
  72 +
  73 +## Contributing
  74 +
  75 +Just write me an email.
  76 +
  77 +## License
8 78
9 -Apache 79 + This program is free software: you can redistribute it and/or modify
  80 + it under the terms of the GNU General Public License as published by
  81 + the Free Software Foundation, either version 3 of the License, or
  82 + (at your option) any later version.
  83 +
  84 + This program is distributed in the hope that it will be useful,
  85 + but WITHOUT ANY WARRANTY; without even the implied warranty of
  86 + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  87 + GNU General Public License for more details.
  88 +
  89 + You should have received a copy of the GNU General Public License
  90 + along with this program. If not, see <http://www.gnu.org/licenses/>.
10 91
11 -## status 92 +## Author
12 93
13 -unknown  
  94 +Georg Hopp <georg@steffers.org>
Please register or login to post a comment