Welcome to mod_entropy
This is mod_entropy. It is an Apache module that creates random values from incoming requests.
Currently there is no release of this, so you have to check it out via git.
git clone git://redminie.weird-web-workers.org/var/lib/git/mod_entropy.git
ATTENTION: This module adds data to the kernel random number pool.
To do this the apache process needs CAP_SYS_ADMIN. Without any role-based access control
this is true only for the root user.
An alternative is to assign CAP_SYS_ADMIN to the apache process.
This still does not seem to be the ideal solution, as it would give the apache process access
to several system internals such as de-/activation of swap devices, mount/unmount, etc.
Anyway, this is the best I could figure out.
It would be good to have a special capability just for random pool administration, but
actually I have no clue if and how this might be possible.
Anyway, this still might lead to problems with the security of your encryption, as an attacker
might be able to add their own random values to the random pool, which in turn might compromise your
Actually I have no good solution for this... maybe it is not a good idea at all to generate
random numbers this way. I would be lucky to get feedback on this issue.
Add cap_sys_admin to apache
You need libcap installed on your system to do this.
Assuming your apache binary is /usr/sbin/apache2 do the following as root:
~> setcap cap_net_bind_service,cap_sys_admin=ep /usr/sbin/apache2
Then make sure apache is started by the user configured in http.conf.
This should prevent the rights from being dropped when the effective user id changes.
If apache2 does not start, it is most likely related to some access rights.
Just have a look in the error log as mentioned in this wiki page.
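To confirm that the running process really ends up with the two capabilities granted by setcap and nothing more, the effective capability mask in /proc/<pid>/status can be decoded. This is an added example, not part of mod_entropy; the function names and the sample status text are constructed for illustration, and the bit numbers are those from linux/capability.h.

```shell
#!/bin/sh
# Added example, not part of mod_entropy. Function names are hypothetical.
# Bit numbers as defined in <linux/capability.h>.
CAP_NET_BIND_SERVICE=10
CAP_SYS_ADMIN=21

# Constructed sample: capability lines of /proc/<pid>/status for a worker
# running as an unprivileged user with exactly the two file capabilities.
SAMPLE_WORKER='Name:   apache2
Uid:    33 33 33 33
CapPrm: 0000000000200400
CapEff: 0000000000200400'

# cap_field FIELD: print the hex mask of FIELD from status text on stdin.
cap_field() {
    awk -v f="$1:" '$1 == f { print $2 }'
}

# has_cap HEXMASK BIT: succeed if capability number BIT is set in HEXMASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# audit_caps: read status text on stdin and classify the effective set.
audit_caps() {
    eff=$(cap_field CapEff)
    [ -n "$eff" ] || { echo "no-capeff"; return 2; }
    allowed=$(( (1 << $CAP_NET_BIND_SERVICE) | (1 << $CAP_SYS_ADMIN) ))
    extra=$(( 0x$eff & ~$allowed ))
    if [ "$extra" -ne 0 ]; then
        echo "unexpected-extra"      # e.g. still holding root's full set
        return 1
    fi
    if has_cap "$eff" "$CAP_SYS_ADMIN"; then
        echo "sys_admin-held"        # capability is effective in this process
    else
        echo "sys_admin-missing"     # not effective, e.g. lost on the uid change
    fi
}

# Live use: audit_caps < "/proc/$(pidof -s apache2)/status"
```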
Build and install
Then build and install the module:
~> cd mod_entropy
~> ./bootstrap
~> ./configure
~> make
~> make install
Activate in apache config
Add the following lines to your apache config file.
LoadModule entropy_module modules/mod_entropy.so
SetInputFilter ENTROPY