Bug 1206699 - haveged uses fixed filename in world-writeable directory
Summary: haveged uses fixed filename in world-writeable directory
Status: NEW
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Basesystem
Version: Current
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assignee: Peter Simons
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-12-26 14:11 UTC by Christian Boltz
Modified: 2023-12-01 15:40 UTC
CC List: 3 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Christian Boltz 2022-12-26 14:11:32 UTC
haveged creates a file /dev/shm/sem.haveged_sem on startup. /dev/shm/ is (like /tmp) writeable for everybody, which means a malicious person could create a file or symlink named /dev/shm/sem.haveged_sem before haveged starts:

    cd /dev/shm && ln -s hacked sem.haveged_sem

On the positive side, haveged seems to check if the file is a symlink before blindly opening it (timestamps removed to make the log readable):

systemd[1]: Started Entropy Daemon based on the HAVEGE algorithm.
haveged[12775]: haveged: command socket is listening at fd 3
haveged[12775]: haveged: Couldn't create nammed semaphore haveged_sem error:
                         Too many levels of symbolic links
systemd[1]: haveged.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: haveged.service: Failed with result 'exit-code'.

So if haveged_sem exists as a symlink, this blocks haveged from starting (denial of service).

In theory there could also be a race condition between the check for a symlink and (if it doesn't exist [yet]) opening the file for writing, which might allow an attacker to create a symlink at the right moment and write to an attacker-chosen file.

If the file exists as a normal file, haveged starts nevertheless, and it doesn't change the file content. (No idea if it reads the file, and if yes, if "funny things" might happen depending on the file content.)


I'd recommend using a randomly chosen filename (mktemp) or, alternatively, a directory that is not world-writeable.