dokuwiki - /dev/urandom issue

dokuwiki - /dev/urandom issue

Isimsiz
Hello
After today's update my Dokuwiki just throws a 500 error "There is no suitable
CSPRNG installed on your system". Googled a bit and found out it's because I
have no /dev/urandom in my basedir.
And this is kinda obvious cuz I have httpd chrooted by default.

Doku version dokuwiki-2017.02.19b installed from the OpenBSD packages. So
the only way is to disable chroot?

Re: dokuwiki - /dev/urandom issue

Isimsiz
Oh, forgot, OpenBSD -current, php56 + php56-fpm.

2017-06-11 20:43 GMT+03:00 Asbel Kiprop <[hidden email]>:

> Hello
> After today's update my Dokuwiki just throws a 500 error "There is no suitable
> CSPRNG installed on your system". Googled a bit and found out it's because I
> have no /dev/urandom in my basedir.
> And this is kinda obvious cuz I have httpd chrooted by default.
>
> Doku version dokuwiki-2017.02.19b installed from the OpenBSD packages. So
> the only way is to disable chroot?
>

Re: dokuwiki - /dev/urandom issue

Daniel Gillen
In reply to this post by Isimsiz
On 11.06.2017 19:43, Asbel Kiprop wrote:
> Hello
> After today's update my Dokuwiki just throws a 500 error "There is no suitable
> CSPRNG installed on your system". Googled a bit and found out it's because I
> have no /dev/urandom in my basedir.
> And this is kinda obvious cuz I have httpd chrooted by default.
>
> Doku version dokuwiki-2017.02.19b installed from the OpenBSD packages. So
> the only way is to disable chroot?
>

Have u tried creating urandom in the httpd chroot?

In case your chroot is /var/www: mkdir /var/www/dev && cd /var/www/dev
&& /dev/MAKEDEV random

I just have no idea whether this might have any security implications.
Probably not, but maybe someone else can enlighten us on this.

--
Unix _IS_ user friendly - it's just
selective about who its friends are!


Re: dokuwiki - /dev/urandom issue

Isimsiz
I'll try it, but as far as I remember, years ago on misc there was a discussion
about urandom use in OpenBSD applications, and the advice was to correct the
applications so they weren't dependent on urandom.
And as I use the Doku package from OpenBSD it looks kinda contradictory -
chroot by default and a urandom dependency in the package...

2017-06-11 20:54 GMT+03:00 Daniel Gillen <[hidden email]>:

> On 11.06.2017 19:43, Asbel Kiprop wrote:
> > Hello
> > After today's update my Dokuwiki just throws a 500 error "There is no suitable
> > CSPRNG installed on your system". Googled a bit and found out it's because I
> > have no /dev/urandom in my basedir.
> > And this is kinda obvious cuz I have httpd chrooted by default.
> >
> > Doku version dokuwiki-2017.02.19b installed from the OpenBSD packages. So
> > the only way is to disable chroot?
> >
>
> Have u tried creating urandom in the httpd chroot?
>
> In case your chroot is /var/www: mkdir /var/www/dev && cd /var/www/dev
> && /dev/MAKEDEV random
>
> I just have no idea whether this might have any security implications.
> Probably not, but maybe someone else can enlighten us on this.
>
> --
> Unix _IS_ user friendly - it's just
> selective about who its friends are!
>

Re: dokuwiki - /dev/urandom issue

Isimsiz
Created /dev/urandom in chroot. btw
root :: /var/www : ls -la /var/www/dev/
total 16
drwxr-xr-x   2 root  wheel        512 Jun 11 21:01 ./
drwxr-xr-x  16 root  daemon       512 Jun 11 21:01 ../
crw-r--r--   1 root  wheel    45,   3 Jun 11 21:01 arandom
crw-r--r--   1 root  wheel    45,   0 Jun 11 21:01 random
crw-r--r--   1 root  wheel    45,   1 Jun 11 21:01 srandom
crw-r--r--   1 root  wheel    45,   2 Jun 11 21:01 urandom

but
root :: /var/www : cat /var/www/dev/urandom
cat: /var/www/dev/urandom: Device not configured

Re: dokuwiki - /dev/urandom issue

Daniel Jakots-3
On Sun, 11 Jun 2017 21:24:23 +0300, Asbel Kiprop <[hidden email]>
wrote:

> Created /dev/urandom in chroot. btw
> root :: /var/www : ls -la /var/www/dev/
> total 16
> drwxr-xr-x   2 root  wheel        512 Jun 11 21:01 ./
> drwxr-xr-x  16 root  daemon       512 Jun 11 21:01 ../
> crw-r--r--   1 root  wheel    45,   3 Jun 11 21:01 arandom
> crw-r--r--   1 root  wheel    45,   0 Jun 11 21:01 random
> crw-r--r--   1 root  wheel    45,   1 Jun 11 21:01 srandom
> crw-r--r--   1 root  wheel    45,   2 Jun 11 21:01 urandom
>
> but
> root :: /var/www : cat /var/www/dev/urandom
> cat: /var/www/dev/urandom: Device not configured

Your partition is probably mounted with the nodev flag.


Re: dokuwiki - /dev/urandom issue

Ingo Schwarze
In reply to this post by Isimsiz
Hi Asbel,

Asbel Kiprop wrote on Sun, Jun 11, 2017 at 09:24:23PM +0300:

> cat: /var/www/dev/urandom: Device not configured

By default, /var is mounted nodev.  See mount(8), fstab(5).

Yours,
  Ingo
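
The diagnosis given in the two replies above (a device node created on a filesystem mounted nodev cannot be opened), as an added shell example that is not part of the original thread. It parses mount(8)-style output and classifies a candidate node; the function names and the sample mount table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of mount(8) output; not taken from the thread.
SAMPLE_MOUNTS='/dev/sd0a on / type ffs (local)
/dev/sd0e on /var type ffs (local, nodev, nosuid)
/dev/sd0d on /usr type ffs (local, nodev)'

# mount_line_for PATH MOUNTS: print the mount(8) line whose mount point
# is the longest prefix of PATH.
mount_line_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mp = $3
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); line = $0 }
            }
        }
        END { if (line != "") print line }'
}

# has_nodev PATH MOUNTS: succeed if PATH lives on a nodev filesystem.
has_nodev() {
    opts=$(mount_line_for "$1" "$2")
    opts=${opts##*\(}    # keep the option list after the last "("
    opts=${opts%\)*}     # drop the closing ")"
    case ", $opts," in
        *", nodev,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# diagnose NODE MOUNTS: classify a candidate random device node.
diagnose() {
    if has_nodev "$1" "$2"; then
        echo "nodev"         # a node here is at best an inert inode
    elif [ ! -e "$1" ]; then
        echo "missing"
    elif [ ! -c "$1" ]; then
        echo "not-chardev"   # e.g. a regular file sitting at that path
    else
        echo "usable"
    fi
}

# On a live system pass "$(mount)" instead of the sample.
diagnose /var/www/dev/urandom "$SAMPLE_MOUNTS"
```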


Re: dokuwiki - /dev/urandom issue

Isimsiz
Ooops, really, thanks

So for now it's really the only solution: create dev in chroot and remove
the nodev flag from the mount options of the /var/ directory? Hmmm

2017-06-11 21:33 GMT+03:00 Ingo Schwarze <[hidden email]>:

> Hi Asbel,
>
> Asbel Kiprop wrote on Sun, Jun 11, 2017 at 09:24:23PM +0300:
>
> > cat: /var/www/dev/urandom: Device not configured
>
> By default, /var is mounted nodev.  See mount(8), fstab(5).
>
> Yours,
>   Ingo
>

Re: dokuwiki - /dev/urandom issue

Theo de Raadt-2
In reply to this post by Ingo Schwarze
> Asbel Kiprop wrote on Sun, Jun 11, 2017 at 09:24:23PM +0300:
>
> > cat: /var/www/dev/urandom: Device not configured
>
> By default, /var is mounted nodev.  See mount(8), fstab(5).

Providing a workaround that reduces security is a poor answer.
Perhaps the drive to make-it-work inevitably overrides the
desire to do right.

Also, you could "cp /etc/passwd urandom" and it will work fine
also!  Safety, good lord who cares.

The port should be fixed, so that it internally uses arc4random.

The "nodev" option is used for some good reasons.


Re: dokuwiki - /dev/urandom issue

Isimsiz
> The port should be fixed, so that it internally uses arc4random.
That is what I came here for.
Think I need to write some mail to the package developer...

2017-06-11 21:37 GMT+03:00 Theo de Raadt <[hidden email]>:

> > Asbel Kiprop wrote on Sun, Jun 11, 2017 at 09:24:23PM +0300:
> >
> > > cat: /var/www/dev/urandom: Device not configured
> >
> > By default, /var is mounted nodev.  See mount(8), fstab(5).
>
> Providing a workaround that reduces security is a poor answer.
> Perhaps the drive to make-it-work inevitably overrides the
> desire to do right.
>
> Also, you could "cp /etc/passwd urandom" and it will work fine
> also!  Safety, good lord who cares.
>
> The port should be fixed, so that it internally uses arc4random.
>
> The "nodev" option is used for some good reasons.
>
>

Re: dokuwiki - /dev/urandom issue

Stuart Henderson
In reply to this post by Isimsiz
On 2017-06-11, Asbel Kiprop <[hidden email]> wrote:
> Hello
> After today's update my Dokuwiki just throws a 500 error "There is no suitable
> CSPRNG installed on your system". Googled a bit and found out it's because I
> have no /dev/urandom in my basedir.
> And this is kinda obvious cuz I have httpd chrooted by default.
>
> Doku version dokuwiki-2017.02.19b installed from the OpenBSD packages. So
> the only way is to disable chroot?
>

I think any of these options should work, listed in order of preference.

1. use php 7
2. install and enable pecl-sodium
3. install and enable php-mcrypt



Re: dokuwiki - /dev/urandom issue

Stuart Henderson
In reply to this post by Theo de Raadt-2
On 2017-06-11, Theo de Raadt <[hidden email]> wrote:
> Also, you could "cp /etc/passwd urandom" and it will work fine
> also!

It won't in this case. They're using ParagonIE's random_* compat
library which was written by someone with a functioning brain.



Re: dokuwiki - /dev/urandom issue

Stuart Henderson
In reply to this post by Stuart Henderson
On 2017-06-12, Stuart Henderson <[hidden email]> wrote:

> On 2017-06-11, Asbel Kiprop <[hidden email]> wrote:
>> Hello
>> After today's update my Dokuwiki just throws a 500 error "There is no suitable
>> CSPRNG installed on your system". Googled a bit and found out it's because I
>> have no /dev/urandom in my basedir.
>> And this is kinda obvious cuz I have httpd chrooted by default.
>>
>> Doku version dokuwiki-2017.02.19b installed from the OpenBSD packages. So
>> the only way is to disable chroot?
>>
>
> I think any of these options should work, listed in order of preference.
>
> 1. use php 7
> 2. install and enable pecl-sodium
> 3. install and enable php-mcrypt
>
>

(In case that's not clear, *decreasing* order of preference..)