Re: /dev/urandom in chroot
On Tue, Oct 29, 2013 at 02:06:48PM -0400, Gabriel Guzman wrote:
> On 10/29, Theo de Raadt wrote:
> > The /dev/*random nodes are not specified in any standard, furthermore
> > once you get into chroot all bets are off (like you discovered).
> >
> > >This allows the program to work, but I'm wondering if there is a better
> > >way to do this that doesn't involve removing the nodev setting from
> > >/var.
> >
> > Rewrite it so that it uses other ways to get randomness. The arc4random
> > API is exposed in various programming layers.
> >
> > >Would it be preferable to use a language function for getting pseudo
> > >random bytes instead of relying on the device?
> >
> > Yes. Definately.
>
> Great, thanks for confirmation on that, I'll fix the program so I don't
> need to make devices inside my cozy chroot and push the changes upstream.
>
FWIW, on Linux there is also a way to access kernel randomness without using
a device file:
int mib[3] = { CTL_KERN, KERN_RANDOM, RANDOM_UUID };
uint32_t uuid[4];
sysctl(mib, 3, uuid, &(size_t){ sizeof uuid }, (void *)0, 0);
You can just feed this into a simple KDF construction using a
cryptographically strong hash function, or feed it into OpenSSL's PRNG.
Caveat emptor: add appropriate error checking so you know if and when this
fails. I've never seen it fail, but the API is undocumented because Linux
eschews sysctl in favor of /proc and /dev, and theoretically it could
disappear.
Unfortunately, on OS X and FreeBSD arc4random(3) reads from /dev/random.
What a shame. Somebody was asleep at the wheel.
The safest behavior is to arrange to acquire randomness resources at startup
before chroot'ing, but obviously this is difficult to do in a self-contained
library.
Re: /dev/urandom in chroot
On 10/29, Theo de Raadt wrote: > >I have a web program that attempts to access /dev/urandom from within the > >/var/www chroot. Based on archive searches and googling, I've removed > >the nodev flag from that mount and have created the random devices in > >/var/www/dev/* > > So basically remove a layer of security. Awesome. See what they made > you do? Yeah, I didn't feel like that was a great idea. I was fairly sure the nodev flag was put there on purpose. > > The /dev/*random nodes are not specified in any standard, furthermore > once you get into chroot all bets are off (like you discovered). > > >This allows the program to work, but I'm wondering if there is a better > >way to do this that doesn't involve removing the nodev setting from > >/var. > > Rewrite it so that it uses other ways to get randomness. The arc4random > API is exposed in various programming layers. > > >Would it be preferable to use a language function for getting pseudo > >random bytes instead of relying on the device? > > Yes. Definately. Great, thanks for confirmation on that, I'll fix the program so I don't need to make devices inside my cozy chroot and push the changes upstream. gabe.
Re: /dev/urandom in chroot
>I have a web program that attempts to access /dev/urandom from within the >/var/www chroot. Based on archive searches and googling, I've removed >the nodev flag from that mount and have created the random devices in >/var/www/dev/* So basically remove a layer of security. Awesome. See what they made you do? The /dev/*random nodes are not specified in any standard, furthermore once you get into chroot all bets are off (like you discovered). >This allows the program to work, but I'm wondering if there is a better >way to do this that doesn't involve removing the nodev setting from >/var. Rewrite it so that it uses other ways to get randomness. The arc4random API is exposed in various programming layers. >Would it be preferable to use a language function for getting pseudo >random bytes instead of relying on the device? Yes. Definately.
/dev/urandom in chroot
Hello Misc, I have a web program that attempts to access /dev/urandom from within the /var/www chroot. Based on archive searches and googling, I've removed the nodev flag from that mount and have created the random devices in /var/www/dev/* This allows the program to work, but I'm wondering if there is a better way to do this that doesn't involve removing the nodev setting from /var. Would it be preferable to use a language function for getting pseudo random bytes instead of relying on the device? Thanks for your time, gabe.
