Package: apache2-utils
Version: 2.2.9-7
Severity: minor
Greetings,
Having recently upgraded from a relatively old apache 1.3-era package I have
found
a quick script I wrote to periodically syncronise passwords had become
unreliable.
Further investigation reveals that htpasswd invoked from this script around 50
times
blocks for long periods. It previously took trivial time (very much less than
one
second). Running strace, I see:
$ strace htpasswd -c -b testfile testuser testpass
[much output]
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
uname({sys=Linux, node=gamma, ...}) = 0
brk(0) = 0x804c000
brk(0x806d000) = 0x806d000
stat64(testfile, 0xbfb4f970) = -1 ENOENT (No such file or
directory)
open(testfile, O_WRONLY|O_CREAT|O_LARGEFILE, 0666) = 3
close(3)= 0
open(/dev/random, O_RDONLY) = 3
read(3,
Clearly I'm entropy-starved. However, I'd question whether a tool such as
htpasswd
cannot do with /dev/urandom. Delving into the code, it uses it to seed rand(3)
so
it clearly does not use /dev/random for any purpose where pure entropy is
required.
Previously it had used time(2) -- this change to use a blocking function in the
APR
is the source of the regression.
Cheers,
Joseph
-- System Information:
Debian Release: lenny/sid
Architecture: i386 (i686)
Kernel: Linux 2.6.18-6-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages apache2-utils depends on:
ii libapr11.2.12-4 The Apache Portable Runtime Librar
ii libaprutil11.2.12+dfsg-8 The Apache Portable Runtime Utilit
ii libc6 2.7-13GNU C Library: Shared libraries
ii libssl0.9.80.9.8g-13 SSL shared libraries
apache2-utils recommends no packages.
apache2-utils suggests no packages.
-- no debconf information
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]