The warnings are printed because dcc-common.postinst uses /bin/sh as
shell, which is dash in Feisty and not bash.

Bash understands option "-n" for the read command, while dash doesn't.

Because of the failing read, /dev/urandom is not used as random source,
but instead the 'ps ax' output is used; therefore the warning about the
potentially insecure password.

Suggestion to fix this:
Instead of testing the readability of /dev/urandom in line 6 of 
dcc-common.postinst with
  if ! read -n 0 < $RANDOMDEVICE ; then
which tries to read zero characters, one could use the readability test
  if [ ! -r "$RANDOMDEVICE" ]; then

Maybe the security of the generated passwords can be discussed anyway, because 
the output of /dev/urandom or "ps ax" is piped through 'cksum' later on which 
will produce predictable output (the last 4 characters will be 'x120' usually 
for /dev/urandom input). This is not a great issue because the leading checksum 
is about 9 or 10 characters and probably as unpredictable as the used random 
source.
An alternative to generating the passwords by some script mimic would be to 
depend on the package pwgen and use e.g. "`pwgen -cns 10`" in lines 34/35 of 
dcc-common.postinst.

-- 
Warnings (read/password) during installation of dcc-common
https://bugs.launchpad.net/bugs/119808
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
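
A dash-compatible form of the readability check suggested in the message above, combined with password generation that reads the random device directly instead of piping it through cksum. This is an added example, not code from dcc-common.postinst; the function names, the 512-byte read, and the choice to fail rather than fall back when the device is unreadable are assumptions of the example.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not taken from
# dcc-common.postinst. Uses only POSIX sh features, so it runs under dash.
RANDOMDEVICE=${RANDOMDEVICE:-/dev/urandom}

# True if $1 is a readable character device.
# "[ -r ]" and "[ -c ]" are POSIX tests; "read -n 0 < file" relies on a
# bash-only option and fails under dash with "Illegal option -n".
random_source_ok() {
    [ -r "$1" ] && [ -c "$1" ]
}

# Print a password of $2 alphanumeric characters drawn from device $1.
# Returns 1 and prints nothing on stdout if the device is unusable.
# Assumption of this example: no fallback to "ps ax" output.
gen_password() {
    dev=$1
    len=$2
    if ! random_source_ok "$dev"; then
        echo "warning: $dev is not readable, no password generated" >&2
        return 1
    fi
    # Read one 512-byte block and keep only alphanumerics; on average
    # about 124 characters survive the filter, far more than needed.
    # No checksum step, so no fixed suffix ends up in the password.
    pw=$(dd if="$dev" bs=512 count=1 2>/dev/null |
         LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-"$len")
    # Refuse to hand back a short password if the read came up short.
    [ "${#pw}" -eq "$len" ] || return 1
    printf '%s\n' "$pw"
}

# Stand-alone run: report which branch the check takes on this system.
if random_source_ok "$RANDOMDEVICE"; then
    echo "random source $RANDOMDEVICE is usable" >&2
else
    echo "random source $RANDOMDEVICE is NOT usable" >&2
fi
```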
