Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Can I access /dev/urandom with open_basedir in effect?

I want to use phpass-0.3 in Codeigniter, but I get the following error due to open_basedir:

A PHP Error was encountered
Severity: Warning
Message: is_readable() [function.is-readable]: open_basedir restriction in effect. File(/dev/urandom) is not within the allowed path(s): (/home/phginep:/usr/lib/php:/usr/local/lib/php:/tmp)
Filename: phpass-0.3/PasswordHash.php
Line Number: 51

Following code:

function get_random_bytes($count)
{
    $output = '';
    if (is_readable('/dev/urandom') &&    //Line Number: 51
        ($fh = @fopen('/dev/urandom', 'rb'))) {
        $output = fread($fh, $count);
        fclose($fh);
    }

    if (strlen($output) < $count) {
        $output = '';
        for ($i = 0; $i < $count; $i += 16) {
            $this->random_state =
                md5(microtime() . $this->random_state);
            $output .=
                pack('H*', md5($this->random_state));
        }
        $output = substr($output, 0, $count);
    }

    return $output;
}

Is there anything I can do to get around this?

like image 816
jennifer Jolie Avatar asked Apr 28 '12 12:04

jennifer Jolie


People also ask

Is urandom blocking?

The /dev/urandom device typically was never a blocking device, even if the pseudorandom number generator seed was not fully initialized with entropy since boot. /dev/arandom blocks after boot until the seed has been securely initialized with enough entropy, and then never blocks again.

What is the difference between Dev random and Dev urandom?

'Urandom' is used where there is constant need of random numbers and its randomness is not much important while 'random' is used where there is a security concern and its randomness should be reliable as it blocks outputting random numbers if entropy is not up to the mark.

Is Dev urandom random?

/dev/urandom and /dev/random use the same random number generator. They both are seeded by the same entropy pool. They both will give an equally random number of an arbitrary size. They both can give an infinite amount of random numbers with only a 256 bit seed.

What is cat Dev urandom?

/dev/urandom is a continuous stream of random data. It will never produce an end of file. Buffered reads will fill the read buffer, so even if you are piping the output of cat into some other program, the read won't be terminated until the pipe is closed.


2 Answers

You have some options here:

1 - Download a dump from a true RNG (this one offers dumps from one based on radioactive decay) and use that, just be sure that you don't keep reading the same nn bytes. Kind of clunky, but an option.

2 - Have PHP execute something that reads from /dev/urandom on its behalf (UGLY)

3 - Fall back on mt_rand() (Also ugly, but I've seen this done):

 for ($i = 0; $i < $count / 8; $i++) {
   $output .= dechex(mt_rand(0, 0x7fffffff));
 }

All options are clunky and ugly, unfortunately. The best thing to do would be sure that you don't have to deal with open_basedir. Still, this particular annoyance could be worked around.

Finally - not likely to fly with your host, but perhaps worth a try:

You can ask your host to provide urandom in your home directory so you can read it. Tell them you need to access urandom to generate random numbers so you can provide better security for your users, then ask them to run:

mknod urandom c 1 9

In your home directory. I just tried it on my own server, it works (but root needs to do it for you). There is no practical reason to keep you from using the system's pseudo random number generator, which you could do otherwise with anything other than PHP. This is actually the easiest way for them to let you have access to urandom because it requires no exceptions in the PHP or vhost configuration for you.

Disallowing access to /dev/random is a reasonable thing to do, since /dev/random must be replenished by available (new) system entropy and might cause important things to block on read if exhausted which could happen often on low traffic servers. However, /dev/urandom is guaranteed to never block since it just reuses the internal entropy pool once exhausted, which is why it's a lesser quality source.

Note

I'm not saying the idea of open_basedir is a bad one, but it breaks good code too. A classic chroot is much better, but harder, which is why you run into open_basedir much more than you do a real chroot. At the minimum, any program should be able to access the null, zero and urandom devices on a server.

like image 163
Tim Post Avatar answered Oct 28 '22 04:10

Tim Post


phpass is trying to access /dev/urandom, which is not allowed in your php.ini To resolve this issue, you must suppress the warning. To do so, just add @ before is_readable, like this :

...
@is_readable('/dev/urandom')
...
like image 24
SuN Avatar answered Oct 28 '22 02:10

SuN