On 10/29, Theo de Raadt wrote:
> >I have a web program that attempts to access /dev/urandom from within the
> >/var/www chroot.  Based on archive searches and googling, I've removed 
> >the nodev flag from that mount and have created the random devices in 
> >/var/www/dev/* 
> 
> So basically remove a layer of security.  Awesome.  See what they made
> you do?

Yeah, I didn't feel like that was a great idea.  I was fairly sure the
nodev flag was put there on purpose.  

> 
> The /dev/*random nodes are not specified in any standard, furthermore
> once you get into chroot all bets are off (like you discovered).
> 
> >This allows the program to work, but I'm wondering if there is a better
> >way to do this that doesn't involve removing the nodev setting from
> >/var.  
> 
> Rewrite it so that it uses other ways to get randomness.  The arc4random
> API is exposed in various programming layers.
> 
> >Would it be preferable to use a language function for getting pseudo 
> >random bytes instead of relying on the device?
> 
> Yes.  Definitely.

Great, thanks for confirmation on that, I'll fix the program so I don't
need to make devices inside my cozy chroot and push the changes upstream.  

gabe.
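
As an added example (not code from this thread or from the program being discussed), this is what replacing a /dev/urandom read with the arc4random API can look like in C: a hex session token filled by arc4random_buf(), which needs no device node inside the chroot. The names make_token and fill_random, the 16-byte token size, and the getentropy() fallback for glibc older than 2.36 are assumptions of this example.

```c
/* Added example: session token for a chrooted web program, no /dev node. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>   /* arc4random_buf(): OpenBSD libc, glibc >= 2.36 */
#include <unistd.h>   /* getentropy(): fallback only */

#if defined(__GLIBC__)
# if !__GLIBC_PREREQ(2, 36)
#  define NO_ARC4RANDOM 1   /* assumption: older glibc lacks the API */
# endif
#endif

#define TOKEN_BYTES 16      /* 128 bits; the size is this example's choice */

/* Fill buf with n (<= 256) random bytes without opening any file. */
static void fill_random(void *buf, size_t n)
{
#ifdef NO_ARC4RANDOM
    /* getentropy() is a kernel call as well, not a device read. */
    if (getentropy(buf, n) != 0)
        abort();            /* never continue with a weak token */
#else
    arc4random_buf(buf, n); /* cannot fail, needs no seeding */
#endif
}

/* Write 2*TOKEN_BYTES hex digits plus NUL into out.
 * Returns 0 on success, -1 if out is NULL or too small. */
int make_token(char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    unsigned char raw[TOKEN_BYTES];
    size_t i;

    if (out == NULL || outlen < 2 * TOKEN_BYTES + 1)
        return -1;
    fill_random(raw, sizeof raw);
    for (i = 0; i < sizeof raw; i++) {
        out[2 * i]     = hex[raw[i] >> 4];
        out[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    out[2 * TOKEN_BYTES] = '\0';
    return 0;
}

int main(void)
{
    char tok[2 * TOKEN_BYTES + 1];
    return make_token(tok, sizeof tok) == 0 ? (puts(tok), 0) : 1;
}
```

Because nothing here opens a file, the same binary behaves identically inside and outside /var/www, and the nodev flag can stay on the mount.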
