diff options
author | Lukas Reschke <lukas@owncloud.com> | 2015-05-26 14:11:38 +0200 |
---|---|---|
committer | Lukas Reschke <lukas@owncloud.com> | 2015-05-26 14:16:07 +0200 |
commit | bc6d17ed74a20c35ddb21f5f6b7b644664e5275c (patch) | |
tree | 80991e705aa9132d3c802b8383284c110f97dccc /settings | |
parent | b82d902e184960877110bc45124ed2399f779cac (diff) | |
download | nextcloud-server-bc6d17ed74a20c35ddb21f5f6b7b644664e5275c.tar.gz nextcloud-server-bc6d17ed74a20c35ddb21f5f6b7b644664e5275c.zip |
Add check for availability of /dev/urandom
Without /dev/urandom being available to read the medium RNG will rely only on the following components on a Linux system:
1. MicroTime: microtime() . memory_get_usage() as seed and then a garbage collected microtime for loop
2. MTRand: chr((mt_rand() ^ mt_rand()) % 256)
3. Rand: chr((rand() ^ rand()) % 256)
4. UniqId: Plain uniqid()
An adversary with the possibility to predict the seed used by the PHP process may thus be able to predict future tokens which is an unwanted behaviour.
One should note that this behaviour is documented in our documentation to ensure that users get aware of this even without reading our documentation this will add a post setup check to the administrative interface.
Thanks to David Black from d1b.org for bringing this again to our attention.
Diffstat (limited to 'settings')
-rw-r--r-- | settings/controller/checksetupcontroller.php | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/settings/controller/checksetupcontroller.php b/settings/controller/checksetupcontroller.php index 15719ce215f..3ced5af5a5f 100644 --- a/settings/controller/checksetupcontroller.php +++ b/settings/controller/checksetupcontroller.php @@ -91,6 +91,23 @@ class CheckSetupController extends Controller { } /** + * Whether /dev/urandom is available to the PHP controller + * + * @return bool + */ + private function isUrandomAvailable() { + if(@file_exists('/dev/urandom')) { + $file = fopen('/dev/urandom', 'rb'); + if($file) { + fclose($file); + return true; + } + } + + return false; + } + + /** * @return DataResponse */ public function check() { @@ -100,6 +117,8 @@ class CheckSetupController extends Controller { 'dataDirectoryProtected' => $this->util->isHtaccessWorking($this->config), 'isMemcacheConfigured' => $this->isMemcacheConfigured(), 'memcacheDocs' => $this->urlGenerator->linkToDocs('admin-performance'), + 'isUrandomAvailable' => $this->isUrandomAvailable(), + 'securityDocs' => $this->urlGenerator->linkToDocs('admin-security'), ] ); } |