From bc6d17ed74a20c35ddb21f5f6b7b644664e5275c Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Tue, 26 May 2015 14:11:38 +0200 Subject: Add check for availability of /dev/urandom Without /dev/urandom being available to read the medium RNG will rely only on the following components on a Linux system: 1. MicroTime: microtime() . memory_get_usage() as seed and then a garbage collected microtime for loop 2. MTRand: chr((mt_rand() ^ mt_rand()) % 256) 3. Rand: chr((rand() ^ rand()) % 256) 4. UniqId: Plain uniqid() An adversary with the possibility to predict the seed used by the PHP process may thus be able to predict future tokens which is an unwanted behaviour. One should note that this behaviour is documented in our documentation to ensure that users get aware of this even without reading our documentation this will add a post setup check to the administrative interface. Thanks to David Black from d1b.org for bringing this again to our attention. --- settings/controller/checksetupcontroller.php | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'settings') diff --git a/settings/controller/checksetupcontroller.php b/settings/controller/checksetupcontroller.php index 15719ce215f..3ced5af5a5f 100644 --- a/settings/controller/checksetupcontroller.php +++ b/settings/controller/checksetupcontroller.php @@ -90,6 +90,23 @@ class CheckSetupController extends Controller { return $this->config->getSystemValue('memcache.local', null) !== null; } + /** + * Whether /dev/urandom is available to the PHP controller + * + * @return bool + */ + private function isUrandomAvailable() { + if(@file_exists('/dev/urandom')) { + $file = fopen('/dev/urandom', 'rb'); + if($file) { + fclose($file); + return true; + } + } + + return false; + } + /** * @return DataResponse */ @@ -100,6 +117,8 @@ class CheckSetupController extends Controller { 'dataDirectoryProtected' => $this->util->isHtaccessWorking($this->config), 'isMemcacheConfigured' => $this->isMemcacheConfigured(), 'memcacheDocs' => $this->urlGenerator->linkToDocs('admin-performance'), + 'isUrandomAvailable' => $this->isUrandomAvailable(), + 'securityDocs' => $this->urlGenerator->linkToDocs('admin-security'), ] ); } -- cgit v1.2.3