Maybe it should open /dev/null and /dev/urandom before chroot()'ing ?
On Sat, 13 May 2017, Richard Hipp wrote:
On 5/13/17, Olivier R. <m...@grammalecte.net> wrote:
Hello,
I'm running Fossil on Debian Jessie 8.2
(x86_64-debian-jessie-2016-04-06_15:26) at Scaleway.com (VC1S).
In the admin panel, Fossil says:
WARNING: Device "/dev/null" is not available for reading and writing.
WARNING: Device "/dev/urandom" is not available for reading. This
means that the pseudo-random number generator used by SQLite will be
poorly seeded.
fossil is in usr/bin.
repo.fossil is in /root/repo.
To launch the server, I simply type:
    fossil open repo.fossil
    nohup fossil server &
Are you running the commands above as root? If so, Fossil will
automatically put itself in a chroot jail on the directory containing
the repository and drop root privileges before doing anything else.
This is a security feature.
If you are going into a chroot jail, probably /dev/null and
/dev/urandom are no longer in that chroot jail. You can fix that by
running:
    mkdir dev
    mknod dev/null c 1 3
    mknod dev/urandom c 1 9
See also the "managing server load" heading of
http://fossil-scm.org/fossil/doc/trunk/www/server.wiki where it talks
about the importance of making /proc available inside the chroot jail
so that Fossil can determine the load average.
Or, you can use the --nojail option on the "fossil server" command, in
which case Fossil will still drop its root privilege but will not
attempt to form a chroot jail. This is less secure, but probably
still plenty safe.
In /dev, there is:
crw-rw-rw- 1 root root 1, 3 Apr 8 2016 null
crw-rw-rw- 1 root root 1, 9 Apr 8 2016 urandom
If I clone the repository, modify something, commit the modification,
fossil says when trying to sync:
Autosync: http://xxx.xxx.xxx.xxx:8080
Round-trips: 1 Artifacts sent: 0 received: 0
Pull done, sent: 312 received: 328 ip: xxx.xxx.xxx.xxx
New_Version: xxxxxxxxxxxxxxxxxxxx_hash_code_xxxxxxxxxxxxxxxxxxxxx
Autosync: http://xxx.xxx.xxx.xxx:8080
Round-trips: 1 Artifacts sent: 2 received: 0
Error: not authorized to write
Round-trips: 1 Artifacts sent: 2 received: 0
Sync done, sent: 759 received: 355 ip: xxx.xxx.xxx.xxx
Autosync failed.
The repository has not been updated.
How to solve these problems?
Olivier
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
--
D. Richard Hipp
d...@sqlite.org
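
The suggestion at the top of this thread, opening /dev/null and /dev/urandom before chroot(), written out as an added C example; it is not Fossil's source code. The function names, the jail directory argument and uid/gid 65534 are assumptions made for the demonstration.

```c
/* Added example, not Fossil's source. Names and uid/gid are assumptions. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
struct jail_fds { int null_fd; int urandom_fd; };

/* Step 1: open the devices while the real /dev is still visible. */
int open_devices(struct jail_fds *f) {
    f->null_fd = open("/dev/null", O_RDWR | O_CLOEXEC);
    f->urandom_fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    return (f->null_fd < 0 || f->urandom_fd < 0) ? -1 : 0;
}

/* Step 2: chroot, then drop root for good. chroot() needs root, and the
 * groups must change before the uid or the process can no longer set them. */
int enter_jail(const char *dir, uid_t uid, gid_t gid) {
    if (chroot(dir) != 0 || chdir("/") != 0) return -1;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (setuid(0) == 0) { errno = EPERM; return -1; } /* root still reachable */
    return 0;
}

/* Step 3: read n bytes from the inherited fd; no path lookup is involved. */
ssize_t read_seed(int fd, unsigned char *buf, size_t n) {
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) return -1;
        got += (size_t)r;
    }
    return (ssize_t)got;
}

int main(int argc, char **argv) {
    struct jail_fds f;
    unsigned char seed[32];
    if (argc != 2) { fprintf(stderr, "usage: %s JAILDIR (as root)\n", argv[0]); return 2; }
    if (open_devices(&f) != 0) { perror("open devices"); return 1; }
    /* 65534 is assumed to be an unprivileged account (nobody on Debian). */
    if (enter_jail(argv[1], 65534, 65534) != 0) { perror("enter_jail"); return 1; }
    if (read_seed(f.urandom_fd, seed, sizeof seed) != (ssize_t)sizeof seed) return 1;
    printf("in jail: /dev/urandom path %s, seed read from inherited fd\n",
           access("/dev/urandom", R_OK) == 0 ? "present" : "absent");
    return 0;
}
```

Pre-opened descriptors only help code that uses them; anything that opens /dev/urandom by path after the jail is formed still needs the device node inside the jail.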