我可以访问/ dev / urandom与open_basedir有效吗？ [英] Can I access /dev/urandom with open_basedir in effect?

问题描述

我想在Codeigniter中使用phpass-0.3，但由于 open_basedir ，我收到以下错误：

< >

遇到PHP错误严重度：警告_
消息：is_readable（）[function.is-readable]：open_basedir
限制生效。文件（/ dev / urandom）不在允许的
路径内：（/ home / phginep：/ usr / lib / php：/ usr / local / lib / php：/ tmp）

文件名：phpass-0.3 / PasswordHash.phppris行号：51Ú

以下代码：

  function get_random_bytes（$ count）
 {
 $ output =''; 
 if（is_readable（'/ dev / urandom'）&& // Line Number：51 
（$ fh = @fopen（'/ dev / urandom'，'rb'）））{ 
 $ output = fread（$ fh，$ count）; 
 fclose（$ fh）; 
} 
 
 if（strlen（$ output）< $ count）{
 $ output =''; 
 for（$ i = 0; $ i <$ count; $ i + = 16）{
 $ this-> random_state = 
 md5（microtime（）。$ this-> ; random_state）; 
 $ output。= 
 pack（'H *'，md5（$ this-> random_state））; 
} 
 $ output = substr（$ output，0，$ count）; 
} 
 
 return $ output; 
} 
  

我能做些什么来解决这个问题吗？

解决方案

这里有一些选项：

1 - 从真RNG （这一个提供从基于放射性衰变的转储），并使用，只要确保你不继续阅读相同nn字节。种类笨重，但是一个选项。

2 - PHP执行从 / dev / urandom （UGLY）

3 - 回到 mt_rand（）（也很丑陋， this done）：

  for（$ i = 0; $ i< $ count / 8; $ i ++）{
 $ output。= dechex（mt_rand（0，0x7fffffff））; 
} 
  

不幸的是，所有的选项都很笨拙。最好的办法是确保你不必处理 open_basedir 。

最后 - 不太可能与您的主机一起飞行，但也许值得一试： p>

您可以要求您的主机在您的主目录中提供 urandom ，以便您阅读。告诉他们您需要访问urandom以生成随机数，以便为您的用户提供更好的安全性，然后要求他们运行：

  mknod urandom c 1 9 
  

在您的主目录中。我只是试图在我自己的服务器，它的工作（但根需要为你做）。有没有实际的理由阻止你使用系统的伪随机数生成器，你可以使用除了PHP之外的任何东西。这实际上是让他们访问 urandom 的最简单的方法，因为它在PHP或vhost配置中不需要任何异常。

不允许访问 / dev / random 是一个合理的事情，因为 / dev / random 必须由可用的（新的）系统熵补充，并且可能导致在读取时阻塞的重要事情，如果耗尽，这可能在低流量服务器上经常发生。但是， / dev / urandom 确保永远不会阻塞，因为它只是重用了内部熵池一旦耗尽，这就是为什么它是一个质量较差的来源。

请注意

我不是在说<$ c> $ c> open_basedir 是一个坏的，但它也打破了好的代码。一个经典的 chroot 是更好，但更难，这就是为什么你遇到 open_basedir 比你做一个真正的chroot。至少，任何程序都应该能够访问 null ， zero 和 urandom 设备。

I want to use phpass-0.3 in Codeigniter, but I get the following error due to open_basedir:

A PHP Error was encountered
Severity: Warning
Message: is_readable() [function.is-readable]: open_basedir restriction in effect. File(/dev/urandom) is not within the allowed path(s): (/home/phginep:/usr/lib/php:/usr/local/lib/php:/tmp)
Filename: phpass-0.3/PasswordHash.php
Line Number: 51

Following code:

function get_random_bytes($count)
{
    $output = '';
    if (is_readable('/dev/urandom') &&    //Line Number: 51
        ($fh = @fopen('/dev/urandom', 'rb'))) {
        $output = fread($fh, $count);
        fclose($fh);
    }

    if (strlen($output) < $count) {
        $output = '';
        for ($i = 0; $i < $count; $i += 16) {
            $this->random_state =
                md5(microtime() . $this->random_state);
            $output .=
                pack('H*', md5($this->random_state));
        }
        $output = substr($output, 0, $count);
    }

    return $output;
}

Is there anything I can do to get around this?

解决方案

You have some options here:

1 - Download a dump from a true RNG (this one offers dumps from one based on radioactive decay) and use that, just be sure that you don't keep reading the same nn bytes. Kind of clunky, but an option.

2 - Have PHP execute something that reads from /dev/urandom on its behalf (UGLY)

3 - Fall back on mt_rand() (Also ugly, but I've seen this done):

 for ($i = 0; $i < $count / 8; $i++) {
   $output .= dechex(mt_rand(0, 0x7fffffff));
 }

All options are clunky and ugly, unfortunately. The best thing to do would be sure that you don't have to deal with open_basedir. Still, this particular annoyance could be worked around.

Finally - not likely to fly with your host, but perhaps worth a try:

You can ask your host to provide urandom in your home directory so you can read it. Tell them you need to access urandom to generate random numbers so you can provide better security for your users, then ask them to run:

mknod urandom c 1 9

In your home directory. I just tried it on my own server, it works (but root needs to do it for you). There is no practical reason to keep you from using the system's pseudo random number generator, which you could do otherwise with anything other than PHP. This is actually the easiest way for them to let you have access to urandom because it requires no exceptions in the PHP or vhost configuration for you.

Disallowing access to /dev/random is a reasonable thing to do, since /dev/random must be replenished by available (new) system entropy and might cause important things to block on read if exhausted which could happen often on low traffic servers. However, /dev/urandom is guaranteed to never block since it just reuses the internal entropy pool once exhausted, which is why it's a lesser quality source.

Note

I'm not saying the idea of open_basedir is a bad one, but it breaks good code too. A classic chroot is much better, but harder, which is why you run into open_basedir much more than you do a real chroot. At the minimum, any program should be able to access the null, zero and urandom devices on a server.

这篇关于我可以访问/ dev / urandom与open_basedir有效吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！