Why is /dev/urandom only readable by root since Ubuntu 12.04 and how can I "fix" it?

I used to work with Ubuntu 10.04 templates on a lot of servers. Since changing to 12.04 I have problems that I've now isolated.

The /dev/urandom device is only accessible to root.

This caused SSL engines, at least in PHP, for example file_get_contents(https://... to fail.

It also broke redmine.

After a chmod 644 it works fine, but that doesn't stay upon reboot.

So my questions:

  1. Why is this? I see no security risk because... I mean... wanna steal some random data?

  2. How can I "fix" it? The servers are isolated and used by only one application, that's why I use OpenVZ. I think about something like a runlevel script or so... but how do I do it efficiently? Maybe with dpkg or apt?

  3. The same goes for /dev/shm. In this case I totally understand why it's not accessible, but I assume I can "fix" it the same way as /dev/urandom.


Solution 1:

With excessive reading from udev, you can drain the random pool, resulting in predictable random numbers. Probably this is the reason why /dev/urandom is not available to read for everyone. (deleted because Graeme Donaldson is right)

In case you'd still like to change the permission, look into the udev rules responsible for setting modes on /dev/urandom, instead of messing up your init scripts.

Under Debian, it's easy to find the guilty rule:

$ dpkg -L udev | xargs grep urandom
/lib/udev/rules.d/91-permissions.rules:KERNEL=="urandom", MODE="0666"

In your case, MODE is definitely not 0666.

Change it according to udev configuration rules, if you wish.

Note: http://lists.centos.org/pipermail/centos/2009-July/079134.html might help with changing udev.

You'll basically need to create a rule which looks like the grep result, except that it has a correct mode set, and add it as a rule file in /etc/udev/rules.d/ (mind the possible differences between Ubuntu and Debian!)
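
A scripted version of the rule-file approach from this answer, added here as an example (it is not part of the original answer): the rule file name 99-local-urandom.rules and the helper function names are my own choices, and udevadm trigger is the udev command that re-applies rules to nodes that already exist.

```shell
#!/bin/sh
# Added example, not from any of the answers on this page: restore the stock
# world-readable mode on /dev/urandom with a local udev rule, then verify.
# Assumptions: udev is in use, the rules directory is /etc/udev/rules.d
# (the first argument overrides it, e.g. for testing), and the file name
# 99-local-urandom.rules is my own choice.

# The rule line mirrors the stock Debian rule quoted above. A higher numeric
# prefix is processed later, so 99- takes effect after 91-permissions.rules.
urandom_rule_text() {
    printf 'KERNEL=="urandom", MODE="0666"\n'
}

# Write the rule into the rules directory (default /etc/udev/rules.d).
install_urandom_rule() {
    dir="${1:-/etc/udev/rules.d}"
    mkdir -p "$dir" || return 1
    urandom_rule_text > "$dir/99-local-urandom.rules"
}

# Ask udev to re-apply its rules to the existing urandom node (needs root).
apply_urandom_rule() {
    udevadm trigger --sysname-match=urandom
}

# Return 0 if "other" has read permission on the given path, 1 otherwise.
# Looks at the o+r column of ls -ld instead of using [ -r ], which would
# always succeed when the check itself runs as root.
world_readable() {
    case "$(ls -ld "$1" 2>/dev/null)" in
        ???????r*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print a one-line status for a node, as seen by non-root users.
check_device() {
    if world_readable "$1"; then
        echo "$1: readable by everyone"
    else
        echo "$1: NOT readable by non-root users"
    fi
}
```

As root, run `install_urandom_rule && apply_urandom_rule`, then `check_device /dev/urandom` to confirm the mode survived a re-trigger (and, later, a reboot).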

Solution 2:

As for how you can fix it, a temporary band-aid would be to just

echo "chmod 666 /dev/urandom" >> /etc/rc.local   # put it before the final "exit 0" if the file has one

Solution 3:

Actually the Ubuntu 12.04 OpenVZ template is now public and they fixed the permissions on the urandom as well as on the shm device.

Solution 4:

The problem is that udevtrigger hasn't been started. Try to restart it with /etc/init.d/udevtrigger restart... and if it solves the problem as it did for me... then change the /etc/init/udevtrigger.conf file:

-     and not-container)
+     )
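Review bot: dropping the `and not-container` clause means the udevtrigger job will now also start inside containers, which is the intended effect for OpenVZ here; since the hunk shows only the tail of the condition, double-check that the enclosing condition in /etc/init/udevtrigger.conf is still balanced after the edit (the closing parenthesis is kept on the `+` line) and mention in the answer that this widens the start condition for every container built from the template, not just the one being fixed.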