Why is /dev/urandom only readable by root since Ubuntu 12.04 and how can I "fix" it?
I used to work with Ubuntu 10.04 templates on a lot of servers. Since changing to 12.04 I have problems that I've now isolated.
The /dev/urandom device is only accessible to root.
This caused SSL engines, at least in PHP, for example file_get_contents(https://... to fail.
It also broke redmine.
After a chmod 644 it works fine, but that doesnt stay upon reboot.
So my question.
why is this? I see no security risk because... i mean.. wanna steal some random data?
How can I "fix" it? The servers are isolated and used by only one application, thats why I use openvz. I think about something like a runlevel script or so... but how do I do it efficiently? Maby with dpkg or apt?
The same goes vor /dev/shm. in this case i totally understand why its not accessible, but I assume I can "fix" it the same way to fix /dev/urandom
Solution 1:
With excessive reading from udev, you can drain the random pool, resulting in predictable random numbers. Probably this is the reason why /dev/urandom is not available to read for everyone. (deleted because Graeme Donaldson is right)
In case you'd still like to change the permission,look into the udev rules responsible for setting modes on /dev/urandom, instead of messing up your init scripts.
Under Debian, it's easy to find the guilty rule:
$ dpkg -L udev | xargs grep urandom
/lib/udev/rules.d/91-permissions.rules:KERNEL=="urandom", MODE="0666"
In your case, MODE is definitely not 0666.
Change it according udev configuration rules, if you wish.
Note: http://lists.centos.org/pipermail/centos/2009-July/079134.html might help with changing udev.
You'll basically need to create a rule with looks like the grep result, except that is has a correct mode set, and add it as a rulefile in /etc/udev/rules.d/ (mind the possible differences in Ubuntu and Debian!)
Solution 2:
As for how you can fix it, a temporary band-aid would be to just
cat "chmod 666 /dev/urandom" >> /etc/rc.local
Solution 3:
actually the ubuntu 12.04 openvz template is now public and they fixed the permissions as well on the uraondm as on the shm device
Solution 4:
The problem that udevtrigger hasn't been started.
Try to restart with /etc/init.d/udevtrigger restart
... and if it solve the problem as for me... then change /etc/init/udevtrigger.conf file:
- and not-container)
+ )