I’ve got NextCloud 12 running on Ubuntu 16.04, and now am working through the Hardening and Security Guidance section of the Admin Manual. While it is a nice list of things to do, it could use more info on how to implement the guidance.
How do I verify that PHP has read access to /dev/urandom?
I don’t have a perfect idea, but it should give you a hint and therefore be applicable:
if you use/set open_basedir in your php.ini you have to list/define every directory that PHP should be allowed to access
you can enter your nextcloud and your NC data folder there
don’t enter /dev/urandom for now
access nextcloud and notice the error message (in nextcloud.log if I remember correctly) that access to /dev/urandom is not allowed and that you have to define it in open_basedir
Then you know that it is actually used. Afterwards you add /dev/urandom to the open_basedir and watch the error message disappear.
Thank you very much for the idea. It was extremely helpful.
I enabled open_basedir, and only included the nextcloud directory and the log directory (the data directory was inside the nextcloud directory, so would be included with it). I found nothing in the logs about not being able to read /dev/urandom, but there was a red message about /dev/urandom in the web interface in the Security & setup warnings section, at the top of the Basic settings.
I added /dev/random to open_basedir, restarted php-fpm, and the complaint in the Security & setup warnings section disappeared. This seems to confirm that NextCloud thinks that /dev/urandom is readable, which is about as close as I think I can get to confirming PHP has read access to it.
I’ll experiment with leaving open_basedir set, as it should increase security, in theory. I’ll keep an eye on the logs, to see if there are any messages about unreadable directories or files.
Oh yes, you are right: it was the section “Security & Setup Warnings” then. I just wasn’t sure about that.
And yeah, I see this as a good indication that Nextcloud uses /dev/urandom as well.
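
A direct way to check what the thread confirms indirectly, as an added example that is not part of the original posts or of Nextcloud's own code: a small PHP script that reports the active open_basedir and tries to open and read /dev/urandom. The function name `check_urandom` is hypothetical, and the script assumes PHP 7.0 or later and that it is served temporarily through the same php-fpm pool as Nextcloud, from a directory already allowed by open_basedir.

```php
<?php
// Added example: report whether this PHP SAPI can read /dev/urandom.
// Run it through the same SAPI as Nextcloud (php-fpm behind the web server);
// the CLI usually loads a different php.ini, so its open_basedir may differ.

function check_urandom(string $path = '/dev/urandom', int $len = 16): array
{
    $result = [
        'sapi'         => PHP_SAPI,
        'open_basedir' => ini_get('open_basedir') ?: '(not set)',
        'readable'     => false,
        'bytes_read'   => 0,
        'error'        => null,
    ];

    // is_readable() honours open_basedir; @ hides the warning raised when
    // the path is outside the allowed list, so the result is just false.
    $result['readable'] = @is_readable($path);

    // Opening the device is the real test: file permissions, open_basedir
    // and any chroot all have to allow it.
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        $err = error_get_last();
        $result['error'] = $err['message'] ?? 'fopen failed';
        return $result;
    }

    // Disable read buffering so only $len bytes are pulled from the device.
    stream_set_read_buffer($fh, 0);
    $data = fread($fh, $len);
    fclose($fh);

    // Report only the byte count, never the random bytes themselves.
    $result['bytes_read'] = ($data === false) ? 0 : strlen($data);
    return $result;
}

header('Content-Type: text/plain');
foreach (check_urandom() as $key => $value) {
    printf("%-13s %s\n", $key . ':', is_string($value) ? $value : var_export($value, true));
}
```

With /dev/urandom missing from a restrictive open_basedir, `readable` is false and `error` carries the open_basedir restriction message; once the path is listed and php-fpm restarted, `bytes_read` should equal 16. Delete the script after the check.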