How to check that php can use /dev/urandom?

I’ve got NextCloud 12 running on Ubuntu 16.04, and now am working through the Hardening and Security Guidance section of the Admin Manual. While it is a nice list of things to do, it could use more info on how to implement the guidance.

How do I verify that PHP has read access to /dev/urandom?

Thanks,

Kevin

Hi,

I don’t have a perfect idea, but it should give you a hint and therefore be applicable:

  • if you use/set open_basedir in your php.ini, you have to list/define every directory that PHP should be allowed to access
  • you can enter your nextcloud and your NC data folder there
  • don’t enter /dev/urandom for now
  • access nextcloud and notice the error message (in nextcloud.log if I remember correctly) that access to /dev/urandom is not allowed and that you have to define it in open_basedir

Then you know that it is actually used. Afterwards you add /dev/urandom to the open_basedir and watch the error message disappear.
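The procedure above uses Nextcloud itself as the probe. The script below is an added example (not part of this thread and not Nextcloud's own code) that does the same check directly: it reports the open_basedir in effect, tries to open and read /dev/urandom through PHP's stream layer (the access that open_basedir restricts and that the Nextcloud warning is about), and separately calls random_bytes(), which reads the kernel CSPRNG through the C runtime rather than a PHP stream and so is not restricted by open_basedir. The file name check_urandom.php and the paths in the usage comments are assumptions; substitute your own Nextcloud directory.

```php
<?php
// check_urandom.php -- added example, not part of the original thread or of Nextcloud.
// Run it as the user php-fpm runs as (www-data on Ubuntu), and pass the same
// open_basedir you set in the php-fpm php.ini, because the CLI uses its own php.ini:
//   sudo -u www-data php -d open_basedir=/var/www/nextcloud check_urandom.php
//   sudo -u www-data php -d open_basedir=/var/www/nextcloud:/dev/urandom check_urandom.php
// Exit status 0 means every check passed, 1 otherwise. Paths above are assumptions.

declare(strict_types=1);

/** Show the open_basedir this SAPI is actually running with. */
function describeBasedir(): string
{
    $basedir = ini_get('open_basedir');
    return ($basedir === '' || $basedir === false) ? '(unset)' : $basedir;
}

/**
 * Read $bytes bytes from /dev/urandom through PHP's stream layer.
 * With open_basedir set and /dev/urandom not listed, fopen() fails with an
 * "open_basedir restriction in effect" warning; we suppress it and report it ourselves.
 * Returns [bool $passed, string $detail].
 */
function checkDirectRead(int $bytes = 32): array
{
    $fh = @fopen('/dev/urandom', 'rb');
    if ($fh === false) {
        $err = error_get_last();
        return [false, 'fopen failed: ' . (isset($err['message']) ? $err['message'] : 'unknown error')];
    }
    $data = fread($fh, $bytes);
    fclose($fh);
    if ($data === false || strlen($data) !== $bytes) {
        return [false, 'short read from /dev/urandom'];
    }
    return [true, sprintf('read %d bytes (%s...)', $bytes, bin2hex(substr($data, 0, 4)))];
}

/**
 * random_bytes() (PHP >= 7) is what application code should use for a CSPRNG.
 * On Linux it uses getrandom(2) or opens /dev/urandom from C, not via PHP streams,
 * so open_basedir does not apply; it throws rather than returning weak output.
 * Returns [bool $passed, string $detail].
 */
function checkRandomBytes(int $bytes = 32): array
{
    try {
        $data = random_bytes($bytes);
        return [true, sprintf('random_bytes() ok (%s...)', bin2hex(substr($data, 0, 4)))];
    } catch (Exception $e) {
        return [false, 'random_bytes() failed: ' . $e->getMessage()];
    }
}

$ok = true;
printf("PHP %s, SAPI %s, open_basedir=%s\n", PHP_VERSION, PHP_SAPI, describeBasedir());
$checks = [
    'direct read of /dev/urandom' => checkDirectRead(),
    'random_bytes()'              => checkRandomBytes(),
];
foreach ($checks as $name => $result) {
    list($passed, $detail) = $result;   // list() keeps this PHP 7.0 compatible
    printf("[%s] %s: %s\n", $passed ? 'OK' : 'FAIL', $name, $detail);
    $ok = $ok && $passed;
}
exit($ok ? 0 : 1);
```

Run it once without /dev/urandom in the -d open_basedir value and once with it: the direct read should fail in the first run and pass in the second, while random_bytes() passes both times. The -d flag matters because on Ubuntu the CLI reads /etc/php/7.0/cli/php.ini, not the fpm one, so a bare `php check_urandom.php` tells you nothing about what php-fpm is allowed to do; only the values you pass explicitly (or a run through the web server) reflect the fpm configuration.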

Thank you very much for the idea. It was extremely helpful.

I enabled open_basedir, and only included the nextcloud directory and the log directory (the data directory was inside the nextcloud directory, so would be included with it). I found nothing in the logs about not being able to read /dev/urandom, but there was a red message about /dev/urandom in the web interface in the Security & setup warnings section, at the top of the Basic settings.

I added /dev/random to open_basedir, restarted php-fpm, and the complaint in the Security & setup warnings section disappeared. This seems to confirm that NextCloud thinks that /dev/urandom is readable, which is about as close as I think I can get to confirming PHP has read access to it.

I’ll experiment with leaving open_basedir set, as it should increase security, in theory. I’ll keep an eye on the logs, to see if there are any messages about unreadable directories or files.


Oh yes, you are right: it was the section “Security & Setup Warnings” then. I just wasn’t sure about that.
And yeah, I see this as a good indication that Nextcloud uses /dev/urandom as well.