[Fusionforge-commits] r10248 - branches/Branch_5_0/gforge branches/Branch_5_0/gforge/debian/dsf-helper branches/Branch_5_0/gforge/debian/dsf-in trunk/src trunk/src/debian/dsf-helper trunk/src/debian/dsf-in

Thorsten Glaser mirabilos at libremir.placard.fr.eu.org
Fri Jul 16 10:15:49 CEST 2010


Author: mirabilos
Date: 2010-07-16 10:15:48 +0200 (Fri, 16 Jul 2010)
New Revision: 10248

Modified:
   branches/Branch_5_0/gforge/debian/dsf-helper/create-random-pw.config
   branches/Branch_5_0/gforge/debian/dsf-in/web-apache2.postinst.dsfh-in
   branches/Branch_5_0/gforge/setup
   trunk/src/debian/dsf-helper/create-random-pw.config
   trunk/src/debian/dsf-in/common.postinst
   trunk/src/debian/dsf-in/web-apache2.postinst.dsfh-in
   trunk/src/fusionforge.spec
   trunk/src/setup
Log:
prevent easy depletion of kernel entropy pool

The Linux RNG is relatively weak: reads from /dev/urandom can
deplete the pool very quickly so reads from /dev/random after-
wards will stall, possibly indefinitely, and there’s no, for
example, /dev/arandom like on some BSDs.

Also, bs=8 count=1 ≠ bs=1 count=8, because for the random de-
vices, each read request “eats up” a set amount of entropy
to generate a block of output, which will then be truncated
down to the length requested (8 or 1 byte(s), respectively),
so “bs=1 count=8” will use up eight times the entropy from
the kernel pool that “bs=8 count=1” does.


Modified: branches/Branch_5_0/gforge/debian/dsf-helper/create-random-pw.config
===================================================================
--- branches/Branch_5_0/gforge/debian/dsf-helper/create-random-pw.config	2010-07-16 08:15:23 UTC (rev 10247)
+++ branches/Branch_5_0/gforge/debian/dsf-helper/create-random-pw.config	2010-07-16 08:15:48 UTC (rev 10248)
@@ -1,6 +1,6 @@
 gen_random_pw () {		# Generate a random password
     if [ -c /dev/urandom ]; then  # ...using /dev/urandom when possible
-	tmp=$(dd if=/dev/urandom count=256 bs=1 2> /dev/null | md5sum | cut -b1-8)
+	tmp=$(dd if=/dev/urandom count=1 bs=8 2> /dev/null | md5sum | cut -b1-8)
     else			# ...or something else if need be.
 	# Last I was told, the Hurd had no /dev/urandom
 	# (Correct me if it has changed)
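Review bot: `cut -b1-8` keeps only eight hex digits, so the password from gen_random_pw carries at most 32 bits however many bytes dd reads, which is small for a credential that may face unthrottled guessing. With the read now at 8 bytes, the truncation is the limiting factor; if nothing downstream depends on an 8-character length, `tmp=$(dd if=/dev/urandom count=1 bs=8 2> /dev/null | md5sum | cut -b1-16)` would use all 64 bits that were read. The same 8-digit truncation is on the password defaults in both setup files and in the trunk copy of this helper. gen_random_pw continues past the end of this hunk, so its fallback branch is not visible here.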

Modified: branches/Branch_5_0/gforge/debian/dsf-in/web-apache2.postinst.dsfh-in
===================================================================
--- branches/Branch_5_0/gforge/debian/dsf-in/web-apache2.postinst.dsfh-in	2010-07-16 08:15:23 UTC (rev 10247)
+++ branches/Branch_5_0/gforge/debian/dsf-in/web-apache2.postinst.dsfh-in	2010-07-16 08:15:48 UTC (rev 10248)
@@ -30,11 +30,11 @@
 case "$1" in
     configure)
 	if [ -c /dev/urandom ]; then  # ...using /dev/urandom when possible
-	    sys_session_key=$(dd if=/dev/urandom count=256 bs=1 2> /dev/null | md5sum | cut -b1-32)
+	    sys_session_key=$(dd if=/dev/urandom count=1 bs=16 2> /dev/null | md5sum | cut -b1-32)
 	else			# ...or something else if need be.
 	    # Last I was told, the Hurd had no /dev/urandom
 	    # (Correct me if it has changed)
-	    sys_session_key=$(dd if=/dev/random count=256 bs=1 2> /dev/null | md5sum | cut -b1-32)
+	    sys_session_key=$(dd if=/dev/random count=1 bs=8 2> /dev/null | md5sum | cut -b1-32)
 	fi
 	add_onevar_mainconfile sys_session_key $sys_session_key
 	add_onevar_mainconfile sys_show_source 0
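Review bot: The /dev/random fallback now reads 8 bytes while the /dev/urandom branch reads 16, so on that path sys_session_key is printed as 32 hex digits but is derived from at most 64 bits of input. A single read from a blocking device may also return fewer bytes than requested and `count=1` does not retry, so the input can be shorter still; with GNU dd, `dd if=/dev/random count=1 bs=16 iflag=fullblock 2> /dev/null` would keep both branches at the same strength. A comment above the `if`, such as `# session key: md5 of 16 random bytes (32 hex digits)`, would record the intended size. The same pair of lines is in trunk/src/debian/dsf-in/web-apache2.postinst.dsfh-in, and the `case` block runs beyond this hunk.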

Modified: branches/Branch_5_0/gforge/setup
===================================================================
--- branches/Branch_5_0/gforge/setup	2010-07-16 08:15:23 UTC (rev 10247)
+++ branches/Branch_5_0/gforge/setup	2010-07-16 08:15:48 UTC (rev 10248)
@@ -20,7 +20,7 @@
 	DEFAULTdb_port=5432
 	DEFAULTdb_name=gforge
 	DEFAULTdb_user=gforge
-	DEFAULTdb_password=$(dd if=/dev/urandom count=256 bs=1 2> /dev/null | md5sum | cut -b1-8)
+	DEFAULTdb_password=$(dd if=/dev/urandom count=1 bs=8 2> /dev/null | md5sum | cut -b1-8)
 	DEFAULTip_address=`hostname -i`
 	DEFAULTscm_host=scm.$DEFAULTdomain_name
 	DEFAULTshell_host=shell.$DEFAULTdomain_name
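Review bot: Nothing on the visible lines checks that dd produced any output: stderr is discarded and, unlike the postinst scripts, there is no `[ -c /dev/urandom ]` test, so if the read fails md5sum hashes empty input and DEFAULTdb_password becomes the same fixed string on every affected install. A guard before the assignments, such as `[ -c /dev/urandom ] || { echo "setup: /dev/urandom not available" >&2; exit 1; }`, would surface the failure instead of yielding a known default credential. This applies to every dd line in the later hunks of this file and of trunk/src/setup, and to the HASH line in trunk/src/fusionforge.spec. The assignments sit in a block that starts outside this hunk, so a guard may already exist above it.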
@@ -42,12 +42,12 @@
 	DEFAULTpeerrating_groupid=4
 	DEFAULTtemplate_project=5
 	DEFAULTadmin_login=admin
-	DEFAULTadmin_password=$(dd if=/dev/urandom count=256 bs=1 2> /dev/null | md5sum | cut -b1-8)
+	DEFAULTadmin_password=$(dd if=/dev/urandom count=1 bs=8 2> /dev/null | md5sum | cut -b1-8)
 	DEFAULTskill_list="Ada;C;C++;HTML;LISP;Perl;PHP;Python;SQL"
 	DEFAULTdefault_trove_cat=18
 	DEFAULTldap_host=localhost
 	DEFAULTldap_base_dn="dc=`echo $DEFAULTdomain_name | sed 's/\./,dc=/g'`"
-	DEFAULTldap_web_add_password=$(dd if=/dev/urandom count=256 bs=1 2> /dev/null | md5sum | cut -b1-8)
+	DEFAULTldap_web_add_password=$(dd if=/dev/urandom count=1 bs=8 2> /dev/null | md5sum | cut -b1-8)
 	DEFAULTsys_path_to_mailman=$(if test -d /usr/lib/mailman; then echo /usr/lib/mailman; else echo /var/mailman; fi)
 	DEFAULTcgidir=$CGIDIR
 	DEFAULTcronolog_path=$(findcronolog)
@@ -64,14 +64,14 @@
 	# The place where file uploaded with http are stored for download
 	DEFAULTuploaddir=$GFGDIR/var/lib/gforge/download/
 	DEFAULTsys_urlroot=$SHAREDIR/www/
-	DEFAULTsys_jabber_pass=$(dd if=/dev/urandom count=256 bs=1 2> /dev/null | md5sum | cut -b1-8)
+	DEFAULTsys_jabber_pass=$(dd if=/dev/urandom count=1 bs=8 2> /dev/null | md5sum | cut -b1-8)
 	DEFAULTusr_share_gforge=$SHAREDIR
 	DEFAULTusr_lib_gforge=$LIBDIR
 	DEFAULTvar_lib_gforge=$GFGDIR/var/lib/gforge
 	DEFAULTvar_log_gforge=$GFGDIR/var/log/gforge
 	DEFAULTsys_show_source=0
 	DEFAULTsys_force_login=0
-	DEFAULTsys_session_key=$(dd if=/dev/urandom count=256 bs=1 2> /dev/null | md5sum | cut -b1-32)
+	DEFAULTsys_session_key=$(dd if=/dev/urandom count=1 bs=16 2> /dev/null | md5sum | cut -b1-32)
 	DEFAULTsys_session_expire='60 * 60 * 24 * 7'
 	DEFAULTsys_show_contact_info=1
 	DEFAULTsys_themeroot=$SHAREDIR/www/themes/
@@ -121,7 +121,7 @@
 	DEFAULTsys_require_accept_conditions=false
 	DEFAULTsys_require_unique_email=false
 	DEFAULTsys_localinc=$ETCDIR/local.inc
-	DEFAULTsys_jabber_pass=$(dd if=/dev/urandom count=256 bs=1 2> /dev/null | md5sum | cut -b1-8)
+	DEFAULTsys_jabber_pass=$(dd if=/dev/urandom count=1 bs=8 2> /dev/null | md5sum | cut -b1-8)
 	DEFAULTsys_plugins_path=$SHAREDIR/plugins/
 	DEFAULTsys_sslcrt=$(findcrt)
 	DEFAULTsys_sslkey=$(findkey)
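Review bot: DEFAULTsys_jabber_pass is assigned here and also in the @@ -64 hunk of the same file with an identical pipeline; if both assignments run in the same scope, the earlier value is discarded and one read of the random device is spent for nothing, which runs against the purpose of this change. Dropping one of the two, or replacing the duplicate with a comment like `# DEFAULTsys_jabber_pass is generated once above`, would remove the doubt about which value ends up in the configuration. trunk/src/setup carries the same pair in its @@ -64 and @@ -122 hunks. Whether the two lines share a scope cannot be seen from the hunks.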

Modified: trunk/src/debian/dsf-helper/create-random-pw.config
===================================================================
--- trunk/src/debian/dsf-helper/create-random-pw.config	2010-07-16 08:15:23 UTC (rev 10247)
+++ trunk/src/debian/dsf-helper/create-random-pw.config	2010-07-16 08:15:48 UTC (rev 10248)
@@ -1,6 +1,6 @@
 gen_random_pw () {		# Generate a random password
     if [ -c /dev/urandom ]; then  # ...using /dev/urandom when possible
-	tmp=$(dd if=/dev/urandom count=256 bs=1 2> /dev/null | md5sum | cut -b1-8)
+	tmp=$(dd if=/dev/urandom count=1 bs=8 2> /dev/null | md5sum | cut -b1-8)
     else			# ...or something else if need be.
 	# Last I was told, the Hurd had no /dev/urandom
 	# (Correct me if it has changed)

Modified: trunk/src/debian/dsf-in/common.postinst
===================================================================
--- trunk/src/debian/dsf-in/common.postinst	2010-07-16 08:15:23 UTC (rev 10247)
+++ trunk/src/debian/dsf-in/common.postinst	2010-07-16 08:15:48 UTC (rev 10248)
@@ -47,7 +47,7 @@
 	    if [ ! -e /etc/gforge/config.ini.d/debian-install-secrets.ini ] ; then
 		t=$(mktemp /etc/gforge/config.ini.d/debian-install-secrets.ini.XXXXXX)
 		if [ -c /dev/urandom ]; then  # ...using /dev/urandom when possible
-		    pw=$(dd if=/dev/urandom count=256 bs=1 2> /dev/null | md5sum | cut -c-32)
+		    pw=$(dd if=/dev/urandom count=1 bs=16 2> /dev/null | md5sum | cut -c-32)
 		else		# ...or something else if need be.
 		    pw=$(date +"%s:%N" | md5sum | cut -c-32)
 		fi
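Review bot: The `else` branch derives pw from `date +"%s:%N" | md5sum`, so when /dev/urandom is absent the install secret is a hash of the clock and holds far fewer unknown bits than the 16 random bytes read in the other branch. The commit tunes the dd line but leaves that fallback in place; failing the configure step is safer than writing a guessable secret, for example by replacing the fallback with `echo "no /dev/urandom; cannot generate install secret" >&2; exit 1`. If the fallback has to stay, a comment such as `# NOT cryptographically random: time-derived, rotate after install` would warn the next maintainer. The surrounding `if [ ! -e ... ]` block begins and ends outside this hunk.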

Modified: trunk/src/debian/dsf-in/web-apache2.postinst.dsfh-in
===================================================================
--- trunk/src/debian/dsf-in/web-apache2.postinst.dsfh-in	2010-07-16 08:15:23 UTC (rev 10247)
+++ trunk/src/debian/dsf-in/web-apache2.postinst.dsfh-in	2010-07-16 08:15:48 UTC (rev 10248)
@@ -30,11 +30,11 @@
 case "$1" in
     configure)
 	if [ -c /dev/urandom ]; then  # ...using /dev/urandom when possible
-	    sys_session_key=$(dd if=/dev/urandom count=256 bs=1 2> /dev/null | md5sum | cut -b1-32)
+	    sys_session_key=$(dd if=/dev/urandom count=1 bs=16 2> /dev/null | md5sum | cut -b1-32)
 	else			# ...or something else if need be.
 	    # Last I was told, the Hurd had no /dev/urandom
 	    # (Correct me if it has changed)
-	    sys_session_key=$(dd if=/dev/random count=256 bs=1 2> /dev/null | md5sum | cut -b1-32)
+	    sys_session_key=$(dd if=/dev/random count=1 bs=8 2> /dev/null | md5sum | cut -b1-32)
 	fi
 	add_onevar_mainconfile sys_session_key $sys_session_key
 	add_onevar_mainconfile sys_show_source 0

Modified: trunk/src/fusionforge.spec
===================================================================
--- trunk/src/fusionforge.spec	2010-07-16 08:15:23 UTC (rev 10247)
+++ trunk/src/fusionforge.spec	2010-07-16 08:15:48 UTC (rev 10248)
@@ -536,7 +536,7 @@
 	/etc/init.d/httpd restart >/dev/null 2>&1
 
 	# generate random hash for session_key
-	HASH=$(/bin/dd if=/dev/urandom bs=1024 count=100 2>/dev/null | /usr/bin/sha1sum | cut -c1-40)
+	HASH=$(/bin/dd if=/dev/urandom bs=32 count=1 2>/dev/null | /usr/bin/sha1sum | cut -c1-40)
 	%{__sed} -i -e "s/sys_session_key = 'foobar'/sys_session_key = '$HASH'/g" %{GFORGE_CONF_DIR}/local.inc
 
 	# add noreply mail alias

Modified: trunk/src/setup
===================================================================
--- trunk/src/setup	2010-07-16 08:15:23 UTC (rev 10247)
+++ trunk/src/setup	2010-07-16 08:15:48 UTC (rev 10248)
@@ -20,7 +20,7 @@
 	DEFAULTdb_port=
 	DEFAULTdb_name=gforge
 	DEFAULTdb_user=gforge
-	DEFAULTdb_password=$(dd if=/dev/urandom count=256 bs=1 2> /dev/null | md5sum | cut -b1-8)
+	DEFAULTdb_password=$(dd if=/dev/urandom count=1 bs=8 2> /dev/null | md5sum | cut -b1-8)
 	DEFAULTip_address=`hostname -i | cut -d' ' -f1`
 	DEFAULTscm_host=scm.$DEFAULTdomain_name
 	DEFAULTshell_host=shell.$DEFAULTdomain_name
@@ -42,12 +42,12 @@
 	DEFAULTpeerrating_groupid=4
 	DEFAULTtemplate_project=5
 	DEFAULTadmin_login=admin
-	DEFAULTadmin_password=$(dd if=/dev/urandom count=256 bs=1 2> /dev/null | md5sum | cut -b1-8)
+	DEFAULTadmin_password=$(dd if=/dev/urandom count=1 bs=8 2> /dev/null | md5sum | cut -b1-8)
 	DEFAULTskill_list="Ada;C;C++;HTML;LISP;Perl;PHP;Python;SQL"
 	DEFAULTdefault_trove_cat=18
 	DEFAULTldap_host=localhost
 	DEFAULTldap_base_dn="dc=`echo $DEFAULTdomain_name | sed 's/\./,dc=/g'`"
-	DEFAULTldap_web_add_password=$(dd if=/dev/urandom count=256 bs=1 2> /dev/null | md5sum | cut -b1-8)
+	DEFAULTldap_web_add_password=$(dd if=/dev/urandom count=1 bs=8 2> /dev/null | md5sum | cut -b1-8)
 	DEFAULTsys_path_to_mailman=$(if test -d /usr/lib/mailman; then echo /usr/lib/mailman; else echo /var/mailman; fi)
 	DEFAULTcgidir=$CGIDIR
 	DEFAULTcronolog_path=$(findcronolog)
@@ -64,14 +64,14 @@
 	# The place where file uploaded with http are stored for download
 	DEFAULTuploaddir=$GFGDIR/var/lib/gforge/download/
 	DEFAULTsys_urlroot=$SHAREDIR/www/
-	DEFAULTsys_jabber_pass=$(dd if=/dev/urandom count=256 bs=1 2> /dev/null | md5sum | cut -b1-8)
+	DEFAULTsys_jabber_pass=$(dd if=/dev/urandom count=1 bs=8 2> /dev/null | md5sum | cut -b1-8)
 	DEFAULTusr_share_gforge=$SHAREDIR
 	DEFAULTusr_lib_gforge=$LIBDIR
 	DEFAULTvar_lib_gforge=$GFGDIR/var/lib/gforge
 	DEFAULTvar_log_gforge=$GFGDIR/var/log/gforge
 	DEFAULTsys_show_source=0
 	DEFAULTsys_force_login=0
-	DEFAULTsys_session_key=$(dd if=/dev/urandom count=256 bs=1 2> /dev/null | md5sum | cut -b1-32)
+	DEFAULTsys_session_key=$(dd if=/dev/urandom count=1 bs=16 2> /dev/null | md5sum | cut -b1-32)
 	DEFAULTsys_session_expire='60 * 60 * 24 * 7'
 	DEFAULTsys_show_contact_info=1
 	DEFAULTsys_themeroot=$SHAREDIR/www/themes/
@@ -122,7 +122,7 @@
 	DEFAULTsys_require_accept_conditions=false
 	DEFAULTsys_require_unique_email=false
 	DEFAULTsys_localinc=$ETCDIR/local.inc
-	DEFAULTsys_jabber_pass=$(dd if=/dev/urandom count=256 bs=1 2> /dev/null | md5sum | cut -b1-8)
+	DEFAULTsys_jabber_pass=$(dd if=/dev/urandom count=1 bs=8 2> /dev/null | md5sum | cut -b1-8)
 	DEFAULTsys_plugins_path=$SHAREDIR/plugins/
 	DEFAULTsys_sslcrt=$(findcrt)
 	DEFAULTsys_sslkey=$(findkey)



