Warnings (read/password) during installation of dcc-common
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| dcc (Ubuntu) | Invalid | Undecided | Unassigned | |
Bug Description
Binary package hint: dcc-common
Just installed dcc-server on Feisty for test purposes, which depends on dcc-common. During configuration of dcc-common, the following warnings are output. I didn't check whether the functionality is o.k., just wanted to report the installation issues.
```
# apt-get install dcc-server
[...]
Setting up dcc-common (1.3.42-4) ...
Adding system group: dcc.
Adding group `dcc' (GID 128) ...
Done.
Adding system user: dcc.
Adding system user `dcc' (UID 104) ...
Adding new user `dcc' (UID 104) with group `dcc' ...
Not creating home directory `/var/lib/dcc'.
read: 65: Illegal option -n
Warning, no random device found, password might be insecure
read: 65: Illegal option -n
Warning, no random device found, password might be insecure
Updating DCC map.
```
The warnings are printed because dcc-common.postinst uses /bin/sh as shell, which is dash in Feisty and not bash.
Bash understands option "-n" for the read command, while dash doesn't.
Because of the failing read, /dev/urandom is not used as random source, but instead the 'ps ax' output is used; therefore the warning about the potentially insecure password.
Suggestion to fix this:
Instead of testing the readability of /dev/urandom in line 6 of dcc-common.postinst with

```
if ! read -n 0 < $RANDOMDEVICE ; then
```

which tries to read zero characters, one could use the readability test

```
if [ ! -r "$RANDOMDEVICE" ]; then
```
Maybe the security of the generated passwords can be discussed anyway, because the output of /dev/urandom or "ps ax" is piped through 'cksum' later on which will produce predictable output (the last 4 characters will be 'x120' usually for /dev/urandom input). This is not a great issue because the leading checksum is about 9 or 10 characters and probably as unpredictable as the used random source.
An alternative to generate the passwords by some script mimic would be to depend on the package pwgen and use e.g. "`pwgen -cns 10`" in lines 34/35 of dcc-common.postinst.
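A constructed POSIX-sh example, added here and not taken from the dcc-common postinst or the reporter: it pairs the portable `[ -r ]` device check with a probe for the bash-only `read -n` that produced the warnings, and generates a password by reading hex characters straight from the random device instead of passing it through cksum. The function names and the `od`-based generator are this example's own choices.

```shell
#!/bin/sh
# Constructed example (not the dcc-common postinst): runs identically under
# dash and bash, which is the property the original script lacked.

# The original test was `read -n 0 < $RANDOMDEVICE`.  `read -n` is a bash
# extension: dash prints "Illegal option -n" and the postinst then fell back
# to the weak `ps ax` source.  This reports whether the running shell accepts
# that construct, judged by whether read emits any error text.
shell_supports_read_n() {
    [ -z "$( (read -n 0 < /dev/null) 2>&1 )" ]
}

# Portable replacement: the device must exist as a character device and be
# readable.  Both tests are POSIX and behave the same in dash and bash.
random_device_readable() {
    dev=${1:-/dev/urandom}
    [ -c "$dev" ] && [ -r "$dev" ]
}

# Password of N hex characters drawn directly from the random device.
# od -N is POSIX; one byte gives two hex digits, so read ceil(N/2) bytes.
# There is no checksum stage, hence no fixed trailing byte-count to predict.
gen_password() {
    n=${1:-10}
    dev=${2:-/dev/urandom}
    random_device_readable "$dev" || return 1
    bytes=$(( (n + 1) / 2 ))
    od -An -tx1 -N "$bytes" "$dev" | tr -d ' \n' | cut -c1-"$n"
}

# When run directly: show what the original test would have done here.
if shell_supports_read_n; then
    echo "this shell accepts read -n (bash-like); original test would pass"
else
    echo "this shell rejects read -n (dash-like); original test would fail"
fi
if random_device_readable /dev/urandom; then
    echo "password: $(gen_password 10)"
fi
```

Run it with `sh script.sh` and again with `bash script.sh` on a Debian-derived system to see the first line flip while the password generation works in both.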