Bug#501497: apache2-utils: htpasswd may block indefinitely on /dev/random
Package: apache2-utils
Version: 2.2.9-7
Severity: minor
Greetings,
Having recently upgraded from a relatively old apache 1.3-era package I have found
a quick script I wrote to periodically syncronise passwords had become unreliable.
Further investigation reveals that htpasswd invoked from this script around 50 times
blocks for long periods. It previously took trivial time (very much less than one
second). Running strace, I see:
$ strace htpasswd -c -b testfile testuser testpass
[much output]
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
uname({sys="Linux", node="gamma", ...}) = 0
brk(0) = 0x804c000
brk(0x806d000) = 0x806d000
stat64("testfile", 0xbfb4f970) = -1 ENOENT (No such file or directory)
open("testfile", O_WRONLY|O_CREAT|O_LARGEFILE, 0666) = 3
close(3) = 0
open("/dev/random", O_RDONLY) = 3
read(3,
Clearly I'm entropy-starved. However, I'd question whether a tool such as htpasswd
cannot do with /dev/urandom. Delving into the code, it uses it to seed rand(3) so
it clearly does not use /dev/random for any purpose where pure entropy is required.
Previously it had used time(2) -- this change to use a blocking function in the APR
is the source of the regression.
Cheers,
Joseph
-- System Information:
Debian Release: lenny/sid
Architecture: i386 (i686)
Kernel: Linux 2.6.18-6-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages apache2-utils depends on:
ii libapr1 1.2.12-4 The Apache Portable Runtime Librar
ii libaprutil1 1.2.12+dfsg-8 The Apache Portable Runtime Utilit
ii libc6 2.7-13 GNU C Library: Shared libraries
ii libssl0.9.8 0.9.8g-13 SSL shared libraries
apache2-utils recommends no packages.
apache2-utils suggests no packages.
-- no debconf information
Reply to: