/dev/urandom", "/dev/null" is not available
(1) By TomaszDrozdz on 2019-07-26 13:14:33 [link] [source]
I have message:
WARNING: Device "/dev/null" is not available for reading and writing.
WARNING: Device "/dev/urandom" is not available for reading.
Why ?
(2) By Richard Hipp (drh) on 2019-07-26 14:16:07 in reply to 1 [link] [source]
SQLite wants access to /dev/urandom in order to seed its internal PRNG. The backoffice wants to open standard input and standard output on /dev/null to prevent problems.
Neither of these are absolutely required. But they do help things to run better and more securely.
(3) By Warren Young (wyoung) on 2019-07-26 18:23:24 in reply to 1 [source]
This is usually a symptom of having run Fossil as root, in which case it enters a chroot(2)
jail shortly after startup. (That's documented here.)
You can either:
Use
mknod(8)
to provide those dev nodes inside the jail.(There may be other things you need to provide inside the jail as well, but since I don't do this on my own servers, I can't come up with a list off the top of my head. It should probably be a section on the above-linked doc page.)
Don't run
fossil server
as root.If the reason you're doing that is so you can bind to a low-numbered TCP port, I'd recommend binding Fossil to a high-numbered static port instead. For LAN-only Fossil servers, I use 3691, being the old
svnserve
port number + 1. (I'm a Subversion refugee.) For Internet-facing servers, I use a semi-random port number and the--localhost
flag then put an HTTPS proxy in front of it to export that to the big bad world. The above doc has some ideas for this, including a link to my complicated and powerful nginx configuration. This not only solves the "port 80" problem, it properly secures the login process, prevents MITM attacks, and more.