Consistently use /dev/urandom instead of /dev/random in scripts and docs

Unbound code call /dev/urandom (see below)  but various docs and scripts
mention /dev/random which may be confusing.

https://github.com/NLnetLabs/unbound/blob/release-1.9.3/compat/arc4random.c#L107
https://github.com/NLnetLabs/unbound/blob/release-1.9.3/compat/getentropy_linux.c#L251
https://github.com/NLnetLabs/unbound/blob/release-1.9.3/compat/getentropy_osx.c
https://github.com/NLnetLabs/unbound/blob/release-1.9.3/compat/getentropy_solaris.c#L116

diff --git a/contrib/unbound.init b/contrib/unbound.init
index cccadeccf5b70a79287a451e67451b4391348538..c5bb52bb4d6926078df70eb99107a9f51b526474 100644 (file)
--- a/contrib/unbound.init
+++ b/contrib/unbound.init
@@ -54,10 +54,10 @@ start() {
        [ -e ${rootdir}/dev/log ] || touch ${rootdir}/dev/log
        mount --bind -n /dev/log ${rootdir}/dev/log >/dev/null 2>&1;
     fi;
-    if ! egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/random' /proc/mounts; then
+    if ! egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/urandom' /proc/mounts; then
        [ -d ${rootdir}/dev ] || mkdir -p ${rootdir}/dev ;
-       [ -e ${rootdir}/dev/random ] || touch ${rootdir}/dev/random
-       mount --bind -n /dev/random ${rootdir}/dev/random >/dev/null 2>&1;
+       [ -e ${rootdir}/dev/urandom ] || touch ${rootdir}/dev/urandom
+       mount --bind -n /dev/urandom ${rootdir}/dev/urandom >/dev/null 2>&1;
     fi;
 
     # if not running, start it up here
@@ -78,8 +78,8 @@ stop() {
     if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/log' /proc/mounts; then
        umount ${rootdir}/dev/log >/dev/null 2>&1
     fi;
-    if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/random' /proc/mounts; then
-       umount ${rootdir}/dev/random >/dev/null 2>&1
+    if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/urandom' /proc/mounts; then
+       umount ${rootdir}/dev/urandom >/dev/null 2>&1
     fi;
     return $retval
 }

diff --git a/contrib/unbound.init_fedora b/contrib/unbound.init_fedora
index 9f7e4422b21eb990f9829be34e39d033881a7e3d..989440341989e693250cf5e501a8e74b64af4fdb 100644 (file)
--- a/contrib/unbound.init_fedora
+++ b/contrib/unbound.init_fedora
@@ -42,7 +42,7 @@ start() {
            cp -fp /etc/localtime ${rootdir}/etc/localtime
        fi;
        mount --bind -n /dev/log ${rootdir}/dev/log >/dev/null 2>&1;
-       mount --bind -n /dev/random ${rootdir}/dev/random >/dev/null 2>&1;
+       mount --bind -n /dev/urandom ${rootdir}/dev/urandom >/dev/null 2>&1;
        mount --bind -n /var/run/unbound ${rootdir}/var/run/unbound >/dev/null 2>&1;
 
     # if not running, start it up here
@@ -58,7 +58,7 @@ stop() {
     killproc -p $pidfile unbound
     retval=$?
     [ $retval -eq 0 ] && rm -f $lockfile
-    for mountfile in /dev/log /dev/random /etc/localtime /etc/resolv.conf /var/run/unbound
+    for mountfile in /dev/log /dev/urandom /etc/localtime /etc/resolv.conf /var/run/unbound
     do
     if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}''${mountfile}'' /proc/mounts; then
        umount ${rootdir}$mountfile >/dev/null 2>&1

diff --git a/daemon/daemon.c b/daemon/daemon.c
index 96cc443ea3b2595758bb1f2a48678872664827bf..e09138cb133e04d8d5fccdb366b2c2b2d2bda0ce 100644 (file)
--- a/daemon/daemon.c
+++ b/daemon/daemon.c
@@ -248,7 +248,7 @@ daemon_init(void)
        /* init timezone info while we are not chrooted yet */
        tzset();
 #endif
-       /* open /dev/random if needed */
+       /* open /dev/urandom if needed */
        ub_systemseed((unsigned)time(NULL)^(unsigned)getpid()^0xe67);
        daemon->need_to_exit = 0;
        modstack_init(&daemon->mods);

diff --git a/dnscrypt/dnscrypt.c b/dnscrypt/dnscrypt.c
index 0787dec23ddbbe312fdd8f22d0144f8efe29452e..2b38a1cdbba8be123cfdf1164741f3e7ee4d8cf3 100644 (file)
--- a/dnscrypt/dnscrypt.c
+++ b/dnscrypt/dnscrypt.c
@@ -877,7 +877,7 @@ sodium_misuse_handler(void)
        fatal_exit(
                "dnscrypt: libsodium could not be initialized, this typically"
                " happens when no good source of entropy is found. If you run"
-               " unbound in a chroot, make sure /dev/random is available. See"
+               " unbound in a chroot, make sure /dev/urandom is available. See"
                " https://www.unbound.net/documentation/unbound.conf.html");
 }
 

diff --git a/doc/README b/doc/README
index a103888670271fdb8c44a81e571203aef1c3fa2a..b9366ffe6c8fc12091b585edcddcb05ae6764972 100644 (file)
--- a/doc/README
+++ b/doc/README
@@ -99,7 +99,7 @@ o If you are not receiving the correct source IP address on replies (e.g.
   the config file is an alternative. The interface-automatic option uses
   non portable socket options, Linux and FreeBSD should work fine.
 o The warning 'openssl has no entropy, seeding with time', with chroot 
-  enabled, may be solved with a symbolic link to /dev/random from <chrootdir>.
+  enabled, may be solved with a symbolic link to /dev/urandom from <chrootdir>.
 o On Solaris 5.10 some libtool packages from repositories do not work with
   gcc, showing errors gcc: unrecognized option `-KPIC'
   To solve this do ./configure libtool=./libtool [your options...].

diff --git a/doc/TODO b/doc/TODO
index bfeef4aa47bf60370ff5a7da72b86e647ae915e3..a2690451a2bbb9fc784d9f541cb5ec73dc31c394 100644 (file)
--- a/doc/TODO
+++ b/doc/TODO
@@ -29,7 +29,7 @@ o support OPT record placement on recv anywhere in the additional section.
 o add local-file: config with authority features.
 o (option) to make local-data answers be secure for libunbound (default=no)
 o (option) to make chroot: copy all needed files into jail (or make jail)
-       perhaps also print reminder to link /dev/random and sysloghack.
+       perhaps also print reminder to link /dev/urandom and sysloghack.
 o overhaul outside-network servicedquery to merge with udpwait and tcpwait,
   to make timers in servicedquery independent of udpwait queues.
 o check into rebinding ports for efficiency, configure time test.

diff --git a/doc/example.conf.in b/doc/example.conf.in
index c8f53cfe40f1d50ac0fbef9f85d41bc92d3812b8..9d8edbf9eade7be3c68c88127587d20154270a21 100644 (file)
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -286,7 +286,7 @@ server:
        # The pid file can be absolute and outside of the chroot, it is
        # written just prior to performing the chroot and dropping permissions.
        #
-       # Additionally, unbound may need to access /dev/random (for entropy).
+       # Additionally, unbound may need to access /dev/urandom (for entropy).
        # How to do this is specific to your OS.
        #
        # If you give "" no chroot is performed. The path must not end in a /.

diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 5be74503af1493705ffe5371dbda35de682a78c9..b7ff7232638ae1d9fbd599bd0b2b96b1cbd214c6 100644 (file)
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -50,7 +50,7 @@ server:
        username: unbound
        # make sure unbound can access entropy from inside the chroot.
        # e.g. on linux the use these commands (on BSD, devfs(8) is used):
-       #      mount \-\-bind \-n /dev/random /etc/unbound/dev/random
+       #      mount \-\-bind \-n /dev/urandom /etc/unbound/dev/urandom
        # and  mount \-\-bind \-n /dev/log /etc/unbound/dev/log
        chroot: "/etc/unbound"
        # logfile: "/etc/unbound/unbound.log"  #uncomment to use logfile.
@@ -633,7 +633,7 @@ to chroot and dropping permissions. This allows the pidfile to be
 Unbound is not able to remove the pidfile after termination when it is located
 outside of the chroot directory.
 .IP
-Additionally, unbound may need to access /dev/random (for entropy)
+Additionally, unbound may need to access /dev/urandom (for entropy)
 from inside the chroot.
 .IP
 If given a chroot is done to the given directory. By default chroot is