Urandom and Random using Mcrypt

[Beanow]

On a lot of Linux servers I noticed that using fopen to get /dev/random or /dev/urandom data does not work because of open_basedir restrictions.

One way of bypassing this is using Mcrypt.
Consider adding a closure that can use this.

Example code:

if(function_exists('mcrypt_create_iv') && defined('MCRYPT_DEV_URANDOM')){
  $str = mcrypt_create_iv($bytes, MCRYPT_DEV_URANDOM);
  if($str !== false)
    return $str;
}

[ircmaxell]

An additional mcrypt source (or two) can definitely be added. I wouldn't "replace" the dev/(u)random sources, but augment them.

Additionally, if security is a concern, the server wouldn't be running openbasedir, but instead would be running a chroot jail.

[Beanow]

Yes using it as an augmentation was what I had in mind and is how I implemented it as well. In my case giving priority to the Mcrypt variant, because it's code will be more scrutinized than anything I ever wrote. :P

I agree the chroot jail would be better than open_basedir as far as security is concerned, but I suggested it mostly with shared hosting in mind where you'll just have to deal with what's available. And often direct reading access to these files is not part of it, while Mcrypt is a requirement for many utilities and requires less configuration so it's likely to be available on shared hosting.

[remicollet]

Everything using "mcryp" is just a bad idea.
This is now deprecated and will be remove in 7.2

[ircmaxell]

Honestly, I trust mcrypt more than I do OpenSSL, having read the source code of both. Note: that's not an endorsement of mcrypt, but a hit on OpenSSL.