Are macports builds prevented from accessing /dev/random ?

Christopher Jones jonesc at
Tue Jun 13 22:18:00 UTC 2017

> On 13 Jun 2017, at 10:42 pm, Joshua Root <jmr at> wrote:
> On 2017-6-14 07:05 , Daniel J. Luke wrote:
>> On Jun 13, 2017, at 4:57 PM, Christopher Jones <jonesc at> wrote:
>>> :info:build open('/dev/random'): Operation not permitted
>>> Now, this works outside. So I suspect the build is in some way prevent the build process from accessing this. Is this possible ? If so, more to the point, is there a way I can get this to work… ?
>> I suspect the sandbox doesn't include access to /dev/random (Macports started using sandbox-exec with version 2.2.0)
>> As a temporary workaround (or to test this theory) you can add "sandbox_enable no" to your macports.conf
> Our sandbox only restricts writes. Seems like the program is opening /dev/random with O_RDWR? Writing to it is technically allowed (though I don't know that it does anything on darwin), so we should probably add it to the sandbox exceptions, but I'm not sure why it would be needed.

Had a look into this. The ROOT source never explicitly opens /dev/random in read/write mode. Only read only. 

However, it also uses a number of external library calls, like std::rand(), and my best bet is one of these is doing it. As writing to /dev/random is allowed, to update the entropy pool, I don’t think this in itself is an issue.

So is it OK to add /dev/random to the allowed locations for the sandbox ?

cheers Chris

> - Josh

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 1910 bytes
Desc: not available
URL: <>

More information about the macports-dev mailing list