couchdb-dev mailing list archives

From "Jason Smith (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (COUCHDB-1656) Anonymous Users and Non-Admins Can Read the Security Object
Date Mon, 28 Jan 2013 09:49:12 GMT

    [ https://issues.apache.org/jira/browse/COUCHDB-1656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13564159#comment-13564159 ]

Jason Smith commented on COUCHDB-1656:
--------------------------------------

Only admins can edit design documents, but all users can read them. There is nothing in databases
that is only visible to admins, so far. As a RESTful web service, if Couch lets me read
/some_db then it also lets me read /some_db/*.

If only admins can see _security, that would be the first time in CouchDB history (depending
on how you count system DBs) where I can read a database but not some parts inside it.

I like the patch too, but this is a big change to the security model. I'd just like to think
this through carefully. With this patch, I could set

_security = {admins:..., members:..., ok_role:"some_role"}

and validate_doc_update =

function(newDoc, oldDoc, userCtx, secObj) {
  // ~indexOf() is 0 when the role is absent (indexOf returned -1) and non-zero otherwise
  var has_the_role = ~userCtx.roles.indexOf(secObj.ok_role);
  // a validate_doc_update function rejects by throwing; returning a value never rejects
  if (!has_the_role) {
    throw({forbidden: "missing role " + secObj.ok_role});
  }
}

This is just restating my point that, with this patch, there are more secrets to think about
in the security system. Used to be, the _user document was the secret. Nothing else. Now we
have more secrets which interact in some complex way.

As a minor point, if we *do* take this patch, and if people *do* write validators that depend
on this feature, then the validation function will leak information about _security. People
can try variations on document data and user accounts (couch still lets you "sign up" without
limitation) and learn some things about _security. This is a theoretical secrecy leak but
it's worth identifying.
                
> Anonymous Users and Non-Admins Can Read the Security Object
> -----------------------------------------------------------
>
>                 Key: COUCHDB-1656
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-1656
>             Project: CouchDB
>          Issue Type: Bug
>          Components: Database Core
>            Reporter: Klaus Trainer
>         Attachments: 0001-Don-t-give-non-admins-read-access-to-db-_security.patch
>
>
> It is possible that anonymous users are able to read a DB's security object if the security
> object's `members` array is empty or missing. Also, it is generally possible for authenticated
> members (non-admin users) to read the security object.
> Only admin users should be allowed to read the security object.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
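The leak Jason describes, as an added example that is not part of the JIRA thread or of CouchDB's own code: a small stand-in for how CouchDB dispatches validate_doc_update (a thrown {forbidden: msg} becomes a 403 whose reason is the message) runs two validators that both depend on a field in _security. The `ok_role` field and the `finance_team` value are constructed for the example, following the hypothetical field in the comment; they are not real CouchDB security properties.

```javascript
// Constructed sample _security object. "ok_role" is the hypothetical extra
// field from the comment, not a real CouchDB security property.
const secObj = {
  admins: { names: [], roles: ["_admin"] },
  members: { names: [], roles: [] },
  ok_role: "finance_team",
};

// Validator that depends on the secret field and echoes it in the error text.
function leakyValidator(newDoc, oldDoc, userCtx, secObj) {
  if (userCtx.roles.indexOf(secObj.ok_role) === -1) {
    throw { forbidden: "You need role " + secObj.ok_role };
  }
}

// Same rule with a generic message: the response reveals only accept/reject.
function quietValidator(newDoc, oldDoc, userCtx, secObj) {
  if (userCtx.roles.indexOf(secObj.ok_role) === -1) {
    throw { forbidden: "Update not permitted" };
  }
}

// Mimics CouchDB's handling of a validator throw: {forbidden: msg} -> 403,
// {unauthorized: msg} -> 401, no throw -> the write is accepted (201).
function runUpdate(validator, userCtx, newDoc, oldDoc) {
  try {
    validator(newDoc, oldDoc, userCtx, secObj);
    return { status: 201, reason: null };
  } catch (e) {
    if (e && e.forbidden) return { status: 403, reason: e.forbidden };
    if (e && e.unauthorized) return { status: 401, reason: e.unauthorized };
    throw e; // anything else is a genuine script error
  }
}

// Response a user holding the given roles gets for one document write.
function responseFor(validator, roles) {
  const userCtx = { name: "alice", roles: roles }; // constructed user
  return runUpdate(validator, userCtx, { _id: "doc1" }, null);
}

// True when the error text handed back to the client contains the secret
// value from _security, i.e. the validator has copied it into the response.
function reasonRevealsSecret(resp) {
  return resp.reason !== null && resp.reason.indexOf(secObj.ok_role) !== -1;
}

// Stand-alone run: compare what a role-less user sees from each validator.
console.log(responseFor(leakyValidator, []));
console.log(responseFor(quietValidator, []));
```

The generic message keeps the value of the secret field out of the response body, but the 403-versus-201 outcome still depends on _security, so each write attempt by a self-registered account still answers one yes/no question about it; that remaining bit is the theoretical leak the comment identifies, and the reason a validator built on secret _security fields needs to be weighed against the secrecy it is supposed to buy.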
