couchdb-dev mailing list archives

From "Jason Smith (JIRA)" <>
Subject [jira] [Commented] (COUCHDB-1656) Anonymous Users and Non-Admins Can Read the Security Object
Date Mon, 28 Jan 2013 09:49:12 GMT


Jason Smith commented on COUCHDB-1656:

Only admins can edit design documents, but all users can read them. There is nothing in databases
which are only visible to admins, so far. As a RESTful web service, if Couch lets me read
/some_db then it also lets me read /some_db/*.

If only admins can see _security, that would be the first time in CouchDB history (depending
how you count system DBs) where I can read a database but not some parts inside it.

I like the patch too, but this is a big change to the security model. I'd just like to think
this through carefully. With this patch, I could set

_security = {admins:..., members:..., ok_role:"some_role"}

and validate_doc_update =

function(newDoc, oldDoc, userCtx, secObj) {
  var has_the_role = ~userCtx.roles.indexOf(secObj.ok_role)
  // a validator rejects by throwing; a returned value is ignored, so this is the actual check
  if (!has_the_role) throw({forbidden: "requires role " + secObj.ok_role})
}

This is just restating my point that, with this patch, there are more secrets to think about
in the security system. Used to be, the _user document was the secret. Nothing else. Now we
have more secrets which interact in some complex way.

As a minor point, if we *do* take this patch, and if people *do* write validators that depend
on this feature, then the validation function will leak information about _security. People
can try variations on document data and user accounts (couch still lets you "sign up" without
limitation) and learn some things about _security. This is a theoretical secrecy leak but
it's worth identifying.
> Anonymous Users and Non-Admins Can Read the Security Object
> -----------------------------------------------------------
>                 Key: COUCHDB-1656
>                 URL:
>             Project: CouchDB
>          Issue Type: Bug
>          Components: Database Core
>            Reporter: Klaus Trainer
>         Attachments: 0001-Don-t-give-non-admins-read-access-to-db-_security.patch
> It is possible that anonymous users are able to read a DB's security object if the security
> object's `members` array is empty or missing. Also, it is generally possible for authenticated
> members (non-admin users) to read the security object.
> Only admin users should be allowed to read the security object.
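
The probing Jason describes above, as an added example that is not code from the CouchDB project or from the message: a validate_doc_update that branches on secObj is simulated in one process, and a self-registered account with no roles recovers part of _security purely from accept/reject decisions. The security object, the validator (validateDocUpdate), the server stand-in (wouldAccept), the probe functions (enumerateMemberRoles, holdsOkRole), the user names and the guess list are all constructed for this illustration.

```javascript
// Added example, not code from the CouchDB project or from the message above.
// Everything is constructed: the _security object, the validator and the
// "attacker" run in one process, with wouldAccept() standing in for the
// server's PUT handling instead of talking to a real CouchDB over HTTP.

// Constructed _security object for a hypothetical database, carrying the
// custom ok_role field from the comment above.
const secObj = {
  admins:  { names: ["alice"], roles: ["ops"] },
  members: { names: [],        roles: ["staff", "auditor"] },
  ok_role: "reviewer"
};

// Validator in the shape CouchDB uses: reject by throwing {forbidden: ...},
// accept by returning. It consults secObj twice: a doc may only claim a
// "team" that is one of the member roles, and only a holder of ok_role may
// set "approved". The error text is deliberately uniform, so the only
// signal an attacker gets is accept or reject.
function validateDocUpdate(newDoc, oldDoc, userCtx, secObj) {
  var memberRoles = (secObj.members && secObj.members.roles) || [];
  if (newDoc.team !== undefined && memberRoles.indexOf(newDoc.team) === -1) {
    throw({ forbidden: "not allowed" });
  }
  if (newDoc.approved && !~userCtx.roles.indexOf(secObj.ok_role)) {
    throw({ forbidden: "not allowed" });
  }
}

// Stand-in for the server: true if the write would be accepted.
function wouldAccept(doc, userCtx) {
  try {
    validateDocUpdate(doc, null, userCtx, secObj);
    return true;
  } catch (e) {
    if (e && e.forbidden) return false;
    throw e;                      // anything else is a bug, not a rejection
  }
}

// A self-registered account: open signup yields a name and no roles.
const mallory = { name: "mallory", roles: [] };

// Constructed guess list for role names.
const wordlist = ["admin", "staff", "auditor", "reviewer", "dev", "ops"];

// Variation on document data: one probe write per guess recovers
// secObj.members.roles without ever reading _security.
function enumerateMemberRoles(wordlist, userCtx) {
  return wordlist.filter(function (role) {
    return wouldAccept({ _id: "probe-" + role, team: role }, userCtx);
  });
}

// Variation on user accounts: a single probe tells a user whether one of
// the roles they hold is the one named in secObj.ok_role.
function holdsOkRole(userCtx) {
  return wouldAccept({ _id: "probe-approve", approved: true }, userCtx);
}

console.log(enumerateMemberRoles(wordlist, mallory));           // ["staff", "auditor"]
console.log(holdsOkRole(mallory));                               // false
console.log(holdsOkRole({ name: "bob", roles: ["reviewer"] }));  // true
```

Run it with node. Neither probe reads _security; the accept/reject decision alone reconstructs the member roles and confirms ok_role, so hiding the object from readers does not hide what a validator does with it. The practical consequence is either to keep validators from branching on secObj at all, or to treat every rejection as an oracle over whatever secObj fields the validator touches.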
