Date: Sat, 3 Aug 2013 17:39:49 +0000 (UTC)
From: "Jan Lehnardt (JIRA)"
To: dev@couchdb.apache.org
Subject: [jira] [Commented] (COUCHDB-1838) Specifying public_fields parameter discloses all user docs

    [ https://issues.apache.org/jira/browse/COUCHDB-1838?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13728605#comment-13728605 ]

Jan Lehnardt commented on COUCHDB-1838:
---------------------------------------

I think the current behaviour is correct enough to ship in 1.4.0 with a big fat warning around public_fields, as it alters the semantics of _users significantly. However, if it is disabled by default and consciously enabled, I think that's a fair trade-off a CouchDB admin can make.

I don't think a solution that opens all docs on _all_docs is going to be a very good idea.

If anything, we could store a flag in the by-id & by-seq indexes (that decides whether a doc has public properties, and thus can be included). But I think this is hairy enough to ignore for now and not think through all too properly.

> Specifying public_fields parameter discloses all user docs
> ----------------------------------------------------------
>
>                 Key: COUCHDB-1838
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-1838
>             Project: CouchDB
>          Issue Type: Bug
>            Reporter: Alexander Shorin
>            Priority: Blocker
>             Fix For: 1.4
>
>
> When public_fields are specified it's possible to retrieve all available user docs, no matter whether they contain the specified public fields or not.
> 0. Set up some users:
> {code}
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:abc -d '{"name":"abc", "roles":[], "type":"user", "password": "cba"}' -H "Content-Type: application/json"
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:def -d '{"name":"def", "roles":[], "type":"user", "password": "fed"}' -H "Content-Type: application/json"
> {code}
> 1. Check the old behavior without public_fields:
> {code}
> curl -v http://abc:cba@localhost:5984/_users/_all_docs
> HTTP/1.1 403 Forbidden
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> Date: Fri, 21 Jun 2013 23:12:13 GMT
> Content-Type: text/plain; charset=utf-8
> Content-Length: 87
> Cache-Control: must-revalidate
>
> {"error":"forbidden","reason":"Only admins can access _all_docs of system databases."}
> {code}
> 2. Specify some public fields that no one actually has:
> {code}
> curl -X PUT http://localhost:5984/_config/couch_httpd_auth/public_fields -d '"no_user_will_never_has_ziz_field_in_his_doc"' -H "Content-Type: application/json" --user couch_admin
> {code}
> 3. Try step 1 one more time:
> {code}
> curl -v http://abc:cba@localhost:5984/_users/_all_docs
> HTTP/1.1 200 OK
> Transfer-Encoding: chunked
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> ETag: "55N0CA8VM2Z0DQO85L1PM20XS"
> Date: Fri, 21 Jun 2013 23:15:05 GMT
> Content-Type: text/plain; charset=utf-8
> Cache-Control: must-revalidate
>
> {"total_rows":6,"offset":0,"rows":[
> {"id":"_design/_auth","key":"_design/_auth","value":{"rev":"1-619db7ba8551c0de3f3a178775509611"}},
> {"id":"org.couchdb.user:abc","key":"org.couchdb.user:abc","value":{"rev":"1-64d299987b4df59c048171a8ab8ba951"}},
> {"id":"org.couchdb.user:def","key":"org.couchdb.user:def","value":{"rev":"1-479a3e8a66652838706cc49544730a34"}},
> {"id":"org.couchdb.user:foo","key":"org.couchdb.user:foo","value":{"rev":"1-3859ee3742314dcb4b4f1ffaba398c91"}},
> {"id":"org.couchdb.user:mia","key":"org.couchdb.user:mia","value":{"rev":"1-f87f5003323e705d8c7a533cdd0a267c"}},
> {"id":"org.couchdb.user:root","key":"org.couchdb.user:root","value":{"rev":"1-f43dadbe5e780f392a6bd283686b3704"}}
> ]}
> {code}
> Same for anonymous user:
> {code}
> curl -v http://localhost:5984/_users/_all_docs
> HTTP/1.1 200 OK
> Transfer-Encoding: chunked
> Server: CouchDB/1.4.0+build.8d7ab8b (Erlang OTP/R16B)
> ETag: "55N0CA8VM2Z0DQO85L1PM20XS"
> Date: Sat, 22 Jun 2013 00:04:17 GMT
> Content-Type: text/plain; charset=utf-8
> Cache-Control: must-revalidate
>
> {"total_rows":6,"offset":0,"rows":[
> {"id":"_design/_auth","key":"_design/_auth","value":{"rev":"1-619db7ba8551c0de3f3a178775509611"}},
> {"id":"org.couchdb.user:abc","key":"org.couchdb.user:abc","value":{"rev":"1-64d299987b4df59c048171a8ab8ba951"}},
> {"id":"org.couchdb.user:def","key":"org.couchdb.user:def","value":{"rev":"1-479a3e8a66652838706cc49544730a34"}},
> {"id":"org.couchdb.user:foo","key":"org.couchdb.user:foo","value":{"rev":"1-3859ee3742314dcb4b4f1ffaba398c91"}},
> {"id":"org.couchdb.user:mia","key":"org.couchdb.user:mia","value":{"rev":"1-f87f5003323e705d8c7a533cdd0a267c"}},
> {"id":"org.couchdb.user:root","key":"org.couchdb.user:root","value":{"rev":"1-f43dadbe5e780f392a6bd283686b3704"}}
> ]}
> {code}
> The problem is that with specified public_fields it's possible to retrieve all users' names, no matter whether they have the public field or not. This behaviour somewhat violates the implemented [System Database Security|https://git-wip-us.apache.org/repos/asf?p=couchdb.git;a=commit;h=e5503ff]:
> [CouchDB 1.2.0 release notes|https://blogs.apache.org/couchdb/entry/apache_couchdb_1_2_0]:
> {quote}
> Documents in the _users database can no longer be read by everyone
> Documents in the _users databases can now only be read by the respective authenticated user and administrators. Before, all docs were world-readable including their password hashes and salts.
> {quote}
> [Security Features Overview|http://wiki.apache.org/couchdb/Security_Features_Overview#Authentication%20database]:
> {quote}
> In addition, the _users database is now treated differently from other databases:
> An anonymous user can only create a new document.
> An authenticated user can only update their own document.
> A server or database admin can access and update all documents.
> Only server or database admins can create design documents and access views and _all_docs and _changes.
> {quote}
> Expected behaviour when `public_fields` is specified:
> `_all_docs` should return only those user docs that actually contain public fields. Users that have no such fields have nothing to publish. If a user doc has public fields it shouldn't be mentioned in the `_all_docs` response.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
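The expected behaviour the reporter describes, modelled as an added example: this is not CouchDB's code (the real listing is implemented in Erlang inside the server), but a small JavaScript model of the filtering a `_users` `_all_docs` response would need once `couch_httpd_auth/public_fields` is set. It assumes `public_fields` is a comma-separated list of field names (the issue only shows a single name), adds a denylist of credential fields that are never published whatever the setting says (an extra safeguard added here, not behaviour the issue describes), and runs over constructed sample docs that mirror the reproduction. `allDocsRows` stands for the reported behaviour, `publicRows` for the expected one.

```javascript
// Added example, not CouchDB's own code: models how a _users _all_docs
// listing should be filtered once couch_httpd_auth/public_fields is set.

// Credential fields that are never published, whatever public_fields says.
// This denylist is an extra safeguard added here, not behaviour the issue describes.
const CREDENTIAL_FIELDS = new Set([
  "password", "password_sha", "salt", "derived_key", "iterations", "password_scheme",
]);

// public_fields is assumed (assumption) to be a comma-separated list of field names;
// the issue only shows it set to a single name.
function parsePublicFields(configValue) {
  if (typeof configValue !== "string") return [];
  return configValue
    .split(",")
    .map((f) => f.trim())
    .filter((f) => f.length > 0 && !CREDENTIAL_FIELDS.has(f));
}

// Reported behaviour: every doc in _users is listed as soon as public_fields is set,
// which discloses all user names (and the design doc) to any non-admin caller.
function allDocsRows(docs) {
  return docs.map((d) => ({ id: d._id, key: d._id }));
}

// Expected behaviour from the issue: only user docs that actually carry at least one
// public field are listed, and only those fields are exposed. Design docs stay
// admin-only, as the quoted Security Features Overview requires.
function publicRows(docs, publicFields) {
  const rows = [];
  for (const doc of docs) {
    if (doc.type !== "user" || doc._id.startsWith("_design/")) continue;
    const published = {};
    for (const f of publicFields) {
      if (Object.prototype.hasOwnProperty.call(doc, f)) published[f] = doc[f];
    }
    if (Object.keys(published).length === 0) continue; // nothing to publish
    rows.push({ id: doc._id, key: doc._id, value: published });
  }
  return rows;
}

// Constructed sample _users contents mirroring the issue's reproduction.
const sampleDocs = [
  { _id: "_design/_auth", language: "javascript" },
  { _id: "org.couchdb.user:abc", type: "user", name: "abc", roles: [],
    password_sha: "<constructed>", salt: "<constructed>" },
  { _id: "org.couchdb.user:def", type: "user", name: "def", roles: [], nickname: "Def" },
];

// Step 2 of the reproduction: a public field no user has.
const nobodyHasIt = parsePublicFields("no_user_will_never_has_ziz_field_in_his_doc");
console.log("reported:", allDocsRows(sampleDocs).length, "rows disclosed");
console.log("expected:", publicRows(sampleDocs, nobodyHasIt));

// A field one user does have: only that user, only that field; "salt" is dropped.
console.log("expected:", publicRows(sampleDocs, parsePublicFields("nickname, salt")));
```

The check a practitioner wants here is the second call: with a field nobody has, the expected listing is empty, whereas the reported behaviour still returns every row. The third call shows that an admin opting into `public_fields` exposes exactly the named fields of exactly the users who have them, and that credential material stays out even if named.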