couchdb-dev mailing list archives

From Jan Lehnardt <...@apache.org>
Subject Remove runtime configurability of core system components PR #1602
Date Sun, 16 Sep 2018 19:21:41 GMT
Hi all,

I’d like to bring to your attention a PR that makes big changes to a rarely used feature
of CouchDB: runtime configurability of core CouchDB services.

    https://github.com/apache/couchdb/pull/1602
    (See the PR text for way more details)

In the 1.x era of CouchDB, many parts of the core systems were managed via the config system.
This is mostly due to in the early days, no good standard patterns for what Erlang apps looked
like were obvious to the folks working on CouchDB. This has changed now, and CouchDB has been
switched to a more traditional module layout, as well as static configuration of components
for the most part. This is merely closing the final gap.

Being able to change core parts of the database, including what code modules to load when
and where, and which OS binaries to run when and where, opened us up to a set of security
vulnerabilities, that we want to close once and for all with this PR by no longer allowing
runtime configuration of core system parts:

- http://docs.couchdb.org/en/stable/cve/2017-12635.html
- http://docs.couchdb.org/en/stable/cve/2017-12636.html
- http://docs.couchdb.org/en/stable/cve/2018-11769.html
- http://docs.couchdb.org/en/stable/cve/2018-8007.html

The affected core parts are:

- daemons
- [httpd] default_handler
- httpd_global_handlers
- httpd_db_handlers
- httpd_design_handlers
- vhost_global_handlers
- redirect_vhost_handler
- os_daemons
- query_servers
- native_query_servers

This patch retains the ability to configure an existing CouchDB installation to, say, add
a third party query server, but it’ll require console access to the server and restarting
CouchDB from said console.

* * *

This email acts as a heads-up to get as many folks as possible reviewing this PR, and to comply
with our bylaws to notify dev@ when removing features (h/t Joan).

* * *

In the process of implementing the PR, I had to drop the (deprecated in 2.2.0) os daemons
feature. I’d be okay with keeping the feature in, if someone else would put in the time
to work out how to fix its tests given the new realities of the larger patch, but given we
were going to remove it anyway, now is as good a time as any. If you are interested in working
on restoring this prior to the next CouchDB release, this is a good starting point: https://github.com/apache/couchdb/pull/1602/commits/082c7164598819f757b87f976e4e762db427c508#diff-f680a9d4d1d4621a9b0858b353df7f8aR287
— All it needs is fixing up tests to not rely on runtime configuration.

* * *

I hope this closes a big class of potential security issues for us going forward.

Best
Jan
—
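The mail lists the config sections that stop being runtime-configurable. An operator preparing for this change will want to know whether their own ini files still carry entries in those sections, since those are exactly the settings that can no longer be changed over the `_config` API and that a reviewer should look at for unexpected handlers, query servers or OS daemons. The following audit script is an added example, not code from Jan's mail or from the CouchDB project. It assumes the listed names appear as ini section headers (with `default_handler` as a key under `[httpd]`), and the ini text it scans is constructed for the demonstration.

```python
"""Audit a CouchDB ini file for entries in the config sections that PR #1602
makes non-runtime-configurable. Added example; not part of CouchDB itself."""
import configparser
import sys

# Names taken from the announcement. Assumption: they are ini section headers,
# except default_handler, which lives under [httpd]. Because vhost_global_handlers
# and redirect_vhost_handler could also be [httpd] keys, both forms are checked.
LOCKED_NAMES = frozenset({
    "daemons",
    "httpd_global_handlers",
    "httpd_db_handlers",
    "httpd_design_handlers",
    "vhost_global_handlers",
    "redirect_vhost_handler",
    "os_daemons",
    "query_servers",
    "native_query_servers",
})
LOCKED_HTTPD_KEYS = LOCKED_NAMES | {"default_handler"}

# Constructed sample ini (not a real deployment); every non-trivial entry here
# is one an operator would want to review before the upgrade.
SAMPLE_INI = """\
[couchdb]
database_dir = /var/lib/couchdb

[httpd]
port = 5984
default_handler = {couch_httpd_db, handle_request}

[query_servers]
javascript = /usr/bin/couchjs /usr/share/couchdb/server/main.js
python = /usr/local/bin/couchpy

[os_daemons]
my_daemon = /usr/local/bin/my_daemon

[httpd_global_handlers]
_stats = {couch_httpd_stats_handlers, handle_stats_req}
"""


def audit_ini(text: str) -> list[tuple[str, str, str]]:
    """Return (section, key, value) for every entry in a locked section,
    plus any locked key found under [httpd]. Empty list means nothing to review."""
    parser = configparser.ConfigParser(
        interpolation=None,   # CouchDB values may contain '%' and braces
        strict=False,         # tolerate duplicate keys seen in hand-edited inis
        allow_no_value=True,
    )
    parser.optionxform = str  # keep key case; CouchDB keys like _utils are case-sensitive
    parser.read_string(text)

    findings: list[tuple[str, str, str]] = []
    for section in parser.sections():
        if section in LOCKED_NAMES:
            for key, value in parser.items(section):
                findings.append((section, key, value or ""))
        elif section == "httpd":
            for key, value in parser.items(section):
                if key in LOCKED_HTTPD_KEYS:
                    findings.append((section, key, value or ""))
    return findings


def main(argv: list[str]) -> int:
    """Audit the ini file given on the command line, or the built-in sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_INI
    findings = audit_ini(text)
    for section, key, value in findings:
        print(f"[{section}] {key} = {value}")
    print(f"{len(findings)} entries in sections that are no longer runtime-configurable")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against `local.ini` (and any `local.d/*.ini`) on each node; a non-zero exit means there are entries an operator should either carry over to whatever static mechanism the release documents or drop deliberately, rather than discover after the upgrade that they silently stopped applying.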

