Your message dated Wed, 29 Nov 2023 17:14:02 +0100
with message-id <[email protected]>
and subject line Re: Bug#1057077: rabbitmq-server: .erlang.cookie overwritten if 20 uppercase characters
has caused the Debian Bug report #1057077,
regarding rabbitmq-server: .erlang.cookie overwritten if 20 uppercase characters
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1057077: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057077
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rabbitmq-server
Version: 3.10.8-3
Severity: normal
Dear Maintainer,
The postinst script will overwrite the `/var/lib/rabbitmq/.erlang.cookie`
file if it contains exactly 20 uppercase characters.
```
if grep -q -E '^[A-Z]{20}$' /var/lib/rabbitmq/.erlang.cookie ; then
    OLD_UMASK=$(umask)
    umask 077; openssl rand -base64 -out /var/lib/rabbitmq/.erlang.cookie 42
    umask ${OLD_UMASK}
    if [ ""$(ps --no-headers -o comm 1) = "systemd" ] ; then
        if systemctl is-active --quiet rabbitmq-server.service ; then
            systemctl restart rabbitmq-server.service
        fi
    fi
fi
```
The rabbitmq-server service failed to start on one of our nodes in our
cluster after the package was upgraded, as the nodes in our cluster
happen to share a .erlang.cookie that matches this condition.
This is a dangerous approach which the package should not enforce. If
20 uppercase characters are seen as insecure, then the package should
instead inform the user of it and not simply overwrite the file.
This bug report was requested by the Ubuntu package maintainers when
I filed a bug report on their tracker [1], as they use this source
package as their upstream.
[1] https://bugs.launchpad.net/ubuntu/+source/rabbitmq-server/+bug/2044248
--- End Message ---
--- Begin Message ---
On 11/29/23 11:14, Markus Rexhepi-Lindberg wrote:
> Source: rabbitmq-server
> Version: 3.10.8-3
> Severity: normal
> Dear Maintainer,
> The postinst script will overwrite the `/var/lib/rabbitmq/.erlang.cookie`
> file if it contains exactly 20 uppercase characters.
> ```
> if grep -q -E '^[A-Z]{20}$' /var/lib/rabbitmq/.erlang.cookie ; then
>     OLD_UMASK=$(umask)
>     umask 077; openssl rand -base64 -out /var/lib/rabbitmq/.erlang.cookie 42
>     umask ${OLD_UMASK}
>     if [ ""$(ps --no-headers -o comm 1) = "systemd" ] ; then
>         if systemctl is-active --quiet rabbitmq-server.service ; then
>             systemctl restart rabbitmq-server.service
>         fi
>     fi
> fi
> ```
Hi,
I'm well aware of this; this was a security measure written to counter
the fact that rabbit had a weak .erlang.cookie by default that was easy
to brute-force (if I remember well).
You've probably noticed that the script checks if the cookie is made of
20 uppercase letters only. That's probably your case because you've been
using the cookie generated by rabbitmq-server itself, meaning that
you're probably also affected by the weakness. I strongly suggest that
you get away from such a setup.
This will therefore *NOT* be removed from the package. I'm sorry, but
you'll have to adapt and fix your setup (and set an erlang cookie of a
different size, and I suggest, a stronger one, with more entropy).
I'm therefore closing this bug, which is IMO a false positive.
Cheers,
Thomas Goirand (zigo)
--- End Message ---
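Added example, not code from the bug report, the Debian package or the maintainer: a small sh helper that does what the reporter asked for and what the maintainer recommends. It detects the 20-uppercase-letter shape the postinst acts on and reports it instead of overwriting the live cookie, and it writes a replacement candidate to a separate path using the same `openssl rand -base64 42` generator as the postinst. The cookie path is taken as an argument; the sample cookie files used in testing are constructed in a temporary directory.

```shell
#!/bin/sh
# Audit an Erlang cookie file (path in $1) for the shape the Debian
# postinst replaces, and report rather than rewrite it. Example code,
# not part of the rabbitmq-server package.

# Returns 0 if the file is exactly 20 uppercase ASCII letters, 1 otherwise.
# LC_ALL=C keeps [A-Z] meaning the ASCII range whatever the caller's
# locale collation rules are.
cookie_matches_default_shape() {
    LC_ALL=C grep -q -E '^[A-Z]{20}$' "$1"
}

# Exit status is the verdict: 0 = ok, 1 = default-shaped, 2 = unreadable.
# Every node of a cluster must carry the same cookie, so one node silently
# rewriting its own copy (as the postinst does) breaks cluster membership;
# a warning lets the operator rotate the cookie on all nodes together.
audit_erlang_cookie() {
    cookie="$1"
    if [ ! -r "$cookie" ]; then
        echo "ERROR: cannot read $cookie"
        return 2
    fi
    if cookie_matches_default_shape "$cookie"; then
        echo "WARNING: $cookie matches the 20-uppercase-letter default shape;" \
             "regenerate it and distribute the new value to every cluster node"
        return 1
    fi
    echo "OK: $cookie does not match the default shape"
    return 0
}

# Write a candidate replacement to a new path (never over the live cookie)
# with the postinst's generator: 42 random bytes, base64 encoded, which
# yields 56 characters plus a newline. umask 077 gives the file mode 0600.
generate_cookie_candidate() {
    out="$1"
    old_umask=$(umask)
    umask 077
    openssl rand -base64 42 > "$out"
    rc=$?
    umask "$old_umask"
    return "$rc"
}
```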