Thanks for bringing this to the mailing list. I quickly skimmed the
feature and I agree with you that having an arbitrary command executed
could be dangerous. However, this is a 12 year old feature and so am
guessing there are people using it.

As far as locking down the feature, I don't think it is feasible to
lock it down as it allows execution of arbitrary scripts.

Dinesh

On Fri, Aug 30, 2024 at 9:14 AM guo Maxwell <cclive1...@gmail.com> wrote:
>
>     Commitlog has the ability of archive  log file, see 
> CommitLogArchiver.java,  we can achieve the purpose of archive and restore 
> commitlog by configuring archive_command and restore_command in 
> commitlog_archiving.properties.The archive_command and restore_command can be 
> some linux/unix shell command.  However, I found that the shell command can 
> actually be filled with any script, even if "rm -rf" .I have tested this 
> situation and it finally succeeded with my test file being deleted.
>
>     Personally, I think it is a dangerous behavior, because if there are no 
> system-level restrictions and users are allowed to do anything in these shell 
> commands. So here I want to discuss with you whether it is necessary to 
> impose any restrictions on use, or do we need a new way of 
> archiving/restoring commitlog?
>
> Of course, before that, I would also like to ask, how many people are using 
> archive and restore of commitlog? It seems that the commitlog archive code 
> has not been updated for a long time.
>
> I have two ideas.
> One is to make some restrictions on the command context based on the existing 
> usage methods, such as strictly only allowing the current cp/mv/ln %path to 
> %name.Other redundant strings in the command are not allowed.
> Another one , As I roughly investigated the archive of mysql and pg. They do 
> not give users too much space (I am talking about letting users define their 
> own archiving command ), and archive directly to a designated location. For 
> us, I feel that we can refer to c * Incremental backup of sstable,  add a 
> hardlink to the commitlog to the specified location, but this place may 
> modify the original configuration method, such as setting the archive 
> location and restoring location of the node through nodetool and deprecate 
> the  commitlog_archiving.properties configuration.
>
> I am just putting forward some views  here, and looking forward to your 
> feedback. 😀
>

Reply via email to