Hi all,
I’d like to bring to your attention a PR that makes big changes to a rarely
used feature of CouchDB: runtime configurability of core CouchDB services.
https://github.com/apache/couchdb/pull/1602
(See the PR text for way more details)
In the 1.x era of CouchDB, many parts of the core systems were managed via the
config system. This is mostly because, in the early days, no good standard
patterns for what Erlang apps looked like were obvious to the folks working on
CouchDB. This has changed now, and CouchDB has been switched to a more
traditional module layout, as well as static configuration of components for
the most part. This is merely closing the final gap.
Being able to change core parts of the database, including what code modules to
load when and where, and which OS binaries to run when and where, opened us up
to a set of security vulnerabilities that we want to close once and for all
with this PR by no longer allowing runtime configuration of core system parts:
- http://docs.couchdb.org/en/stable/cve/2017-12635.html
- http://docs.couchdb.org/en/stable/cve/2017-12636.html
- http://docs.couchdb.org/en/stable/cve/2018-11769.html
- http://docs.couchdb.org/en/stable/cve/2018-8007.html
The affected core parts are:
- daemons
- [httpd] default_handler
- httpd_global_handlers
- httpd_db_handlers
- httpd_design_handlers
- vhost_global_handlers
- redirect_vhost_handler
- os_daemons
- query_servers
- native_query_servers
This patch retains the ability to configure an existing CouchDB installation
to, say, add a third party query server, but it’ll require console access to
the server and restarting CouchDB from said console.
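As an added illustration (not part of the PR or this email), here is a small pre-upgrade audit script that reads an existing CouchDB .ini file and reports which of the sections and keys listed above are still set there, so an operator knows what has to be re-applied from the server console after the upgrade. The sample ini content and the `audit_ini` function are constructed for this example.

```python
import configparser

# Sections named in the email as no longer runtime-configurable.
STATIC_ONLY_SECTIONS = {
    "daemons", "httpd_global_handlers", "httpd_db_handlers",
    "httpd_design_handlers", "vhost_global_handlers",
    "redirect_vhost_handler", "os_daemons", "query_servers",
    "native_query_servers",
}
# Individual keys named in the email: [httpd] default_handler.
STATIC_ONLY_KEYS = {("httpd", "default_handler")}


def audit_ini(text):
    """Return a sorted list of 'section' or 'section/key' entries present in
    the ini text that PR 1602 makes static-only. Empty sections are ignored,
    since a bare section header configures nothing."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(text)
    hits = []
    for section in parser.sections():
        keys = parser.options(section)
        if section in STATIC_ONLY_SECTIONS and keys:
            hits.append(section)
        for key in keys:
            if (section, key) in STATIC_ONLY_KEYS:
                hits.append(f"{section}/{key}")
    return sorted(hits)


# Constructed sample local.ini for demonstration (not a real deployment).
SAMPLE_INI = """
[httpd]
port = 5984
default_handler = {couch_httpd_db, handle_request}

[query_servers]
coffeescript = ./bin/couchjs ./share/server/main-coffee.js

[os_daemons]
"""

if __name__ == "__main__":
    for hit in audit_ini(SAMPLE_INI):
        print("static-only setting still present in ini:", hit)
```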
* * *
This email acts as a heads-up to get as many folks as possible reviewing this
PR, and to comply with our bylaws to notify dev@ when removing features (h/t
Joan).
* * *
In the process of implementing the PR, I had to drop the (deprecated in 2.2.0)
os daemons feature. I’d be okay with keeping the feature in, if someone else
would put in the time to work out how to fix its tests given the new realities
of the larger patch, but given we were going to remove it anyway, now is as good
a time as any. If you are interested in working on restoring this prior to the
next CouchDB release, this is a good starting point:
https://github.com/apache/couchdb/pull/1602/commits/082c7164598819f757b87f976e4e762db427c508#diff-f680a9d4d1d4621a9b0858b353df7f8aR287
— All it needs is fixing up tests to not rely on runtime configuration.
* * *
I hope this closes a big class of potential security issues for us going
forward.
Best
Jan