[
https://issues.apache.org/jira/browse/COUCHDB-3100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16342998#comment-16342998
]
Ben Standefer commented on COUCHDB-3100:
----------------------------------------
I just ran across this major. It's exacerbated by the fact that 2.0.0 docs are
top on Google for "couchdb require_valid_user". IMO there should almost be more
warnings or a retroactive correction to the 2.0.0 docs (vs. just fixing in the
2.1 docs). This could lead to major data breaches. Luckily for me it was just a
project database with no data in it, but some people were able to create users
while being anonymous, which was alarming.
More:
[https://www.pcworld.com/article/3159527/security/attackers-start-wiping-data-from-couchdb-and-hadoop-databases.html]
There are a few researchers tracking this kind of problem with CouchDB's
wide-open permissions. From a user's perspective it makes no sense in 2018 to
have permissions wide open as a default. default.ini should be as strict as
possible and users should have to read through the docs to figure out how to
open it up. For friendly dev intro purposes you could also ship a
danger_no_security_at_all.ini that opens everything up wide open for toying
around with.
> require_valid_user is not working
> ---------------------------------
>
> Key: COUCHDB-3100
> URL: https://issues.apache.org/jira/browse/COUCHDB-3100
> Project: CouchDB
> Issue Type: Bug
> Affects Versions: 2.0.0
> Reporter: Tiago Pereira
> Assignee: Joan Touzet
> Priority: Major
> Fix For: 2.1.0
>
>
> When the configuration "require_valid_user = true" is added to the local.ini,
> the server ignores it and the database is still kept public. This problem was
> replicated in klaemo's docker image 2.0-single and 2.0-rc3.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
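An added check for the situation described in this issue, written for this page and not taken from CouchDB or the issue itself: it audits a local.ini for the anonymous-access gaps the thread talks about. It assumes (as the 2.1-era docs state) that a 2.x cluster serves clients on the chttpd port and reads require_valid_user from the [chttpd] section, so the [couch_httpd_auth] key alone does not protect the public API, and that an empty [admins] section leaves the node in CouchDB's "admin party" mode; the sample configs are constructed.

```python
"""Audit a CouchDB 2.x local.ini for the anonymous-access pitfalls in COUCHDB-3100.

Constructed example, not project code. Assumption: the clustered interface
reads require_valid_user from [chttpd]; the [couch_httpd_auth] key that the
2.0.0 docs pointed at only governs the node-local port, so setting it alone
leaves the public port open. A node with no [admins] entries is in admin party.
"""
import configparser
from typing import List

# Constructed sample: what a reader following the 2.0.0 docs would end up with.
CONFIG_FOLLOWING_2_0_DOCS = """
[couch_httpd_auth]
require_valid_user = true
"""

# Constructed sample: the option in the section the clustered port reads, plus an admin.
CONFIG_HARDENED = """
[chttpd]
require_valid_user = true

[couch_httpd_auth]
require_valid_user = true

[admins]
admin = -pbkdf2-placeholder-hash
"""


def _is_true(cfg: configparser.ConfigParser, section: str, key: str) -> bool:
    """True only if the key exists in that section and is literally 'true'."""
    return cfg.has_option(section, key) and cfg.get(section, key).strip().lower() == "true"


def audit_local_ini(text: str) -> List[str]:
    """Return findings; an empty list means no anonymous-access gap was detected."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings: List[str] = []
    clustered = _is_true(cfg, "chttpd", "require_valid_user")
    legacy = _is_true(cfg, "couch_httpd_auth", "require_valid_user")
    if not clustered:
        if legacy:
            findings.append("require_valid_user set only under [couch_httpd_auth]; "
                            "the clustered port still accepts anonymous requests")
        else:
            findings.append("require_valid_user not enabled under [chttpd]; anonymous requests allowed")
    if not cfg.has_section("admins") or not cfg.options("admins"):
        findings.append("no [admins] entries: node is in admin party, so anonymous users are admins")
    return findings
```

Run it against the actual local.ini of a node before exposing it; a non-empty list is exactly the state the reporter hit, where the setting looks enabled but the database stays public.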