Posted to notifications@couchdb.apache.org by "Ben Standefer (JIRA)" <ji...@apache.org> on 2018/01/29 07:20:00 UTC

[jira] [Commented] (COUCHDB-3100) require_valid_user is not working

    [ https://issues.apache.org/jira/browse/COUCHDB-3100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16342998#comment-16342998 ] 

Ben Standefer commented on COUCHDB-3100:
----------------------------------------

I just ran across this major. It's exacerbated by the fact that 2.0.0 docs are top on Google for "couchdb require_valid_user". IMO there should almost be more warnings or a retroactive correction to the 2.0.0 docs (vs. just fixing in the 2.1 docs). This could lead to major data breaches. Luckily for me it was just a project database with no data in it, but some people were able to create users while being anonymous, which was alarming.

More:

[https://www.pcworld.com/article/3159527/security/attackers-start-wiping-data-from-couchdb-and-hadoop-databases.html]

There are a few researchers tracking this kind of problem with CouchDB's wide-open permissions. From a user's perspective it makes no sense in 2018 to have permissions wide open as a default. default.ini should be as strict as possible and users should have to read through the docs to figure out how to open it up. For friendly dev intro purposes you could also ship a danger_no_security_at_all.ini that opens everything wide open for toying around with.

> require_valid_user is not working
> ---------------------------------
>
>                 Key: COUCHDB-3100
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-3100
>             Project: CouchDB
>          Issue Type: Bug
>    Affects Versions: 2.0.0
>            Reporter: Tiago Pereira
>            Assignee: Joan Touzet
>            Priority: Major
>             Fix For: 2.1.0
>
>
> When the configuration "require_valid_user = true" is added to the local.ini, the server ignores it and the database is still kept public. This problem was replicated in klaemo's docker image 2.0-single and 2.0-rc3.
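The report above is a case of a config file claiming protection the server did not enforce, so a useful operator check compares what local.ini says with what an unauthenticated request actually gets back. The script below is an added example, not code from this JIRA thread or from the CouchDB project; it assumes the `[couch_httpd_auth]` and `[chttpd]` section names, the default port 5984 and the `/_all_dbs` endpoint, and the sample ini is constructed.

```python
import configparser
import urllib.error
import urllib.request

# Constructed sample local.ini, modelled on the report above: the setting is
# present, yet the 2.0.0 server described in the issue ignored it.
SAMPLE_LOCAL_INI = """
[couch_httpd_auth]
require_valid_user = true

[chttpd]
port = 5984
"""

# Sections in which require_valid_user is meaningful (assumed names).
AUTH_SECTIONS = ("chttpd", "couch_httpd_auth")


def sections_requiring_auth(ini_text):
    """Return the config sections where require_valid_user is set to true."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return [s for s in AUTH_SECTIONS
            if cfg.has_section(s)
            and cfg.getboolean(s, "require_valid_user", fallback=False)]


def classify_anonymous_status(status):
    """Interpret the HTTP status of an unauthenticated GET /_all_dbs."""
    if status == 401:
        return "enforced"   # server demanded credentials: what we want
    if status == 200:
        return "open"       # anonymous client could list databases
    return "unexpected"


def anonymous_status(url="http://127.0.0.1:5984/_all_dbs", timeout=5):
    """Send a request with no credentials and return the HTTP status code."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verdict(ini_text, status):
    """Compare what the config claims with what the server actually does."""
    claimed = sections_requiring_auth(ini_text)
    observed = classify_anonymous_status(status)
    if not claimed:
        return "require_valid_user not set in any relevant section"
    if observed == "open":
        return "config sets require_valid_user but server is open (the bug above)"
    return "require_valid_user enforced" if observed == "enforced" else "unexpected response"


if __name__ == "__main__":
    print(verdict(SAMPLE_LOCAL_INI, anonymous_status()))
```

Run it against your own instance after changing local.ini; a "server is open" verdict means the setting is present but not being honoured, which is exactly the condition this issue describes.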



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)