Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2017/10/25 23:21:59 UTC

[GitHub] bgehman opened a new issue #37: Broken security in 2.0.0 image

URL: https://github.com/apache/couchdb-docker/issues/37
 
 
   ## Expected Behavior
   Passing `COUCHDB_USER` and `COUCHDB_PASSWORD` environment variables should have a secure installation.
   
   ## Current Behavior
   Not secure.
   
   ## Possible Solution
   Suspect the docker image doesn't pre-create the internal system tables needed for security.
   
   ## Steps to Reproduce (for bugs)
   1. In a terminal, run: `$ docker run --rm -e COUCHDB_USER=admin -e COUCHDB_PASSWORD=password -p 5984:5984 klaemo/couchdb:2.0.0`
   2. In a second terminal, test the security:
   
       a. Good (correct userid/password is successfully authenticated):
       ```
       $ curl http://admin:password@localhost:5984
       {"couchdb":"Welcome","version":"2.0.0","vendor":{"name":"The Apache Software Foundation"}}
       ```
       b. Good (wrong userid/password does not authenticate -- as expected):
       ```
       $ curl http://admin:wrongpasswd@localhost:5984
       {"error":"unauthorized","reason":"Name or password is incorrect."}
       ```
       c. **Really Bad** (passing no credentials at all is authenticated successfully):
       ```
       $ curl http://localhost:5984 
       {"couchdb":"Welcome","version":"2.0.0","vendor":{"name":"The Apache Software Foundation"}}
       ```
   
   ## Context
   Would like to have a secure docker-image based on CouchDB 2.x
   
   ## Your Environment
   <!--- Include as many relevant details about the environment you experienced the bug in -->
   * Version used: 2.0.0
   * Browser Name and version: -na-
   * Operating System and version (desktop or mobile): -na-
   * Link to your project: -na-
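
The three curl checks from the steps above as a repeatable test. This is an example added here, not part of the original issue or of the couchdb-docker project: `probe`, `audit` and the `ReportedBehaviour` stub server are hypothetical names, and the stub is constructed to answer the way the report describes so the check runs offline.

```python
import base64, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Ignore any proxy settings so requests to localhost go direct.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def probe(base_url, creds=None):
    """Return the HTTP status of a GET, optionally sent with Basic auth."""
    req = urllib.request.Request(base_url)
    if creds:
        token = base64.b64encode(":".join(creds).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(base_url, user, password):
    """Run checks a, b and c from the report; return the ones that fail."""
    findings = []
    if probe(base_url, (user, password)) != 200:
        findings.append("valid credentials rejected")
    if probe(base_url, (user, password + "-wrong")) not in (401, 403):
        findings.append("wrong password accepted")
    if probe(base_url) not in (401, 403):
        findings.append("anonymous request accepted")
    return findings

class ReportedBehaviour(BaseHTTPRequestHandler):
    """Constructed stub: answers like the container described in the report."""
    strict = False  # True = also reject requests that carry no credentials
    def do_GET(self):
        auth = self.headers.get("Authorization")
        good = "Basic " + base64.b64encode(b"admin:password").decode()
        ok = auth == good or (auth is None and not self.strict)
        self.send_response(200 if ok else 401)
        self.end_headers()
        self.wfile.write(b"{}")
    def log_message(self, *args):  # keep the demo output quiet
        pass

def run_against_stub(strict):
    """Start the stub on a free local port, audit it, then shut it down."""
    handler = type("Stub", (ReportedBehaviour,), {"strict": strict})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = "http://127.0.0.1:%d/" % server.server_port
        return audit(url, "admin", "password")
    finally:
        server.shutdown(); server.server_close()
```

Pointing `audit` at a real container (for example `http://localhost:5984/` with the credentials passed to `docker run`) turns the manual steps into a pass/fail check for an image build.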
   
