Posted to dev@couchdb.apache.org by Jan Lehnardt <ja...@apache.org> on 2018/09/16 19:21:41 UTC

Remove runtime configurability of core system components PR #1602

Hi all,

I’d like to bring to your attention a PR that makes big changes to a rarely used feature of CouchDB: runtime configurability of core CouchDB services.

    https://github.com/apache/couchdb/pull/1602
    (See the PR text for way more details)

In the 1.x era of CouchDB, many parts of the core systems were managed via the config system. This is mostly because, in the early days, no good standard patterns for what Erlang apps looked like were obvious to the folks working on CouchDB. This has changed now, and CouchDB has been switched to a more traditional module layout, as well as static configuration of components for the most part. This is merely closing the final gap.

Being able to change core parts of the database, including what code modules to load when and where, and which OS binaries to run when and where, opened us up to a set of security vulnerabilities that we want to close once and for all with this PR by no longer allowing runtime configuration of core system parts:

- http://docs.couchdb.org/en/stable/cve/2017-12635.html
- http://docs.couchdb.org/en/stable/cve/2017-12636.html
- http://docs.couchdb.org/en/stable/cve/2018-11769.html
- http://docs.couchdb.org/en/stable/cve/2018-8007.html

The affected core parts are:

- daemons
- [httpd] default_handler
- httpd_global_handlers
- httpd_db_handlers
- httpd_design_handlers
- vhost_global_handlers
- redirect_vhost_handler
- os_daemons
- query_servers
- native_query_servers

This patch retains the ability to configure an existing CouchDB installation to, say, add a third party query server, but it’ll require console access to the server and restarting CouchDB from said console.

* * *

This email acts as a heads-up to get as many folks as possible reviewing this PR, and to comply with our bylaws to notify dev@ when removing features (h/t Joan).

* * *

In the process of implementing the PR, I had to drop the (deprecated in 2.2.0) os daemons feature. I’d be okay with keeping the feature in, if someone else would put in the time to work out how to fix its tests given the new realities of the larger patch, but given we were going to remove it anyway, now is as good a time as any. If you are interested in working on restoring this prior to the next CouchDB release, this is a good starting point: https://github.com/apache/couchdb/pull/1602/commits/082c7164598819f757b87f976e4e762db427c508#diff-f680a9d4d1d4621a9b0858b353df7f8aR287 — All it needs is fixing up tests to not rely on runtime configuration.

* * *

I hope this closes a big class of potential security issues for us going forward.

Best
Jan
—
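An added example for operators preparing for this change (not code from the CouchDB project or from the email above): a small Python audit script that reads a CouchDB-style .ini file and reports every setting that falls under the config sections the email lists as losing runtime configurability, plus a helper that mirrors the PR's policy by answering whether a given section/key may still be changed at runtime. The section and key names come from the list in the email; the email shows `default_handler` as a key inside `[httpd]` and lists the remaining names flatly, so this script treats those as whole sections (an assumption). The sample config is constructed for the example.

```python
"""Audit a CouchDB-style .ini for settings in the config sections that
PR #1602 removes from runtime configurability.

Added example; not CouchDB project code. The protected names are taken
from the email above; the sample config below is constructed.
"""
import configparser

# Names from the email. (section, None) means the whole section is
# protected; (section, key) means one key inside that section. The email
# lists most names flatly, so they are assumed here to be section names.
PROTECTED = [
    ("daemons", None),
    ("httpd", "default_handler"),
    ("httpd_global_handlers", None),
    ("httpd_db_handlers", None),
    ("httpd_design_handlers", None),
    ("vhost_global_handlers", None),
    ("redirect_vhost_handler", None),
    ("os_daemons", None),
    ("query_servers", None),
    ("native_query_servers", None),
]

# Constructed sample local.ini-style content for the demonstration.
SAMPLE_INI = """
[couchdb]
database_dir = /var/lib/couchdb

[httpd]
port = 5984
default_handler = {couch_httpd_db, handle_request}

[httpd_global_handlers]
_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "/usr/share/couchdb/www"}

[query_servers]
javascript = /opt/couchdb/bin/couchjs /opt/couchdb/share/server/main.js
"""


def load_config(text):
    """Parse CouchDB-style ini text. Only '=' separates key and value,
    because Erlang-term values may themselves contain ':'."""
    cp = configparser.ConfigParser(
        interpolation=None, allow_no_value=True, strict=False, delimiters=("=",)
    )
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return cp


def is_runtime_settable(section, key):
    """Mirror the PR's policy: protected sections/keys may only be changed
    in the on-disk config followed by a restart, never at runtime."""
    for prot_section, prot_key in PROTECTED:
        if prot_section == section and (prot_key is None or prot_key == key):
            return False
    return True


def audit(text):
    """Return (section, key, value) triples for every setting in the given
    config that depends on one of the protected sections or keys."""
    cp = load_config(text)
    findings = []
    for section, key in PROTECTED:
        if not cp.has_section(section):
            continue
        if key is None:
            for k, v in cp.items(section):
                findings.append((section, k, v))
        elif cp.has_option(section, key):
            findings.append((section, key, cp.get(section, key)))
    return findings


if __name__ == "__main__":
    for section, key, value in audit(SAMPLE_INI):
        print(f"[{section}] {key} = {value}  (static after PR #1602)")
```

Run the script as-is to see the report for the constructed sample, or replace `SAMPLE_INI` with the contents of a real local.ini to find which of your customisations (third-party query servers, custom handlers) will need to live in the on-disk config and a restart rather than being pushed through the runtime config API.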