Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2022/05/09 20:16:11 UTC

[GitHub] [couchdb-pkg] alex-zywicki opened a new issue, #94: Fixes made for CVE-2022-24706 mitigation break automated installations

alex-zywicki opened a new issue, #94:
URL: https://github.com/apache/couchdb-pkg/issues/94

   Fixes made for CVE-2022-24706 mitigation in #92 break automated installations.
   
   ## Expected Behavior
   Expected automated installations of couchdb@3.2.2 to work without user interaction.
   
   ## Current Behavior
   Post-install scripts prompt for a `cookie` value.
   
   ## Possible Solution
   
   Instead of making the post install interactive it would be better to generate a random default cookie.
   For non-cluster deployments this should work just fine.
   For clustered deployments the user would need to configure the cookie in some way to suit their needs; this would most likely need to be included in the documentation.
   
   ```bash
   if %{__grep} -q "^-setcookie monster$" /opt/%{name}/etc/vm.args; then
     echo "Please enter a cookie value for this installation: " >/dev/tty
     if exec </dev/tty; then
       read cookie;
     fi
     echo "Writing $cookie to vm.args..."
     %{__sed} -i "s/^-setcookie monster.*$/-setcookie ${cookie}/" /opt/%{name}/etc/vm.args
   elif %{__grep} -q "^[# ]*-setcookie$" /opt/%{name}/etc/vm.args; then
     echo "Please enter a cookie value for this installation: " >/dev/tty
     if exec </dev/tty; then
       read cookie;
     fi
     echo "Writing $cookie to vm.args..."
     %{__sed} -i "s/^[# ]*-setcookie.*$/-setcookie ${cookie}/" /opt/%{name}/etc/vm.args
   fi
   ```
   
   to read
   
   ```bash
   # generate something as a suitably random default for non cluster configurations
   # (seeded from /dev/urandom: $RANDOM is only a 15-bit value, so hashing it
   # would still give a guessable cookie)
   cookie="$(head -c 32 /dev/urandom | sha256sum | head -c 32)"
   if %{__grep} -q "^-setcookie monster$" /opt/%{name}/etc/vm.args; then
     %{__sed} -i "s/^-setcookie monster.*$/-setcookie ${cookie}/" /opt/%{name}/etc/vm.args
   elif %{__grep} -q "^[# ]*-setcookie$" /opt/%{name}/etc/vm.args; then
     %{__sed} -i "s/^[# ]*-setcookie.*$/-setcookie ${cookie}/" /opt/%{name}/etc/vm.args
   fi
   ```
   
   ## Steps to Reproduce (for bugs)
   1. `yum install couchdb@3.2.2`
   
   
   ## Context
   The company I work for uses CouchDB as its primary database for several of its dedicated server based products.
   We provide our customers with an ISO that includes CouchDB. In order to build these ISOs we need to be able to install CouchDB in an automated manner. The changes made to the post-install scripts provided here make the install process unable to be fully automated.
   
   
   
   ## Your Environment
   * Version used: 3.2.2
   * Browser Name and version: N/A
   * Operating System and version (desktop or mobile): RHEL7 Server, RHEL8 Server, CENTOS7 Server, ROCKY8 Server
   * Link to your project: https://asti-usa.com/voisus/index.html


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [couchdb-pkg] nickva commented on issue #94: Fixes made for CVE-2022-24706 mitigation break automated installations

Posted by GitBox <gi...@apache.org>.
nickva commented on issue #94:
URL: https://github.com/apache/couchdb-pkg/issues/94#issuecomment-1130041991

   @alex-zywicki I uploaded the RPMs to artifactory and they should be available immediately. 




[GitHub] [couchdb-pkg] nickva commented on issue #94: Fixes made for CVE-2022-24706 mitigation break automated installations

Posted by GitBox <gi...@apache.org>.
nickva commented on issue #94:
URL: https://github.com/apache/couchdb-pkg/issues/94#issuecomment-1125493207

   @alex-zywicki
   
   I think both a random initial value and the possibility to override with the environment var might work. For the standalone setup, the random value would work best, and for a cluster setup users can set a common cookie at RPM install time.
   
   > Also keep in mind that this will also break your debian installs as well as you implemented what looks to be similar changes for debian.
   
   For Debian things are a bit simpler. There, users may pre-configure standalone/cluster mode and populate the config values ahead of time: https://github.com/apache/couchdb-pkg/blob/daf1f622e273f78c5686fbdc7b8a5cb021b33216/debian/README.Debian#L59-L70
   
   > Ideally I would see the generation of a default random value moved out of the postinstall process and have it be part of the couch startup process where couch would just pick a value if none is configured and have the postinstall. That would keep the postinstall nice and clean rather than patching things up like it is now.
   
   I agree. I think this would work much nicer, or if it worked with the config system, where it can be set and overridden in the `default.d/*.ini` or `local.d/*.ini`. 
   
   Cookie values impact how the Erlang VM starts up. As soon as the VM starts it will auto-connect to other nodes. So setting the cookie later might be problematic (though I think there are now options to prevent auto-connection, so we could read and apply cookie values before enabling distribution). That behavior change wouldn't affect your standalone deployment, but would affect clustered deployments, so it may need some extra thought.


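The approach discussed in the issue and in the reply above (a random default for standalone installs, an environment variable override for clusters, no tty prompt), written out as an added example. This is not couchdb-pkg's postinstall scriptlet and not the code in PR #95; the `COUCHDB_COOKIE` variable name, the helper function names and the sample vm.args content are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not couchdb-pkg code: non-interactive cookie setup for vm.args.
# Precedence: 1) COUCHDB_COOKIE from the environment (assumed variable name,
#                for clustered installs that must share one cookie),
#             2) a fresh random value (standalone installs).
# There is no tty prompt, so an unattended yum/dnf install completes.

set -eu

# 128 bits from the kernel CSPRNG as 32 hex characters. $RANDOM is a 15-bit
# value, so piping it through sha256sum would still yield a guessable cookie.
generate_cookie() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# Rewrite the "-setcookie monster" placeholder or a commented-out "-setcookie"
# line in the given vm.args. Prints "set" when a line was rewritten and "kept"
# when the file already carries a non-default cookie. The cookie value itself
# is never printed, so it does not end up in install logs.
set_vm_cookie() {
    vm_args="$1"
    # ${VAR+x} is the POSIX spelling of bash's [ -v VAR ] (bash >= 4.2).
    if [ -n "${COUCHDB_COOKIE+x}" ]; then
        cookie="$COUCHDB_COOKIE"
    else
        cookie="$(generate_cookie)"
    fi
    # The cookie becomes an Erlang atom and a sed replacement: allow only
    # characters that need no quoting in either.
    case "$cookie" in
        ""|*[!A-Za-z0-9_]*)
            echo "refusing cookie value: empty or contains unsupported characters" >&2
            return 1 ;;
    esac
    if grep -q '^-setcookie monster$' "$vm_args"; then
        sed "s/^-setcookie monster\$/-setcookie ${cookie}/" "$vm_args" > "$vm_args.tmp"
        mv "$vm_args.tmp" "$vm_args"
        echo set
    elif grep -q '^[# ]*-setcookie$' "$vm_args"; then
        sed "s/^[# ]*-setcookie\$/-setcookie ${cookie}/" "$vm_args" > "$vm_args.tmp"
        mv "$vm_args.tmp" "$vm_args"
        echo set
    else
        echo kept
    fi
}

# Cookie currently configured in a vm.args file (empty output if none).
current_cookie() {
    sed -n 's/^-setcookie \([A-Za-z0-9_]*\)$/\1/p' "$1"
}

# Demo on a constructed vm.args; sample content, not a real installation.
demo="$(mktemp)"
printf '%s\n' '-name couchdb@127.0.0.1' '-setcookie monster' '+K true' > "$demo"
set_vm_cookie "$demo"                          # set
c="$(current_cookie "$demo")"
echo "configured cookie has ${#c} characters"  # 32
set_vm_cookie "$demo"                          # kept
rm -f "$demo"
```

Two points differ from the snippet quoted in the issue: the cookie is never echoed (the original "Writing $cookie to vm.args..." line puts the secret into whatever captures the installer's output), and the value is validated before it is spliced into a sed expression. For a cluster, export the variable before invoking the package manager; whether yum or dnf passes the environment through to the scriptlet is something to verify on the target distro, as the reply above already notes.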


[GitHub] [couchdb-pkg] alex-zywicki commented on issue #94: Fixes made for CVE-2022-24706 mitigation break automated installations

Posted by GitBox <gi...@apache.org>.
alex-zywicki commented on issue #94:
URL: https://github.com/apache/couchdb-pkg/issues/94#issuecomment-1121577306

   @nickva You will most likely be hearing from Mike H soon, I told him to give you a hard time. 
   
   I think an environment variable would be a reasonable thing in addition to the randomly generated value, but I don't think it is enough on its own. 
   
   For a single instance configuration I would expect the installation to just work with no input. And for clustered systems you're already doing a bunch of config so it shouldn't be much of a burden to configure the cookie as needed so long as the documentation is good. 
   
   Also keep in mind that this will also break your Debian installs, as you implemented what look to be similar changes for Debian.
   
   Ideally I would see the generation of a default random value moved out of the postinstall process and have it be part of the couch startup process where couch would just pick a value if none is configured and have the postinstall. That would keep the postinstall nice and clean rather than patching things up like it is now.
   




[GitHub] [couchdb-pkg] nickva commented on issue #94: Fixes made for CVE-2022-24706 mitigation break automated installations

Posted by GitBox <gi...@apache.org>.
nickva commented on issue #94:
URL: https://github.com/apache/couchdb-pkg/issues/94#issuecomment-1128093839

   Thanks for taking a look. I also checked SUSE 12SP4 and 15, both are > bash 4.2. That's the only other distro I saw mentioned in our RPM support docs.




[GitHub] [couchdb-pkg] nickva closed issue #94: Fixes made for CVE-2022-24706 mitigation break automated installations

Posted by GitBox <gi...@apache.org>.
nickva closed issue #94: Fixes made for CVE-2022-24706 mitigation break automated installations
URL: https://github.com/apache/couchdb-pkg/issues/94




[GitHub] [couchdb-pkg] nickva commented on issue #94: Fixes made for CVE-2022-24706 mitigation break automated installations

Posted by GitBox <gi...@apache.org>.
nickva commented on issue #94:
URL: https://github.com/apache/couchdb-pkg/issues/94#issuecomment-1127892993

   @alex-zywicki how about something like this https://github.com/apache/couchdb-pkg/pull/95 ?




[GitHub] [couchdb-pkg] alex-zywicki commented on issue #94: Fixes made for CVE-2022-24706 mitigation break automated installations

Posted by GitBox <gi...@apache.org>.
alex-zywicki commented on issue #94:
URL: https://github.com/apache/couchdb-pkg/issues/94#issuecomment-1128068697

   > @alex-zywicki how about something like this #95 ?
   
   I think that looks fine. As far as I know both RHEL7 and RHEL8 run bash 4.2+ so the `-v` should be fine. But I cannot speak for all distros that use rpm.




[GitHub] [couchdb-pkg] nickva commented on issue #94: Fixes made for CVE-2022-24706 mitigation break automated installations

Posted by GitBox <gi...@apache.org>.
nickva commented on issue #94:
URL: https://github.com/apache/couchdb-pkg/issues/94#issuecomment-1129923536

   The fix is merged. I will upload the new RPMs later today.




[GitHub] [couchdb-pkg] nickva commented on issue #94: Fixes made for CVE-2022-24706 mitigation break automated installations

Posted by GitBox <gi...@apache.org>.
nickva commented on issue #94:
URL: https://github.com/apache/couchdb-pkg/issues/94#issuecomment-1121568336

   @alex-zywicki thanks for your report.  I agree, generating a random one might be better. We've done that for the MacOS install, I believe. Another alternative could be passing it in as an environment variable. So something like `COUCHD_COOKIE=123abc... yum install`, wonder if that would work? (Hopefully `yum` / `dnf` don't clear the environment variables).
   
   > The company I work for uses CouchDB as its primary database for several of its dedicated server based products.
   
   Say "Hi" to everyone from me! It was my fault for introducing CouchDB at ASTi! Also, sorry for breaking the install 🤣 
   
   

