Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent modification of /_users/_security object with opt-out ini file setting #1558

Open
wohali opened this issue Aug 14, 2018 · 7 comments

Comments

@wohali
Copy link
Member

wohali commented Aug 14, 2018

Expected Behavior

Modifying the _security object inside of _users is unsupported, and can lead to some unusual behaviour - see #1556.

Current Behavior

We allow people to shoot themselves in the foot by modifying _users/_security.

Possible Solution

Always return a 403 on write attempts for _users/_security. @rnewson do you have any comment on this?

Steps to Reproduce (for bugs)

  1. dev/run -n 1 --with-admin-party-please
  2. `curl -X PUT http:https://localhost:15984/_users/_security -d '{"foo": "bar"}'

Context

People are trying to change the rules for who can read/write documents in _users and it goes very badly.

Your Environment

  • Version used: 2.2.0
@rnewson
Copy link
Member

rnewson commented Aug 14, 2018

It's a difficult thing to remove at this late stage, though I agree with the proposal.

Should we fold this into the broader push to hide these databases behind an API that enforces only the semantics we wish?

@wohali
Copy link
Member Author

wohali commented Aug 14, 2018

@rnewson If a naive block is a problem for 2.x, we can just say this is backwards-incompatible and fold it into #1504 if you want, sure. I just thought maybe a 2.3 that blocked _users/_security writes wouldn't be too hard to implement, and shouldn't affect TOO many people...

@rnewson
Copy link
Member

rnewson commented Aug 14, 2018

It's hard to know how many have changed the security object of _users. Those that have done so and not encountered a problem will be broken by this change; those that have encountered a problem will have had to reverse their change already.

I think we should save the breakingchangeness until we present a full replacement for this; the API that sits in front of this database and only permits what it ought to.

@wohali
Copy link
Member Author

wohali commented Aug 14, 2018

+1, let's leave this unti #1504. I'll close this for now.

@wohali wohali closed this as completed Aug 14, 2018
@janl
Copy link
Member

janl commented Aug 14, 2018

Alternatively, like we've done with default db security and making _all_dbs an opt-in config value could help folks until we have a proper fix.

@rnewson
Copy link
Member

rnewson commented Aug 14, 2018

yes, I can see that. [couchdb] users_db_security_editable=false|true or something, defaulting to false in the new default.ini

@wohali
Copy link
Member Author

wohali commented Aug 14, 2018

If we're OK with that alternative for 2.x, I'll re-open this.

@wohali wohali reopened this Aug 14, 2018
@wohali wohali changed the title Prevent modification of /_users/_security object Prevent modification of /_users/_security object with opt-out ini file setting Aug 14, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants