diff options
author | Robert Newson <rnewson@apache.org> | 2022-04-02 01:12:10 -0400 |
---|---|---|
committer | Nick Vatamaniuc <vatamane@apache.org> | 2022-04-05 23:28:24 -0400 |
commit | c4e811ecf97d5796145b60f3b99a84abcec56ebf (patch) | |
tree | a52bfec243714603f99552ff3276590808734052 | |
parent | 244d428afe01a746b012f3dc4ec4865935ea8ad3 (diff) | |
download | couchdb-c4e811ecf97d5796145b60f3b99a84abcec56ebf.tar.gz |
Remove the default "monster" cookie
-rwxr-xr-x | dev/remsh | 3 | ||||
-rwxr-xr-x | dev/remsh-tls | 3 | ||||
-rwxr-xr-x | rel/overlay/bin/remsh | 8 | ||||
-rw-r--r-- | rel/overlay/etc/vm.args | 5 | ||||
-rw-r--r-- | src/couch/src/couch_sup.erl | 20 |
5 files changed, 30 insertions, 9 deletions
@@ -25,5 +25,4 @@ fi NAME="remsh$$@$HOST" NODE="node$NODE@$HOST" -COOKIE=monster -erl -name $NAME -remsh $NODE -setcookie $COOKIE -hidden +erl -name $NAME -remsh $NODE -hidden diff --git a/dev/remsh-tls b/dev/remsh-tls index 603317d72..089db669f 100755 --- a/dev/remsh-tls +++ b/dev/remsh-tls @@ -25,6 +25,5 @@ fi NAME="remsh$$@$HOST" NODE="node$NODE@$HOST" -COOKIE=monster rootdir="$(cd "${0%/*}" 2>/dev/null; echo "$PWD")" -erl -name $NAME -remsh $NODE -setcookie $COOKIE -hidden -proto_dist inet_tls -ssl_dist_optfile "${rootdir}/couch_ssl_dist.conf" +erl -name $NAME -remsh $NODE -hidden -proto_dist inet_tls -ssl_dist_optfile "${rootdir}/couch_ssl_dist.conf" diff --git a/rel/overlay/bin/remsh b/rel/overlay/bin/remsh index 3f59bcb21..de37d6cc2 100755 --- a/rel/overlay/bin/remsh +++ b/rel/overlay/bin/remsh @@ -55,11 +55,10 @@ if test -f "$ARGS_FILE"; then ARGS_FILE_COOKIE=$(awk '$1=="-setcookie"{print $2}' "$ARGS_FILE") COOKIE="${COOKIE:-$ARGS_FILE_COOKIE}" fi -COOKIE="${COOKIE:-monster}" printHelpAndExit() { echo "Usage: ${PROGNAME} [OPTION]... [-- <additional Erlang cli options>]" - echo " -c cookie specify shared Erlang cookie (default: monster)" + echo " -c cookie specify shared Erlang cookie" echo " -l HOST specify remsh's host name (default: 127.0.0.1)" echo " -m use output of \`hostname -f\` as remsh's host name" echo " -n NAME@HOST specify couchdb's Erlang node name (-name in vm.args)" @@ -114,6 +113,11 @@ fi # to avoid conflicts with the cli parameters ERL_FLAGS_CLEAN=$(echo "$ERL_FLAGS" | sed 's/-setcookie \([^ ][^ ]*\)//g' | sed 's/-name \([^ ][^ ]*\)//g') +if [ -z "${COOKIE}" ]; then + echo "No Erlang cookie could be found, please specify with -c" >&2 + exit 1 +fi + if [ -z "$TLSCONF" ]; then exec env ERL_FLAGS="$ERL_FLAGS_CLEAN" "$BINDIR/erl" -boot "$ROOTDIR/releases/$APP_VSN/start_clean" \ -name remsh$$@$LHOST -remsh $NODE -hidden -setcookie $COOKIE \ diff --git a/rel/overlay/etc/vm.args b/rel/overlay/etc/vm.args index 805e9ec22..4971627c9 100644 --- a/rel/overlay/etc/vm.args +++ b/rel/overlay/etc/vm.args @@ -38,9 +38,8 @@ {{node_name}} # All nodes must share the same magic cookie for distributed Erlang to work. -# Comment out this line if you synchronized the cookies by other means (using -# the ~/.erlang.cookie file, for example). --setcookie monster +# Uncomment the following line and append a securely generated random value. +# -setcookie # Tell kernel and SASL not to log anything -kernel error_logger silent diff --git a/src/couch/src/couch_sup.erl b/src/couch/src/couch_sup.erl index b936c1e5d..85400a39a 100644 --- a/src/couch/src/couch_sup.erl +++ b/src/couch/src/couch_sup.erl @@ -28,6 +28,7 @@ start_link() -> + assert_no_monsters(), assert_admins(), maybe_launch_admin_annoyance_reporter(), write_pidfile(), @@ -87,6 +88,25 @@ handle_config_change(_, _, _, _, _) -> handle_config_terminate(_Server, _Reason, _State) -> ok. +assert_no_monsters() -> + couch_log:info("Preflight check: Checking For Monsters~n", []), + case erlang:get_cookie() of + monster -> + couch_log:info( + "~n%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%~n" ++ + " Monster detected ohno!, aborting startup. ~n" ++ + " Please change the Erlang cookie in vm.args to the same ~n" ++ + " securely generated random value on all nodes of this cluster. ~n" ++ + "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%~n", + [] + ), + % Wait a second so the log message can make it to the log + timer:sleep(500), + erlang:halt(1); + _ -> + ok + end. + assert_admins() -> couch_log:info("Preflight check: Asserting Admin Account~n", []), case {config:get("admins"), os:getenv("COUCHDB_TEST_ADMIN_PARTY_OVERRIDE")} of |