diff options
author | Robert Newson <rnewson@apache.org> | 2022-04-02 01:12:10 -0400 |
---|---|---|
committer | Nick Vatamaniuc <nickva@users.noreply.github.com> | 2022-04-26 19:19:57 -0400 |
commit | 2276bc631da24fe9a034180c39e4baa0d6da80d8 (patch) | |
tree | ca855c2b1cd3975cd3531050ce73ab23f563993a | |
parent | 2f6d5096d2dee97b1cf45c9cb314752a8d0ee11f (diff) | |
download | couchdb-2276bc631da24fe9a034180c39e4baa0d6da80d8.tar.gz |
Remove the default "monster" cookie
-rwxr-xr-x | dev/remsh | 3 | ||||
-rwxr-xr-x | dev/remsh-tls | 3 | ||||
-rwxr-xr-x | rel/overlay/bin/remsh | 8 | ||||
-rw-r--r-- | rel/overlay/etc/vm.args | 5 | ||||
-rw-r--r-- | src/couch/src/couch_sup.erl | 20 |
5 files changed, 30 insertions, 9 deletions
@@ -25,5 +25,4 @@ fi NAME="remsh$$@$HOST" NODE="node$NODE@$HOST" -COOKIE=monster -erl -name $NAME -remsh $NODE -setcookie $COOKIE -hidden +erl -name $NAME -remsh $NODE -hidden diff --git a/dev/remsh-tls b/dev/remsh-tls index 603317d72..089db669f 100755 --- a/dev/remsh-tls +++ b/dev/remsh-tls @@ -25,6 +25,5 @@ fi NAME="remsh$$@$HOST" NODE="node$NODE@$HOST" -COOKIE=monster rootdir="$(cd "${0%/*}" 2>/dev/null; echo "$PWD")" -erl -name $NAME -remsh $NODE -setcookie $COOKIE -hidden -proto_dist inet_tls -ssl_dist_optfile "${rootdir}/couch_ssl_dist.conf" +erl -name $NAME -remsh $NODE -hidden -proto_dist inet_tls -ssl_dist_optfile "${rootdir}/couch_ssl_dist.conf" diff --git a/rel/overlay/bin/remsh b/rel/overlay/bin/remsh index 3f59bcb21..de37d6cc2 100755 --- a/rel/overlay/bin/remsh +++ b/rel/overlay/bin/remsh @@ -55,11 +55,10 @@ if test -f "$ARGS_FILE"; then ARGS_FILE_COOKIE=$(awk '$1=="-setcookie"{print $2}' "$ARGS_FILE") COOKIE="${COOKIE:-$ARGS_FILE_COOKIE}" fi -COOKIE="${COOKIE:-monster}" printHelpAndExit() { echo "Usage: ${PROGNAME} [OPTION]... [-- <additional Erlang cli options>]" - echo " -c cookie specify shared Erlang cookie (default: monster)" + echo " -c cookie specify shared Erlang cookie" echo " -l HOST specify remsh's host name (default: 127.0.0.1)" echo " -m use output of \`hostname -f\` as remsh's host name" echo " -n NAME@HOST specify couchdb's Erlang node name (-name in vm.args)" @@ -114,6 +113,11 @@ fi # to avoid conflicts with the cli parameters ERL_FLAGS_CLEAN=$(echo "$ERL_FLAGS" | sed 's/-setcookie \([^ ][^ ]*\)//g' | sed 's/-name \([^ ][^ ]*\)//g') +if [ -z "${COOKIE}" ]; then + echo "No Erlang cookie could be found, please specify with -c" >&2 + exit 1 +fi + if [ -z "$TLSCONF" ]; then exec env ERL_FLAGS="$ERL_FLAGS_CLEAN" "$BINDIR/erl" -boot "$ROOTDIR/releases/$APP_VSN/start_clean" \ -name remsh$$@$LHOST -remsh $NODE -hidden -setcookie $COOKIE \ diff --git a/rel/overlay/etc/vm.args b/rel/overlay/etc/vm.args index 8da600bc3..704cb54d8 100644 --- a/rel/overlay/etc/vm.args +++ b/rel/overlay/etc/vm.args @@ -38,9 +38,8 @@ {{node_name}} # All nodes must share the same magic cookie for distributed Erlang to work. -# Comment out this line if you synchronized the cookies by other means (using -# the ~/.erlang.cookie file, for example). --setcookie monster +# Uncomment the following line and append a securely generated random value. +# -setcookie # Tell kernel and SASL not to log anything -kernel error_logger silent diff --git a/src/couch/src/couch_sup.erl b/src/couch/src/couch_sup.erl index 033f7115f..f13bc9917 100644 --- a/src/couch/src/couch_sup.erl +++ b/src/couch/src/couch_sup.erl @@ -25,6 +25,7 @@ -include_lib("couch/include/couch_db.hrl"). start_link() -> + assert_no_monsters(), assert_admins(), maybe_launch_admin_annoyance_reporter(), write_pidfile(), @@ -86,6 +87,25 @@ handle_config_change(_, _, _, _, _) -> handle_config_terminate(_Server, _Reason, _State) -> ok. +assert_no_monsters() -> + couch_log:info("Preflight check: Checking For Monsters~n", []), + case erlang:get_cookie() of + monster -> + couch_log:info( + "~n%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%~n" ++ + " Monster detected ohno!, aborting startup. ~n" ++ + " Please change the Erlang cookie in vm.args to the same ~n" ++ + " securely generated random value on all nodes of this cluster. ~n" ++ + "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%~n", + [] + ), + % Wait a second so the log message can make it to the log + timer:sleep(500), + erlang:halt(1); + _ -> + ok + end. + assert_admins() -> couch_log:info("Preflight check: Asserting Admin Account~n", []), case {config:get("admins"), os:getenv("COUCHDB_TEST_ADMIN_PARTY_OVERRIDE")} of |