author: antirez <antirez@gmail.com> 2018-06-14 18:57:58 +0200
committer: antirez <antirez@gmail.com> 2018-06-14 18:57:58 +0200
commit: 6a66b93b186506bcd37f147cbb353f0961a03870 (patch)
tree: 0e315ddfe1b9e608750b4f2dc50e5a3c779e7efe /sentinel.conf
parent: d353023a83de1377c05fd45ccab628ff5cb61186 (diff)
Sentinel: add an option to deny online script reconfiguration.
The ability of "SENTINEL SET" to change the reconfiguration script at runtime is a problem even in the security model of Redis: any client inside the network may set any executable to be run once a failover is triggered. This option adds protection for this problem: by default the two SENTINEL SET subcommands modifying script paths are denied. However the user is still able to revert that using the Sentinel configuration file in order to allow such a feature.
Diffstat (limited to 'sentinel.conf')
-rw-r--r-- sentinel.conf 9
1 files changed, 9 insertions, 0 deletions
diff --git a/sentinel.conf b/sentinel.conf
index 0e1b266ed..38b097254 100644
--- a/sentinel.conf
+++ b/sentinel.conf
@@ -194,3 +194,12 @@ sentinel failover-timeout mymaster 180000
#
# sentinel client-reconfig-script mymaster /var/redis/reconfig.sh
+# SECURITY
+#
+# By default SENTINEL SET will not be able to change the notification-script
+# and client-reconfig-script at runtime. This avoids a trivial security issue
+# where clients can set the script to anything and trigger a failover in order
+# to get the program executed.
+
+sentinel deny-scripts-reconfig yes
+
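Review bot: The new SECURITY comment says what is denied "by default" but never tells the operator how to opt back in, and the explicit `sentinel deny-scripts-reconfig yes` line leaves it unclear whether a sentinel.conf that lacks the directive (for example one carried over from an earlier install) gets the same protection. Suggest extending the comment to state the behaviour when the directive is absent and to document the `no` value together with its consequence, namely that any client able to reach Sentinel can again point notification-script or client-reconfig-script at an arbitrary executable and have it run on failover. It would also help to say that the option only blocks runtime changes through SENTINEL SET; script paths configured in this file are still executed.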