Protected configs and sensitive commands (#9920)

Block sensitive configs and commands by default.

* `enable-protected-configs` - block modification of configs with the new `PROTECTED_CONFIG` flag.
   Currently we add this flag to `dbfilename`, and `dir` configs,
   all of which are non-mutable configs that can set a file redis will write to.
* `enable-debug-command` - block the `DEBUG` command
* `enable-module-command` - block the `MODULE` command

These have a default value set to `no`, so that these features are not
exposed by default to client connections, and can only be set by modifying the config file.

Users can change each of these to either `yes` (allow all access), or `local` (allow access from
local TCP connections and unix domain connections)

Note that this is a **breaking change** (specifically the part about MODULE command being disabled by default).
I.e. we don't consider DEBUG command being blocked as an issue (people shouldn't have been using it),
and the few configs we protected are unlikely to have been set at runtime anyway.
On the other hand, it's likely to assume some users who use modules, load them from the config file anyway.
Note that's the whole point of this PR, for redis to be more secure by default and reduce the attack surface on
innocent users, so secure defaults will necessarily mean a breaking change.

1 files changed, 4 insertions, 0 deletions

diff --git a/tests/assets/default.conf b/tests/assets/default.conf
index d7b8a75c6..ef15b1041 100644
--- a/tests/assets/default.conf
+++ b/tests/assets/default.conf
@@ -25,3 +25,7 @@ appendonly no
 appendfsync everysec
 no-appendfsync-on-rewrite no
 activerehashing yes
+
+enable-protected-configs yes
+enable-debug-command yes
+enable-module-command yes