From 6a66b93b186506bcd37f147cbb353f0961a03870 Mon Sep 17 00:00:00 2001 From: antirez Date: Thu, 14 Jun 2018 18:57:58 +0200 Subject: Sentinel: add an option to deny online script reconfiguration. The ability of "SENTINEL SET" to change the reconfiguration script at runtime is a problem even in the security model of Redis: any client inside the network may set any executable to be run once a failover is triggered. This option adds protection for this problem: by default the two SENTINEL SET subcommands modifying script paths are denied. However the user is still able to revert that using the Sentinel configuration file in order to allow such a feature. --- sentinel.conf | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'sentinel.conf') diff --git a/sentinel.conf b/sentinel.conf index 0e1b266ed..38b097254 100644 --- a/sentinel.conf +++ b/sentinel.conf @@ -194,3 +194,12 @@ sentinel failover-timeout mymaster 180000 # # sentinel client-reconfig-script mymaster /var/redis/reconfig.sh +# SECURITY +# +# By default SENTINEL SET will not be able to change the notification-script +# and client-reconfig-script at runtime. This avoids a trivial security issue +# where clients can set the script to anything and trigger a failover in order +# to get the program executed. + +sentinel deny-scripts-reconfig yes + -- cgit v1.2.1
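Review bot: The new comment above `sentinel deny-scripts-reconfig yes` documents the protected default but not the opt-out that the commit message promises. It never says that `no` is the value that lets SENTINEL SET change notification-script and client-reconfig-script again, or what that re-exposes. Suggest adding a line such as "# Set to no only if every client able to reach Sentinel is trusted to choose the program run on failover." The comment also says "By default" while the sample file sets the option explicitly, so a reader cannot tell from this hunk whether a configuration that omits the line is protected as well; because the diff shown is limited to sentinel.conf, the comment should state what applies when the directive is absent.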