janl commented on PR #5327: URL: https://github.com/apache/couchdb/pull/5327#issuecomment-2446324175
I’m leaving this here by way of an official record for reviewing this.

In the old times, we loaded the Erlang MFAs from CouchDB config and then executed those. This allowed CouchDB admins to change what native code would be running as the `couchdb` operating system user. We [closed](https://github.com/apache/couchdb/pull/1602) a number of vulnerabilities[1] by refactoring this so that the native code definition comes from environment variables and not CouchDB config, and is thus out of reach for just CouchDB admins. We also made it so that these env vars are only loaded on module initialisation and not dynamically.

The desired security properties, however, come from moving the MFA definition to env vars (and also making them not strictly raw MFAs); the non-dynamic loading was just an added bonus.

This patch makes loading those values dynamic again, but by the above analysis that should not open us up to new (or old) attack vectors, as someone who can change the env of a running process is already further ahead than this vector would get them.

Can someone double check my logic here?

[1]:
- https://docs.couchdb.org/en/stable/cve/2017-12636.html
- https://docs.couchdb.org/en/stable/cve/2018-11769.html
- https://docs.couchdb.org/en/stable/cve/2018-8007.html
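The trust-boundary argument in the comment above, as an added illustration that is not CouchDB code and not part of the PR: handler selection moves from an admin-editable runtime config (where a raw `module:function` spec picks the code that runs as the service user) to a process-environment value that is only a key into a fixed allow-list. The example models both the read-once-at-init loader and the re-read-on-every-call loader the patch reintroduces, and shows that the allow-list, not the read timing, is what bounds what can run. The variable name `DEMO_QUERY_SERVER`, the handler table and the sample config are all constructed for this example.

```python
import importlib

# Pre-refactor pattern (the risk the comment describes): a raw "module:function"
# string taken from runtime config decides which callable executes as the
# service's OS user. Whoever can write that config chooses the code.
def resolve_raw_spec(config):
    module_name, func_name = config["query_server"].split(":", 1)
    return getattr(importlib.import_module(module_name), func_name)

# Post-refactor pattern: the only configurable thing is a *name*, and only
# names in this table can ever run. The table is fixed in code, not in config.
ALLOWED_QUERY_SERVERS = {
    "echo": lambda doc: doc,
    "upper": lambda doc: doc.upper(),
}

DEFAULT_QUERY_SERVER = "echo"
ENV_VAR = "DEMO_QUERY_SERVER"  # hypothetical variable name for this example


def select_query_server(env):
    """Map an environment value to an allow-listed callable; reject anything else."""
    name = env.get(ENV_VAR, DEFAULT_QUERY_SERVER)
    if name not in ALLOWED_QUERY_SERVERS:
        raise ValueError(
            f"unknown query server {name!r}; allowed: {sorted(ALLOWED_QUERY_SERVERS)}"
        )
    return name, ALLOWED_QUERY_SERVERS[name]


# Variant 1: read once at module initialisation (the "added bonus"). Later
# environment changes do not affect the handler already chosen.
class StaticLoader:
    def __init__(self, env):
        self.name, self.handler = select_query_server(env)

    def run(self, doc):
        return self.handler(doc)


# Variant 2: re-read on every call (what the patch reintroduces). The value is
# still allow-listed, so a changed environment can only switch between known
# handlers, never introduce a raw module path.
class DynamicLoader:
    def __init__(self, env):
        self.env = env

    def run(self, doc):
        _, handler = select_query_server(self.env)
        return handler(doc)


def demo():
    """Constructed stand-in for os.environ so the example runs offline."""
    env = {ENV_VAR: "echo"}
    static = StaticLoader(env)
    dynamic = DynamicLoader(env)
    before = (static.run("Ab"), dynamic.run("Ab"))
    env[ENV_VAR] = "upper"  # environment changed after initialisation
    after = (static.run("Ab"), dynamic.run("Ab"))
    env[ENV_VAR] = "os:system"  # a raw module:function spec is never accepted
    try:
        dynamic.run("Ab")
        rejected = False
    except ValueError:
        rejected = True
    return before, after, rejected


if __name__ == "__main__":
    print(demo())
```

The contrast to watch is `resolve_raw_spec`, which will happily import any importable module named in config, versus `select_query_server`, which can only ever return one of the two table entries. Making the dynamic loader re-read the environment changes when a switch between known handlers takes effect, but not who can cause one: only a principal that can already alter the running process's environment.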