Don't the other KVs implement M/R as well? If so, how is it they don't have a similar exploit? Is this issue due specifically to Basho's usage of Erlang for processing M/R?
Is it possible to circumvent this type of exploit by running Erlang & Riak as unprivileged users? Seems sandboxing may be needed for all nodes to ensure server integrity. If someone made it into a node somehow (regardless of public availability), it's still quite a concern that they could then exploit Riak to gain root access.

--
Jonathan Langevin
Manager, Information Technology
Loom Inc.
Wilmington, NC: (910) 241-0433 - jlange...@loomlearning.com - www.loomlearning.com - Skype: intel352

On Wed, Oct 19, 2011 at 7:29 PM, Eric Redmond <eric.redm...@gmail.com> wrote:

> There's exposing and then there's *exposing* (like celebrity nip-slip versus leaked sex tape... yes, my mind went there). A DB like Postgres is fairly harmless to expose, since it has so much built-in security there's not much danger in it. Of course you still need to secure your server, but to offer accounts and databases to multiple users is fairly safe, since you can lock down a lot.
>
> Even other KVs like Redis can be largely exposed, you can just route requests to a block of DBs per account and globally suppress some of the more destructive commands like FLUSHALL.
>
> MongoHQ makes a living offering exposed mongo instances to people. You need to monitor for over-utilization, sure, but support is robust.
>
> Riak offers little in the way of multitenancy. I've hacked a solution in node.js to control per-account bucket access, but Kyle points out an interesting issue. The fact that one can execute arbitrary Erlang poses another layer of security risk, and anyone who dreams of being a Riak host (ala MongoHQ) must deal with the issue.
>
> Eric
>
> On Oct 19, 2011, at 4:18 PM, Paul Fisher wrote:
>
> Generally I would never put any database open on the Internet... Is there something special about Riak that would cause people to change this rule of thumb?
>
> --
> paul
>
> On Oct 19, 2011, at 4:50 PM, "Aphyr" <ap...@aphyr.com> wrote:
>
> > With Eric Redmond's permission*, I am releasing a proof-of-concept exploit which uses Riak's mapreduce API to execute arbitrary Erlang code and obtain shell access.
> >
> > http://aphyr.com/journals/show/do-not-expose-riak-directly-to-the-internet
> >
> > Please stop doing this.
> >
> > --Kyle
> >
> > * Eric (http://crudcomic.com/post/11656603627/downside-of-crowdsourcing) announced a publicly accessible Riak cluster today; with his permission/supervision I used this exploit to gain shell access to his server. He's taken down that cluster and encouraged me to release this information.
> >
> > I love the idea of a public sandbox for Riak--but it should be wrapped in a rate-limiting HTTP proxy that only allows certain URLs, object sizes, and methods. And limits the number of keys. :)
_______________________________________________
riak-users mailing list
riak-users@lists.basho.com
http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
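Kyle's suggestion of wrapping a public Riak node in a rate-limiting proxy that only passes certain URLs, methods and object sizes, written out as an added nginx configuration; this is an illustration for the thread, not code from Basho, Aphyr or anyone on the list, and the loopback listener address, hostname, rate and size limits are assumptions.

```nginx
# Per-client rate limit: 10 requests/second, keyed on the remote address (assumed values).
limit_req_zone $binary_remote_addr zone=riak_public:10m rate=10r/s;

upstream riak_node {
    # Assumption: Riak's HTTP listener is bound to the loopback only,
    # so nothing reaches it except through this proxy.
    server 127.0.0.1:8098;
}

server {
    listen 80;
    server_name riak-sandbox.example.com;   # placeholder hostname

    client_max_body_size 64k;                # cap on stored object size (assumed)
    limit_req zone=riak_public burst=20 nodelay;

    # Only single-object reads, writes and deletes under the raw object path
    # (/riak/<bucket>/<key>) are forwarded. Link-walking paths have more
    # segments and therefore do not match.
    location ~ ^/riak/[^/]+/[^/]+$ {
        limit_except GET PUT DELETE { deny all; }
        proxy_pass http://riak_node;
        proxy_set_header Host $host;
    }

    # Bucket-level URLs (/riak/<bucket>, including ?keys=true key listing and
    # bucket-property changes) are refused; nginx matches locations on the
    # URI without the query string, so the listing variant lands here too.
    location ~ ^/riak/[^/]+/?$ {
        return 403;
    }

    # Everything else is refused by default. This covers /mapred, which is the
    # endpoint the proof-of-concept abuses, as well as /stats and /ping.
    location / {
        return 403;
    }
}
```

Running Riak itself as an unprivileged user, as Jonathan asks about, is a separate layer: it limits what code reaching the Erlang VM can do to the host, while this proxy keeps that code from being submitted over the public HTTP API in the first place.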