@rnewson rnewson commented Jan 22, 2023

A cookie value with a '/' in it caused a sed error during postinst;

```
sed: -e expression #1, char 53: unknown option to `s'
```

Instead of a sed substitution we use /c to replace the cookie line. This permits most characters to get through. We escape backslashes prior to interpreting them when constructing the sed line.

I applied the same change to nodename even though a / in node name would be an error, for consistency.

@big-r81 big-r81 left a comment

+1

@nickva nickva left a comment

Tested with:

```
$ export cookie=a:/b@1x

$ cat text.txt 
#  -setcookie foo

$ sed -i "$(printf 's\30^[# ]*-setcookie.*$\30-setcookie %s\30' ${cookie})" text.txt

$ cat text.txt 
-setcookie a:/b@1x
```

nickva commented Jan 22, 2023

The rpm side of things could have the same problem:

```
%{__sed} -i "s/^-setcookie monster.*$/-setcookie ${cookie}/" /opt/%{name}/etc/vm.args
```

Should we fix it there too, or as a separate PR perhaps?

@rnewson rnewson force-pushed the allow-forwardslash-in-cookie-etc branch from 3bc1118 to 945f928 Compare January 22, 2023 22:17
nickva commented Jan 23, 2023

Setting the cookie worked. I rebuilt debian-buster deb with it and installed in a VM.

deb install dialog:

```
CouchDB Erlang magic cookie: a \nb#$/c/d@:1
```

vm.args file

```
-setcookie 'a 
b#$/c/d@:1'
```

CouchDB seems to start and I can access it via curl.

However, unfortunately the single quotes seem to break our remsh script.

```
couchdb@debian10:~$ ./bin/remsh 
Erlang/OTP 24 [erts-12.3.2.7] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [jit]

*** ERROR: Shell process terminated! (^G to start new job) ***
```

Likely due to assumptions about how we parse the cookie value there https://github.com/apache/couchdb/blob/3181d928e060687e2a214192ba17c401811c6da3/rel/overlay/bin/remsh#L50-L57

```
ARGS_FILE_COOKIE=$(awk '$1=="-setcookie"{print $2}' "$ARGS_FILE")
```
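
The field-splitting behaviour behind the remsh failure noted in the comment above, as an added example that is not part of the thread and not the project's remsh script. `cookie_awk` wraps the quoted awk line; `cookie_line` is a hypothetical alternative that assumes the cookie sits on a single line.

```shell
#!/bin/sh
# Added example: compare two ways of reading -setcookie from a vm.args file.
# Function names are hypothetical; neither is the project's remsh code.

# Field 2 only: awk splits on whitespace, so a quoted atom that contains a
# space is cut off at the first space and keeps its opening quote.
cookie_awk() {
    awk '$1=="-setcookie"{print $2}' "$1"
}

# Take the rest of the first uncommented -setcookie line, then strip one pair
# of surrounding single quotes if present. Assumes a single-line cookie.
cookie_line() {
    sed -n "/^-setcookie[[:space:]]/{
        s/^-setcookie[[:space:]]*//
        s/^'\(.*\)'[[:space:]]*\$/\1/
        p
        q
    }" "$1"
}
```
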

rnewson commented Jan 23, 2023

You can specify a cookie with spaces if you do so correctly;

```
-setcookie 'foo bar baz'
```

Just the same as you would have to single quote that atom in erlang code itself.

My modification at least allows the use of / and many other characters (including space) that previously might have been issues, so this is an improvement.

I am not sure how to do the same on the RPM side as it appears not to be a shell script as such. I will try, however.

@rnewson rnewson force-pushed the allow-forwardslash-in-cookie-etc branch 3 times, most recently from e24a362 to 567d1c4 Compare January 24, 2023 00:30
@rnewson rnewson changed the title from "Use control character in sed lines with variables" to "allow more characters in cookie" Jan 24, 2023
nickva commented Jan 24, 2023

Testing with commit 567d1c4 on a Debian Buster VM:

I see \n escaped properly but some control characters get through. If users can type in \ as one of the characters they could generate any of the control characters.

```
cookie: a b\n\t\xd#{}()[]$&^!-=+?|//c\\d\\\e\\\\f
-setcookie 'a b\n ^M#{}()[]$&^!-=+?|//c\d\e\\f'
```

Another example:

```
cookie: a\n\t\ \x\\y\\\z//w///
-setcookie 'a\n x\y\z//w///'
```

RPM test on CentOS 7

It seems the replacement had stopped working both for the user-supplied cookie in a variable and for the randomly generated one:

```
[root@nvcentos7 ~]# export COUCHDB_COOKIE='a b\n\t\xd#{}()[]$&^!-=+?|//c\\d\\\e\\\\f'
[root@nvcentos7 ~]# echo ${COUCHDB_COOKIE}
a b\n\t\xd#{}()[]$&^!-=+?|//c\\d\\\e\\\\f
[root@nvcentos7 ~]# rpm -i couchdb-3.3.1.1.1-1.el7.x86_64.rpm 
Using defined COUCHDB_COOKIE value.
# All nodes must share the same magic cookie for distributed Erlang to work.
# Uncomment the following line and append a securely generated random value.
# -setcookie
```

For the randomly generated one:

```
[root@nvcentos7 ~]# rpm -i couchdb-3.3.1.1.1-1.el7.x86_64.rpm 
Generating random cookie value.
[root@nvcentos7 ~]# grep setcookie /opt/couchdb/etc/vm.args 
# -setcookie
```

@rnewson rnewson force-pushed the allow-forwardslash-in-cookie-etc branch 2 times, most recently from aa379cf to ff6e59f Compare January 24, 2023 10:46
A cookie value with a '/' in it caused a sed error during postinst;

```
sed: -e expression #1, char 53: unknown option to `s'
```

We use a control character (RS - record separator) instead of / to
reduce the chances of a collision with a valid cookie string.

I applied the same change to nodename even though a / in node name
would be an error, for consistency.
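
The delimiter change this commit message describes, as an added example that is not code from the pull request. `set_cookie_slash` and `set_cookie` are hypothetical names, octal 036 is used for RS, and rejecting cookies that contain RS, a newline or a single quote is an assumed policy rather than something the package does.

```shell
#!/bin/sh
# Added example, not the package's postinst. Function names are hypothetical;
# the line-matching regex is the one used in the test session in this thread.

RS=$(printf '\036')   # ASCII record separator, used as the sed delimiter
NL='
'

# Before: '/' delimits the s command, so a cookie containing '/' ends the
# replacement early and sed rejects what follows as unknown flags.
set_cookie_slash() {
    sed -i "s/^[# ]*-setcookie.*\$/-setcookie '$2'/" "$1"
}

# After: RS delimits the s command. Returns 2 for a cookie that cannot be
# written as one quoted line (assumed policy: no RS, newline or single quote).
set_cookie() {
    case $2 in
        *"$RS"*|*"$NL"*|*"'"*) return 2 ;;
    esac
    # '\' and '&' are still special in a sed replacement; escape both so the
    # value lands in the file byte for byte.
    escaped=$(printf '%s' "$2" | sed 's/[\\&]/\\&/g')
    sed -i "s${RS}^[# ]*-setcookie.*\$${RS}-setcookie '${escaped}'${RS}" "$1"
}
```

Changing the delimiter only removes the collision with `/`; the backslash and `&` escaping is what keeps the stored value identical to the input.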
@rnewson rnewson force-pushed the allow-forwardslash-in-cookie-etc branch from ff6e59f to 1b18b7c Compare January 24, 2023 16:53
nickva commented Jan 25, 2023

Testing with 1b18b7c

RPM on CentOS 7 works as expected:

Random new cookie:

```
[root@nvcentos7 ~]# rpm -i couchdb-3.3.1.1.1-1.el7.x86_64.rpm 
Generating random cookie value.
[root@nvcentos7 ~]# grep setcookie /opt/couchdb/etc/vm.args 
-setcookie '2MJoDeihWIblBBbSjiHAP5efEr5t8UoTCoiNLNBgf5Ju3Ry8'
```

Custom cookie:

```
[root@nvcentos7 ~]# export COUCHDB_COOKIE='a b\n\t\xd#{}()[]$&^!-=+?|//c\\d\\\e\\\\f'
[root@nvcentos7 ~]# rpm -i couchdb-3.3.1.1.1-1.el7.x86_64.rpm 
Using defined COUCHDB_COOKIE value.
[root@nvcentos7 ~]# grep setcookie /opt/couchdb/etc/vm.args 
-setcookie 'a b\n\t\xd#{}()[]$&^!-=+?|//c\\d\\\e\\\\f'
```

remsh didn't work but that's expected. I re-wrote bin/remsh to use a similar vm.args file with just the -setcookie to be able to log in to verify that the cookie was set instead of being silently replaced with a weak default one:

```
> erlang:get_cookie().
'a b\\n\\t\\xd#{}()[]$&^!-=+?|//c\\\\d\\\\\\e\\\\\\\\f'

> io:format("~s~n", [erlang:get_cookie()]).
a b\n\t\xd#{}()[]$&^!-=+?|//c\\d\\\e\\\\f
ok
```

Works on Debian Buster

```
Install dialog: a b\n\t\xd#{}()[]$&^!-=+?|//c\\d\\\e\\\\f
```

```
sudo grep setcookie /opt/couchdb/etc/vm.args
-setcookie 'a b\n\t\xd#{}()[]$&^!-=+?|//c\\d\\\e\\\\f'
```

We'll have to fix remsh cookie parsing in the main repo before the next release. But cookie prompt and replacement in this repo works well. Thanks for the fix!

+1

@rnewson rnewson merged commit cb2ee04 into main Jan 25, 2023
@rnewson rnewson deleted the allow-forwardslash-in-cookie-etc branch January 25, 2023 09:05