zulip/scripts/setup
Alex Vandiver a5496f4098 CVE-2021-43799: Set a secure Erlang cookie.
The RabbitMQ docs state ([1]):

    RabbitMQ nodes and CLI tools (e.g. rabbitmqctl) use a cookie to
    determine whether they are allowed to communicate with each
    other. [...] The cookie is just a string of alphanumeric
    characters up to 255 characters in size. It is usually stored in a
    local file.

...and goes on to state (emphasis ours):

    If the file does not exist, Erlang VM will try to create one with
    a randomly generated value when the RabbitMQ server starts
    up. Using such generated cookie files are **appropriate in
    development environments only.**

The auto-generated cookie does not use cryptographic sources of
randomness, and generates 20 characters of `[A-Z]`.  Because of a
semi-predictable seed, the entropy of this password is thus less than
the idealized 26^20 = 94 bits of entropy; in actuality, it is 36 bits
of entropy, or potentially as low as 20 if the performance of the
server is known.

These sizes are well within the scope of remote brute-force attacks.

On provision, install, and upgrade, replace the default insecure
20-character Erlang cookie with a cryptographically secure
255-character string (the max length allowed).

[1] https://www.rabbitmq.com/clustering.html#erlang-cookie
2022-01-25 02:13:53 +00:00
..
apt-repos Remove Ubuntu 18.04 support. 2022-01-21 17:26:14 -08:00
__init__.py setup: Add missing __init__.py. 2021-07-05 12:20:39 -07:00
compare-settings-to-template scripts: Fix running compare-settings-to-template from any CWD. 2021-12-07 14:45:53 -08:00
configure-rabbitmq CVE-2021-43799: Set a secure Erlang cookie. 2022-01-25 02:13:53 +00:00
create-db.sql create-db: Default dbuser and dbname to zulip. 2021-05-26 17:19:11 -07:00
create-pgroonga.sql postgres-create-db: Split into non-pgroonga and pgroonga scripts. 2019-07-17 16:18:22 -07:00
flush-memcached memcached: Switch from pylibmc to python-binary-memcached. 2020-08-06 12:51:14 -07:00
generate_secrets.py settings: Support arbitrary database user and dbname. 2021-05-25 13:46:58 -07:00
generate-rabbitmq-cookie CVE-2021-43799: Set a secure Erlang cookie. 2022-01-25 02:13:53 +00:00
generate-self-signed-cert shfmt: Reformat shell scripts with shfmt. 2020-10-15 15:16:00 -07:00
initialize-database docs: Add missing space to compound verbs “log in”, “set up”, etc. 2021-04-26 09:31:08 -07:00
inline_email_css.py python: Remove locally dead code. 2021-08-19 01:51:37 -07:00
install install: Use a period at end of root error message. 2021-06-23 08:42:46 -07:00
postgresql-init-db postgresql-init-db: Support arbitrary database user and dbname. 2021-05-25 13:56:04 -07:00
reindex-textual-data reindex-textual-data: Reindex textual functional indexes too. 2022-01-07 10:37:04 -08:00
restore-backup python: Replace universal_newlines with text. 2022-01-23 22:16:01 -08:00
setup-certbot setup-certbot: Reinstate nginx reload after installation. 2021-12-10 16:43:53 -08:00
sha256-tarball-to scripts: Use curl -f (--fail). 2021-07-13 16:47:49 -07:00
terminate-psql-sessions terminate-psql-sessions: Rely on the caller to set PGHOST, PGUSER. 2020-06-15 21:37:14 -07:00
upgrade-postgresql upgrade-postgresql: Check for extension upgrade steps. 2021-11-20 07:13:50 -08:00