Halaman utama Jelajahi Bantuan
Masuk
kennyh
/
emqx4.3
1
0
Fork 0
Berkas Masalah 0 Tarik Permintaan 0 Wiki
Jelajahi Sumber

fix(security): don't silently load dynlibs

User now must set envvar RUN_EMQX_UNSAFE="I_AGREE" to load dynlibs in
the package.
William Yang 1 tahun lalu
induk
c84f6857b3
melakukan
655f51da4b
2 mengubah file dengan 12 tambahan dan 0 penghapusan
Tampilan Split Tampilkan Statistik Diff
  1. 7 0
      bin/emqx
  2. 5 0
      changes/ce/breaking-14063.en.md

+ 7 - 0
bin/emqx
Tampilan Berkas 

@@ -374,6 +374,13 @@ maybe_use_portable_dynlibs() {
 
     BUILD_INFO="$(cat "${REL_DIR}/BUILD_INFO")"
 
     COMPATIBILITY_INFO="$(compatiblity_info 2>/dev/null || true)"
 
     if ! (echo -e "$COMPATIBILITY_INFO" | $GREP -q 'CRYPTO_OK'); then
 
+        if [[ ${RUN_EMQX_UNSAFE:-} != "I_AGREE" ]] ; then
 
+            logerr "Please ensure libcrypto, libncurses and libatomic1 are properly installed via Opearating System package manager."
 
+            logerr "You may set environment variable RUN_EMQX_UNSAFE=I_AGREE to workaround this but not recommended from security perspective."
 
+            logerr "For more information check: https://docs.emqx.com/en/emqx/latest/faq/deployment.html#emqx-failed-to-start-with-log-message-on-load-function-failed-crypto"
 
+            die "Unsafe operation detected."
 
+        fi
 
+
 
         ## failed to start, might be due to missing libs, try to be portable
 
         export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:-$DYNLIBS_DIR}"
 
         if [ "$LD_LIBRARY_PATH" != "$DYNLIBS_DIR" ]; then

+ 5 - 0
changes/ce/breaking-14063.en.md
Tampilan Berkas 

@@ -0,0 +1,5 @@
 
+For security, user now must set envvar `RUN_EMQX_UNSAFE`="I_AGREE" to load dynlibs in the tar release package.
 
+
 
+This only affects the EMQX tar release package.
 
+This does not affect the OS installation packages (rpm, deb).
 
+