mirror of
https://github.com/zulip/zulip.git
synced 2025-10-24 16:43:57 +00:00
The RabbitMQ docs state ([1]): RabbitMQ nodes and CLI tools (e.g. rabbitmqctl) use a cookie to determine whether they are allowed to communicate with each other. [...] The cookie is just a string of alphanumeric characters up to 255 characters in size. It is usually stored in a local file. ...and goes on to state (emphasis ours): If the file does not exist, Erlang VM will try to create one with a randomly generated value when the RabbitMQ server starts up. Using such generated cookie files are **appropriate in development environments only.** The auto-generated cookie does not use cryptographic sources of randomness, and generates 20 characters of `[A-Z]`. Because of a semi-predictable seed, the entropy of this password is thus less than the idealized 26^20 = 94 bits of entropy; in actuality, it is 36 bits of entropy, or potentially as low as 20 if the performance of the server is known. These sizes are well within the scope of remote brute-force attacks. On provision, install, and upgrade, replace the default insecure 20-character Erlang cookie with a cryptographically secure 255-character string (the max length allowed). [1] https://www.rabbitmq.com/clustering.html#erlang-cookie
28 lines
891 B
Bash
Executable File
28 lines
891 B
Bash
Executable File
#!/usr/bin/env bash
|
||
#
|
||
# rabbitmq sets an insecure "magic cookie" which is used for auth;
|
||
# reset it to be longer.
|
||
set -eu
|
||
|
||
cookiefile=/var/lib/rabbitmq/.erlang.cookie
|
||
# If the RabbitMQ distribution cookie is insecure, reset it
|
||
if [ ! -f "$cookiefile" ] || ! size="$(wc -c "$cookiefile")" || [ "${size%% *}" -le 20 ]; then
|
||
running=0
|
||
if service rabbitmq-server status >/dev/null; then
|
||
running=1
|
||
service rabbitmq-server stop
|
||
fi
|
||
|
||
echo "Setting a more secure RabbitMQ distribution magic cookie"
|
||
cookie="$(LC_ALL=C tr -dc '[:alnum:]' </dev/urandom | head -c255)"
|
||
[ "${#cookie}" -eq 255 ] # make sure tr wasn’t OOM-killed
|
||
tmpfile="$(mktemp "$cookiefile.XXXXXXXXXX")"
|
||
chown rabbitmq: "$tmpfile"
|
||
printf '%s' "$cookie" >"$tmpfile"
|
||
mv "$tmpfile" "$cookiefile"
|
||
|
||
if [ "$running" == "1" ]; then
|
||
service rabbitmq-server start
|
||
fi
|
||
fi
|