Details
-
Task
-
Status: Closed
-
Major - P3
-
Resolution: Fixed
-
None
-
None
-
None
-
3
-
ServerDocs2020: Jan5 - Jan12, ServerDocs2020: Jan12 - Jan19, ServerDocs2020: Jan19 - Jan26, ServerDocs2020: Jan26 - Feb2, ServerDocs2020: Feb2 - Feb9, ServerDocs2020: Feb9 - Feb16
Description
Description
some docs changes proposed in "behavioral description" section of the tech design doc
(https://docs.google.com/document/d/1nh_gb_iMapJfCV5eeHFAr_awwckyv73lGZRb6RUih2c/edit#heading=h.2s9zdv6a57gn)
Engineering Description
Summary
The scope for this project aims to determine what action, if any, is needed to prevent or mitigate the visibility of password arguments in ps output.
Motivation
Currently, there are two ways to provide a password to the tools. One is on the command line via the --password flag, and the other is via stdin (when --password="" or --username is set without --password). When the password is provided on the command line, it is visible in the output of ps (or, more generally, to anyone with access to the process table).
Over the years, this behavior has been discussed in the context of the tools (TOOLS-1020), the server (SECURITY-26), and other products like the BI Connector (BI-846). The discussion resurfaced recently.
Past discussions and product decisions do not clearly indicate the correct course of action for the tools. For example, the mongo shell overwrites passwords in the command-line with “x” characters, while the tools have elected not to do the same in the past, citing security concerns. The BI Connector has also elected not to obscure command-line passwords, as it is possible for users to provide passwords via other means.
Scope of changes
Impact to Other Docs
MVP (Work and Date)
Resources (Scope or Design Docs, Invision, etc.)
Attachments
Issue Links
- documents
-
TOOLS-2447 Improve processlist output
-
- Closed
-