Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-13022

AF_UNIX socket file should not force a default mode of 0777.

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.7.2
    • Component/s: Networking, Security
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL

      Description

      This allows users other than the user running the server to access the socket file by default. The mode should default to 0700 and potentially provide an options for users to modify the default.

                      if (chmod(me.getAddr().c_str(), 0777) == -1) {
                          error() << "couldn't chmod socket file " << me << errnoWithDescription() << endl;
                      }
       

      The current code does not even allow a user to create the socket file before the mongod/s process starts with appropriate permissions as the mongod/s always sets the permissions to 0777. This could allow an attacker to connect to the socket before the user can restrict the permissions.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                1 Vote for this issue
                Watchers:
                12 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: