Details
-
Bug
-
Resolution: Done
-
Critical - P2
-
None
-
Minor Change
-
ALL
Description
Starting with a custom bind_ip, which does not resolve should not be permitted.
$ ./mongod ... --bind_ip=foo
|
...
|
[initandlisten] options: { net: { bindIp: "foo", http: { RESTInterfaceEnabled: true, enabled: true } },...
|
[initandlisten] getaddrinfo("foo") failed: nodename nor servname provided, or not known
|
[initandlisten] waiting for connections on port 27017
|
[websvr] getaddrinfo("foo") failed: nodename nor servname provided, or not known
|
[websvr] admin web console waiting for connections on port 28017
|
As you can see above, even though the bind_ip is specified, the server still listens on all addresses which could be a serious security or ops problem.
$ netstat -na | grep LIST
|
tcp4 0 0 *.28017 *.* LISTEN
|
tcp4 0 0 *.27017 *.* LISTEN
|
If there is any error resolving, or listening on any of the bind_ip (addresses) the server should fail to initialize just like if the port is already used or not allowed to be used for the user/process trying to listen on it.
Here are some examples of similar errors:
// IP specified not valid on the host
|
[initandlisten] listen(): bind() failed errno:49 Can't assign requested address for socket: 127.1.1.1:27017
|
[websvr] listen(): bind() failed errno:49 Can't assign requested address for socket: 127.1.1.1:28017
|
... shutdown
|
// Protected port specified
|
[initandlisten] listen(): bind() failed errno:13 Permission denied for socket: 0.0.0.0:80
|
... shutdown
|
Having a better, and consistent, error message for all these cases might be nice as well, but first and foremost, the system should be stable and secure.
Attachments
Issue Links
- is duplicated by
-
SERVER-15656 Improve bind_ip handling of badly formatted Internet address numbers
-
- Closed
-
- related to
-
SERVER-15630 Empty net.bindIp listens to all interfaces
-
- Closed
-
-
SERVER-15656 Improve bind_ip handling of badly formatted Internet address numbers
-
- Closed
-