Core Server / SERVER-25335

0002 umask yields world-readable .dbshell history file


    Details

    • Backwards Compatibility:
      Minor Change
    • Operating System:
      ALL
    • Backport Requested:
      v3.2, v3.0
    • Steps To Reproduce:

      rm ~/.dbshell
      echo test | mongo
      ls -la ~/.dbshell
    • Linked BF Score:
      10

      Description

      During a very similar bug report on redis (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832460), lamby@ linked to a code search which hinted at a similar bug in mongodb.

      I've verified this bug exists in 2.4.10 (current mongodb in debian stable), but I'm not sure about the latest version.

      I think the severity for this bug is lower, given that db.auth isn't written to ~/.dbshell, but it might leak sensitive application-specific information that might be useful for a local attacker.

      I suggest the permissions should be set to the user only (0600) instead of world readable (0644, current permissions).

    People

    • Votes:
      2
    • Watchers:
      20