[SERVER-25335] 0002 umask yields world-readable .dbshell history file - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: 2.4.10
Fix Version/s: 3.0.15, 3.2.14, 3.3.14
Component/s: Security
Labels:

Backwards Compatibility:
Minor Change
Operating System:
ALL
Backport Requested:

v3.2, v3.0
Steps To Reproduce:
Hide

rm ~/.dbshell

echo test | mongo

ls -la ~/.dbshell
Show
rm ~/.dbshell echo test | mongo ls -la ~/.dbshell
Linked BF Score:
27

Description

During a very similar bug report on redis (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832460), lamby@ linked to a code search which hinted a similar bug in mongodb.

I've verified this bug exists in 2.4.10 (current mongodb in debian stable), but I'm not sure about the latest version.

I think the severity for this bug is lower, given that db.auth isn't written to ~/.dbshell, but it might leak sensitive application specific information that might be useful for a local attacker.

I suggest the permissions should be set to the user only (0600) instead of world readable (0644, current permissions).

Attachments

Issue Links

is related to

SERVER-26489 mongo shell no longer records history of commands

Closed

SERVER-25963 shell should warn user if .dbshell history file is read/writeable by other users

Closed

related to

SERVER-22992 wait_for_pid() function in shell_utils_launcher.cpp doesn't wait for program output to finish being consumed

Closed

links to

Pull request #1106

Activity

People

Assignee:: Kevin Pulo

Reporter:: kpcyrd

Participants:: Githook User, Grant Ridder, Kevin Pulo, kpcyrd, Marek Skalický, Ramon Fernandez Marina

Votes:: 2 Vote for this issue

Watchers:: 20 Start watching this issue

Dates

Created:: Jul 29 2016 02:36:06 PM UTC

Updated:: Jun 07 2017 06:18:05 PM UTC

Resolved:: Sep 06 2016 01:55:28 AM UTC