Core Server / SERVER-25335

0002 umask yields world-readable .dbshell history file


Details

    • Minor Change
    • ALL
    • v3.2, v3.0

      rm ~/.dbshell
      echo test | mongo
      ls -la ~/.dbshell
      

    • 27

    Description

      During a very similar bug report on redis (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832460), lamby@ linked to a code search which hinted at a similar bug in mongodb.

      I've verified this bug exists in 2.4.10 (current mongodb in debian stable), but I'm not sure about the latest version.

      I think the severity for this bug is lower, given that db.auth isn't written to ~/.dbshell, but it might leak sensitive application-specific information that might be useful for a local attacker.

      I suggest the permissions should be set to the user only (0600) instead of world-readable (0644, current permissions).


            People

              kevin.pulo@mongodb.com Kevin Pulo
              kpcyrd kpcyrd
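The behaviour reported above and the suggested 0600 fix, as an added C example; it is not code from the mongo shell or from the report. The function names and the scratch directory under /tmp are hypothetical, and the history lines are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Writer the report describes: fopen() asks for 0666 and the umask
   decides the rest (0002 -> 0664, 0022 -> 0644), both world-readable. */
int save_history_umask(const char *path, const char *line) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int rc = fprintf(f, "%s\n", line) < 0 ? -1 : 0;
    return fclose(f) != 0 ? -1 : rc;
}

/* Suggested behaviour: owner-only (0600) whatever the umask is. */
int save_history_private(const char *path, const char *line) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    /* open()'s mode applies only on creation; fchmod() fixes an older file. */
    int rc = fchmod(fd, 0600);
    if (rc == 0 && dprintf(fd, "%s\n", line) < 0) rc = -1;
    return close(fd) != 0 ? -1 : rc;
}

/* Constructed demo: under umask `mask`, write a history file in a fresh
   private directory and return its permission bits (-1 on error). */
int history_mode(mode_t mask, int use_private, int preexisting) {
    char dir[] = "/tmp/dbshell-demo-XXXXXX", path[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/.dbshell", dir);
    mode_t old = umask(mask);
    int rc = preexisting ? save_history_umask(path, "old line") : 0;
    if (rc == 0)
        rc = (use_private ? save_history_private : save_history_umask)(path, "db.users.find()");
    umask(old);
    int mode = (rc == 0 && stat(path, &st) == 0) ? (int)(st.st_mode & 0777) : -1;
    unlink(path);
    rmdir(dir);
    return mode;
}

int main(void) {
    printf("umask 0002, fopen writer:        %04o\n", history_mode(0002, 0, 0));
    printf("umask 0002, 0600 over old file:  %04o\n", history_mode(0002, 1, 1));
    return 0;
}
```

The explicit `fchmod()` matters for upgrades: a history file already created with permissive bits stays that way unless the writer tightens it on the next save.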