-
Type: Improvement
-
Resolution: Works as Designed
-
Priority: Minor - P4
-
None
-
Affects Version/s: 4.1.8
-
Component/s: Networking
-
Labels:None
-
Security 2019-03-25, Security 2019-04-08
By default, mongod/mongos creates its socket with 0700 permissions:
speed% ls -l /tmp/mongodb-27017.sock srwx------ 1 sandbox sandbox 0 Mar 4 13:13 /tmp/mongodb-27017.sock
This means in order to use the server via the socket, if the server is running as its own user, one has to adjust socket permissions.
The restrictive socket permissions add no security if mongod/mongos is also listening on a TCP port, as any local user is able to connect to the server via TCP. Therefore if the server is listening on a TCP port, it should create the socket with 0666 permissions.
I imagine an administrator can configure a local firewall to deny local access to TCP ports, but this is a very uncommon situation and someone doing something like this would surely not only audit socket permissions, but also configure mongod to put its sockets into directories which are not world-accessible as an additional layer of security.