  1. Core Server
  2. SERVER-39947

mongod/mongos socket should be world-accessible if server is listening on a TCP port


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor - P4
    • Resolution: Works as Designed
    • Affects Version/s: 4.1.8
    • Fix Version/s: None
    • Component/s: Networking
    • Labels:
      None
    • Sprint:
      Security 2019-03-25, Security 2019-04-08

      Description

      By default, mongod/mongos creates its socket with 0700 permissions:

      speed% ls -l /tmp/mongodb-27017.sock
      srwx------ 1 sandbox sandbox 0 Mar  4 13:13 /tmp/mongodb-27017.sock
      

      This means in order to use the server via the socket, if the server is running as its own user, one has to adjust socket permissions.

      The restrictive socket permissions add no security if mongod/mongos is also listening on a TCP port, as any local user is able to connect to the server via TCP. Therefore if the server is listening on a TCP port, it should create the socket with 0666 permissions.

      I imagine an administrator can configure a local firewall to deny local access to TCP ports, but this is a very uncommon situation and someone doing something like this would surely not only audit socket permissions, but also configure mongod to put its sockets into directories which are not world-accessible as an additional layer of security.
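A check for the two conditions the description weighs, the socket's own mode and the accessibility of the directories that hold it, written as an added example that is not part of the original issue or of MongoDB's code. It assumes Linux semantics (connecting requires write permission on the socket file and search permission on every directory in its path) and evaluates only the "other" permission class; the name `audit_socket` and the demo socket are hypothetical.

```python
import os
import socket
import stat
import tempfile


def audit_socket(path):
    """Report whether users outside the owner and group can connect to a Unix socket."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a Unix domain socket")
    mode = stat.S_IMODE(st.st_mode)

    # Assumption (Linux): connect() needs write permission on the socket file.
    other_write = bool(mode & stat.S_IWOTH)

    # Every directory on the way to the socket must be searchable (x) by "other".
    blocking_dirs = []
    d = os.path.dirname(os.path.realpath(path))
    while True:
        if not os.stat(d).st_mode & stat.S_IXOTH:
            blocking_dirs.append(d)
        parent = os.path.dirname(d)
        if parent == d:  # reached the filesystem root
            break
        d = parent

    return {
        "mode": oct(mode),
        "other_write": other_write,
        "blocking_dirs": blocking_dirs,
        "world_connectable": other_write and not blocking_dirs,
    }


if __name__ == "__main__":
    # Constructed demo: a throwaway socket standing in for /tmp/mongodb-27017.sock.
    demo_dir = tempfile.mkdtemp()
    demo_path = os.path.join(demo_dir, "demo.sock")
    srv = socket.socket(socket.AF_UNIX)
    srv.bind(demo_path)
    os.chmod(demo_dir, 0o755)
    for socket_mode in (0o700, 0o666):
        os.chmod(demo_path, socket_mode)
        print(audit_socket(demo_path))
    # A private directory blocks other users even when the socket is 0666.
    os.chmod(demo_dir, 0o700)
    print(audit_socket(demo_path))
    srv.close()
```

The result covers only the Unix socket; whether the same server is also reachable over a local TCP port has to be checked separately.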
