Type: Epic
Resolution: Fixed
Priority: Major - P3
Affects Version/s: None
Component/s: None
Improve processlist output
Summary
This project aims to determine what action, if any, is needed to prevent or mitigate the visibility of password arguments in ps output.
Motivation
Currently, there are two ways to provide a password to the tools. One is on the command line via the --password flag, and the other is via stdin (when --password="" or --username is set without --password). When the password is provided on the command line, it is visible in the output of ps (or, more generally, to anyone with access to the process table).
Over the years, this behavior has been discussed in the context of the tools (TOOLS-1020), the server (SECURITY-26), and other products like the BI Connector (BI-846). The discussion resurfaced recently.
Past discussions and product decisions do not clearly indicate the correct course of action for the tools. For example, the mongo shell overwrites passwords on the command line with “x” characters, while the tools have elected not to do the same in the past, citing security concerns. The BI Connector has also elected not to obscure command-line passwords, as it is possible for users to provide passwords via other means.
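As an added example (not code from the tools or from this ticket), the exposure described under Motivation can be audited on a host: the Python below parses NUL-separated /proc/<pid>/cmdline buffers, reports processes whose --password carries a non-empty value, and masks that value in the report. The sample process table, the mask string and the treatment of a space-separated value are assumptions made for illustration.

```python
import os

FLAG = "--password"   # the password flag named in this ticket
MASK = "<redacted>"   # hypothetical mask string used in the report

def parse_cmdline(raw: bytes) -> list[str]:
    """Split a /proc/<pid>/cmdline buffer (NUL-terminated argv entries)."""
    if raw.endswith(b"\0"):
        raw = raw[:-1]
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0")] if raw else []

def redact(argv: list[str]) -> tuple[list[str], bool]:
    """Return (argv with password values masked, whether a value was exposed)."""
    out, exposed, prev = [], False, ""
    for arg in argv:
        if arg.startswith(FLAG + "=") and arg != FLAG + "=":  # bare "--password=" prompts on stdin
            arg, exposed = FLAG + "=" + MASK, True
        elif prev == FLAG and arg and not arg.startswith("-"):  # assumption: next arg is the value
            arg, exposed = MASK, True
        out.append(arg)
        prev = arg
    return out, exposed

def audit(procs: dict[int, bytes]) -> dict[int, str]:
    """Map pid -> masked command line for every process exposing a password."""
    hits = {}
    for pid, raw in procs.items():
        masked, exposed = redact(parse_cmdline(raw))
        if exposed:
            hits[pid] = " ".join(masked)
    return hits

def read_proc() -> dict[int, bytes]:
    """Snapshot the live Linux process table (readable entries only)."""
    procs = {}
    for name in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{name}/cmdline", "rb") as f:
                procs[int(name)] = f.read()
        except OSError:  # process exited or access denied
            continue
    return procs

SAMPLE = {  # constructed sample process table, not real data
    101: b"mongodump\0--username\0backup\0--password=s3cret\0",
    102: b"mongodump\0--username\0backup\0--password=\0",
    103: b"mongostat\0--username\0ops\0--password\0hunter2\0",
    104: b"mongotop\0--username\0ops\0",
}
```

`audit(SAMPLE)` runs offline on the constructed table; `audit(read_proc())` applies the same check to a live Linux host.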
is duplicated by
- SERVER-52537 Mongostat,mongotop and other similar mongo commands are showing password in plain text on linux ps commands (Closed)
- TOOLS-2768 mongoimport shows clear password in ps (Closed)
is related to
- TOOLS-1020 mongodump/mongorestore shows clear password in the process list (Closed)
- SERVER-5897 Backup with mongodump protecting the credentials (Closed)
- TOOLS-151 CLI tools should take username/password from the environment. (Closed)
- TOOLS-1782 Mask password from being displayed in process list (Closed)