  1. MongoDB Database Tools
  2. TOOLS-2768

mongoimport shows clear password in ps


Details

    • Bug
    • Status: Closed
    • Minor - P4
    • Resolution: Duplicate
    • 100.2.0
    • No versions
    • None
    • Linux

    Description

      When you run mongoimport with a password, every user on the host can see the password in clear text by using a simple `ps` command.

      The command line masks the password; however, in the process arguments it is shown as clear text:

       

      $ mongoimport --username=syslog-ng --password=secretPassword --authenticationDatabase=admin --db=mip --collection=sessions.raw 
      2020-11-05T09:33:56.375+0100    connected to: mongodb://localhost/
       
      $ mongoimport --uri=mongodb://syslog-ng:secretPassword@localhost/mip?authSource=admin -c sessions.raw
      2020-11-05T09:34:41.244+0100    connected to: mongodb://[**REDACTED**]@localhost/mip?authSource=admin
       
       
      $ ps -fp $(pidof -sx mongoimport)
       
      UID        PID  PPID  C STIME TTY          TIME CMD
      mediati+ 13301 13168  0 09:27 pts/1    00:00:00     mongoimport --username=syslog-ng --password=secretPassword --authenticationDatabase=admin --db=mip --collection=sessions.raw
       
      UID        PID  PPID  C STIME TTY          TIME CMD
      mediati+ 56595 56547  0 Nov04 ?        00:05:06     mongoimport --uri=mongodb://syslog-ng:secretPassword@localhost/mip?authSource=admin -c sessions.raw
      
      

      For comparison, have a look at the `mongo` shell; there the password is hidden, as it should be:

      $ mongo --username=syslog-ng --password=secretPassword --authenticationDatabase=admin mip
      $ mongo mongodb://syslog-ng:secretPassword@localhost/mip?authSource=admin 
       
      $ ps -fp $(pidof -sx mongo)
       
      UID        PID  PPID  C STIME TTY          TIME CMD
      mediati+ 13434 13168  0 09:28 pts/1    00:00:00     mongo --username=syslog-ng --password=xxxxxxxx --authenticationDatabase=admin mip
       
      UID        PID  PPID  C STIME TTY          TIME CMD
      mediati+ 23607 13168  1 09:37 pts/1    00:00:00     mongo mongodb://syslog-ng@localhost/mip
       
      
      

       

      Any plans to get rid of this security flaw?

       

      Kind Regards
      Wernfried
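
An added example, not part of the original report and not MongoDB code: a Python audit that flags processes whose argument vector carries a `--password` value or a password inside a `mongodb://` URI, as in the `ps` output above, and reports them with the secret masked. The function names and the rule that an all-`x` value counts as already scrubbed are assumptions made here.

```python
import re
from pathlib import Path

MASK = "xxxxxxxx"  # same placeholder the mongo shell shows in the ps output above
# user:password@ inside a mongodb:// or mongodb+srv:// connection string
URI_CRED = re.compile(r"(mongodb(?:\+srv)?://[^:/@\s]+):([^@\s]+)@")

def _masked(value):
    # Assumption: a value made only of 'x' was already scrubbed by the process.
    return value == "" or set(value) == {"x"}

def redact_argv(argv):
    """Return (redacted_argv, findings) for one process argument vector."""
    out, findings = [], []
    expect_value = False
    for arg in argv:
        if expect_value:                      # value of "--password VALUE"
            expect_value = False
            if not arg.startswith("-"):
                if not _masked(arg):
                    findings.append("--password value in argv")
                out.append(MASK)
                continue
        if arg == "--password":
            expect_value = True
            out.append(arg)
        elif arg.startswith("--password="):
            if not _masked(arg.split("=", 1)[1]):
                findings.append("--password value in argv")
            out.append("--password=" + MASK)
        elif (m := URI_CRED.search(arg)) and not _masked(m.group(2)):
            findings.append("password in connection URI")
            out.append(URI_CRED.sub(r"\1:" + MASK + "@", arg))
        else:
            out.append(arg)
    return out, findings

def scan_proc(root="/proc"):
    """Audit every readable /proc/<pid>/cmdline; results hold only masked argv."""
    hits = []
    for path in Path(root).glob("[0-9]*/cmdline"):
        try:
            argv = path.read_bytes().decode("utf-8", "replace").split("\0")
        except OSError:                       # process exited or access denied
            continue
        redacted, findings = redact_argv([a for a in argv if a])
        if findings:
            hits.append((int(path.parent.name), findings, redacted))
    return hits
```

Run `scan_proc()` from an unprivileged account to see what any other local user would see; the returned tuples contain the PID, the finding types and the masked argument vector only.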

       

            People

              Unassigned Unassigned
              wernfried.domscheit@sunrise.net Wernfried Domscheit