Details
- Type: Bug
- Status: Closed
- Priority: Minor - P4
- Resolution: Duplicate
- 100.2.0
- None
- None
- Linux
Description
When you run mongoimport with a password, every user on the host can see the password in clear text by using a simple `ps` command.
The command line masks the password; however, in the process arguments it is shown in clear text:
$ mongoimport --username=syslog-ng --password=secretPassword --authenticationDatabase=admin --db=mip --collection=sessions.raw
2020-11-05T09:33:56.375+0100 connected to: mongodb://localhost/

$ mongoimport --uri=mongodb://syslog-ng:secretPassword@localhost/mip?authSource=admin -c sessions.raw
2020-11-05T09:34:41.244+0100 connected to: mongodb://[**REDACTED**]@localhost/mip?authSource=admin

$ ps -fp $(pidof -sx mongoimport)
UID        PID   PPID  C STIME TTY          TIME CMD
mediati+ 13301  13168  0 09:27 pts/1    00:00:00 mongoimport --username=syslog-ng --password=secretPassword --authenticationDatabase=admin --db=mip --collection=sessions.raw

UID        PID   PPID  C STIME TTY          TIME CMD
mediati+ 56595  56547  0 Nov04 ?        00:05:06 mongoimport --uri=mongodb://syslog-ng:secretPassword@localhost/mip?authSource=admin -c sessions.raw

For comparison, have a look at the `mongo` shell, where the password is hidden as it should be:
$ mongo --username=syslog-ng --password=secretPassword --authenticationDatabase=admin mip

$ mongo mongodb://syslog-ng:secretPassword@localhost/mip?authSource=admin

$ ps -fp $(pidof -sx mongo)
UID        PID   PPID  C STIME TTY          TIME CMD
mediati+ 13434  13168  0 09:28 pts/1    00:00:00 mongo --username=syslog-ng --password=xxxxxxxx --authenticationDatabase=admin mip

UID        PID   PPID  C STIME TTY          TIME CMD
mediati+ 23607  13168  1 09:37 pts/1    00:00:00 mongo mongodb://syslog-ng@localhost/mip

Any plans to get rid of this security flaw?
Kind Regards
Wernfried
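The check the report performs by hand with `ps`, turned into a script a host owner can run to find every process that exposes a credential in its arguments. This is an added example written for this report, not code from mongoimport or the MongoDB database tools. It reads `/proc/<pid>/cmdline` (the source of the CMD column in `ps -f`) and prints each offending argument list with the secret already masked, so the audit does not re-expose what it finds. The option names in `SECRET_OPTS`, the `MASK` string, the URI credential pattern and the sample command lines (keyed by the PIDs from the listings above) are assumptions constructed for the example.

```python
"""Audit local processes for credentials exposed on the command line.

Added example for this report; not code from mongoimport or the MongoDB
tools. /proc/<pid>/cmdline is readable by every local user on a default
/proc mount, which is exactly why `ps` shows the password to everyone.
Option names and sample command lines below are constructed for the example.
"""
import os
import re
from typing import List, Tuple

# Options whose value is a secret (assumed list; `-p` is the short form of --password).
SECRET_OPTS = {"--password", "-p", "--sslPEMKeyPassword"}
# user:secret@ inside any scheme://... connection string (mongodb://, mongodb+srv://).
# A URI without userinfo (mongodb://host:27017/db) must not match: the password
# class excludes "/" so a port number is never mistaken for a secret.
URI_CRED_RE = re.compile(r"(\b[a-z][a-z0-9+.\-]*://[^:/@\s]+:)([^@/\s]+)(@)")
MASK = "********"


def redact_argv(argv: List[str]) -> Tuple[List[str], bool]:
    """Return (argv with secrets masked, True if any secret was found)."""
    out: List[str] = []
    leaked = False
    i = 0
    while i < len(argv):
        arg = argv[i]
        name, eq, _value = arg.partition("=")
        if name in SECRET_OPTS and eq:
            # --password=secret
            out.append(name + "=" + MASK)
            leaked = True
        elif name in SECRET_OPTS and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            # --password secret  (heuristic: a bare --password followed by another
            # option is the "prompt for it" form and exposes nothing)
            out.extend([arg, MASK])
            leaked = True
            i += 1
        else:
            # --uri=mongodb://user:secret@host/db, or a bare connection string
            masked, n = URI_CRED_RE.subn(r"\g<1>" + MASK + r"\3", arg)
            leaked = leaked or n > 0
            out.append(masked)
        i += 1
    return out, leaked


def parse_cmdline(raw: bytes) -> List[str]:
    """Split the NUL-separated contents of /proc/<pid>/cmdline into argv."""
    return [a.decode("utf-8", errors="replace") for a in raw.split(b"\0") if a]


def scan_proc(proc_root: str = "/proc") -> List[Tuple[int, List[str]]]:
    """Return (pid, masked argv) for every process leaking a secret in its argv."""
    findings: List[Tuple[int, List[str]]] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as f:
                argv = parse_cmdline(f.read())
        except OSError:
            continue  # process already exited, or /proc is mounted with hidepid
        masked, leaked = redact_argv(argv)
        if leaked:
            findings.append((int(entry), masked))
    return findings


# Constructed stand-ins for what /proc/<pid>/cmdline held for the two
# mongoimport processes in the report's ps listings (NUL-separated, as the
# kernel exposes it).
SAMPLE_CMDLINES = {
    13301: b"mongoimport\0--username=syslog-ng\0--password=secretPassword\0"
           b"--authenticationDatabase=admin\0--db=mip\0--collection=sessions.raw\0",
    56595: b"mongoimport\0--uri=mongodb://syslog-ng:secretPassword@localhost/mip"
           b"?authSource=admin\0-c\0sessions.raw\0",
}


def audit_samples() -> List[Tuple[int, str]]:
    """Run the check over the constructed samples; one masked line per leaking process."""
    results = []
    for pid, raw in SAMPLE_CMDLINES.items():
        masked, leaked = redact_argv(parse_cmdline(raw))
        if leaked:
            results.append((pid, " ".join(masked)))
    return results


if __name__ == "__main__":
    for pid, argv in scan_proc():
        print(f"pid {pid}: {' '.join(argv)}")
```

Run it as any local user to see the same view `ps` gives; run it from cron or a host-audit job to catch credentials that were pasted into command lines. Note that it flags a masked value such as the `xxxxxxxx` the `mongo` shell writes over its own argv just like a real one, because a scanner cannot tell a placeholder from a secret; the fix is on the producer side, by giving `--password` without a value so mongoimport prompts for it instead of taking it from argv.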
Attachments
Issue Links
- duplicates TOOLS-2447 Improve processlist output (Closed)