  1. MongoDB Database Tools
  2. TOOLS-2768

mongoimport shows clear password in ps

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor - P4
    • Resolution: Duplicate
    • Affects Version/s: 100.2.0
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Environment:
      Linux

      Description

      When you run mongoimport with a password, every user on the host can see the password in clear text by using a simple `ps` command.

      The command line masks the password; however, in the process arguments it is shown in clear text:

       

      $ mongoimport --username=syslog-ng --password=secretPassword --authenticationDatabase=admin --db=mip --collection=sessions.raw 
      2020-11-05T09:33:56.375+0100    connected to: mongodb://localhost/
       
      $ mongoimport --uri=mongodb://syslog-ng:secretPassword@localhost/mip?authSource=admin -c sessions.raw
      2020-11-05T09:34:41.244+0100    connected to: mongodb://[**REDACTED**]@localhost/mip?authSource=admin
       
       
      $ ps -fp $(pidof -sx mongoimport)
       
      UID        PID  PPID  C STIME TTY          TIME CMD
      mediati+ 13301 13168  0 09:27 pts/1    00:00:00     mongoimport --username=syslog-ng --password=secretPassword --authenticationDatabase=admin --db=mip --collection=sessions.raw
       
      UID        PID  PPID  C STIME TTY          TIME CMD
      mediati+ 56595 56547  0 Nov04 ?        00:05:06     mongoimport --uri=mongodb://syslog-ng:secretPassword@localhost/mip?authSource=admin -c sessions.raw
      
      

      For comparison, have a look at the `mongo` shell; there the password is hidden, as it should be:

      $ mongo --username=syslog-ng --password=secretPassword --authenticationDatabase=admin mip
      $ mongo mongodb://syslog-ng:secretPassword@localhost/mip?authSource=admin 
       
      $ ps -fp $(pidof -sx mongo)
       
      UID        PID  PPID  C STIME TTY          TIME CMD
      mediati+ 13434 13168  0 09:28 pts/1    00:00:00     mongo --username=syslog-ng --password=xxxxxxxx --authenticationDatabase=admin mip
       
      UID        PID  PPID  C STIME TTY          TIME CMD
      mediati+ 23607 13168  1 09:37 pts/1    00:00:00     mongo mongodb://syslog-ng@localhost/mip
       
      
      

       

      Any plans to get rid of this security flaw?

       

      Kind Regards
      Wernfried
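
A defender can audit a Linux host for the exposure reported above by reading each process's argument vector from `/proc/<pid>/cmdline`, the same data `ps` prints. The following is an added example, not code from the issue or from the MongoDB project; the names `exposed_secrets` and `scan_proc` are hypothetical, and treating a value made only of `x` or `*` as already masked is an assumption based on the `mongo` output shown above.

```python
import os
import re

# Constructed sample input: the four argv vectors from the ps listings above.
SAMPLE_ARGVS = [
    ["mongoimport", "--username=syslog-ng", "--password=secretPassword",
     "--authenticationDatabase=admin", "--db=mip", "--collection=sessions.raw"],
    ["mongoimport", "--uri=mongodb://syslog-ng:secretPassword@localhost/mip"
     "?authSource=admin", "-c", "sessions.raw"],
    ["mongo", "--username=syslog-ng", "--password=xxxxxxxx",
     "--authenticationDatabase=admin", "mip"],
    ["mongo", "mongodb://syslog-ng@localhost/mip"],
]

URI_CRED = re.compile(r"mongodb(?:\+srv)?://[^/:@\s]+:([^@/\s]+)@")
# Assumption: a value made only of x or * was already overwritten by the process
MASKED = re.compile(r"^(?:x+|\*+)$")


def exposed_secrets(argv):
    """Return the argv indexes that carry a readable password (never the value)."""
    hits = []
    for i, arg in enumerate(argv):
        if arg.startswith("--password="):
            value = arg.split("=", 1)[1]
        else:
            m = URI_CRED.search(arg)
            value = m.group(1) if m else ""
        if value and not MASKED.match(value):
            hits.append(i)
    return hits


def scan_proc(proc="/proc"):
    """Yield (pid, program, indexes) for live processes; Linux procfs only."""
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                argv = fh.read().decode(errors="replace").split("\0")
        except OSError:
            continue  # process already exited, or cmdline is not readable
        hits = exposed_secrets(argv)
        if hits:
            yield int(pid), argv[0], hits


if __name__ == "__main__":
    for pid, prog, hits in scan_proc():
        print(f"pid {pid} ({prog}): readable password at argv index {hits}")
```

The script reports only the PID, program name and argument index, so its own output does not copy the password into logs or terminals.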

       

              People

              Assignee: Unassigned
              Reporter: Wernfried Domscheit (wernfried.domscheit@sunrise.net)