Tools installed by RPM packages to /usr/bin are owned by mongod:mongod instead of root:root


    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor - P4
    • 100.5.3
    • Affects Version/s: None
    • Component/s: None
    • None

      A customer security scan (OpenSCAP) is flagging an issue with the way we install database-tools, which are now installed in /usr/bin but owned by mongod:mongod (this is on a RHEL 8.5 system). This is at odds with the security-issued guidance that all files in this directory should be owned by root:root. Our setup is certainly anomalous - out of hundreds of files in this location, only the MDB tools are owned by a non-root user. And after a little bit of investigation, I determined also that we used to install tools as root:root, prior to separating out the tools from the core server in 4.4.

      Was this change done deliberately? If so, what security-focused rationale can I provide the customer? Alternatively, should we consider reverting back to the more conventional approach?

      Here is the relevant guidance published in the RHEL8 STIG (Security Technical Implementation Guide):

      https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2021-12-03/finding/V-230259

      https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2021-12-03/finding/V-230258

      RPM building code starts at https://github.com/mongodb/mongo-tools/blob/c714431e657660968a5fd0eedebd0876fae2576e/release/release.go#L312
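Two shell helpers for reproducing the scan finding and for checking a package before it is installed, added here as an example and not part of mongo-tools: `audit_tree` lists files directly under a directory whose owner:group differs from the expected one (the STIG expectation for /usr/bin is root:root), and `audit_rpm_dump` applies the same check to the file list that `rpm -qp --dump <package>.rpm` prints (the sample dump lines below are constructed, not taken from a real package).

```sh
#!/bin/sh
# Added audit helpers (not mongo-tools code). Both report files whose owner:group
# is not the expected value, e.g. root:root for everything under /usr/bin.

# audit_tree DIR WANT
#   Print "<path> <actual owner:group>" for every regular file directly under DIR
#   whose owner:group is not WANT; print nothing when all files conform.
#   Uses GNU find's -printf, as on RHEL.
audit_tree() {
    dir=$1; want=$2
    find "$dir" -maxdepth 1 -type f -printf '%u:%g %p\n' 2>/dev/null |
    while read -r have path; do
        [ "$have" = "$want" ] || printf '%s %s\n' "$path" "$have"
    done
}

# audit_rpm_dump WANT
#   Read `rpm -q[p] --dump` lines on stdin; each line is
#   "path size mtime digest mode owner group isconfig isdoc rdev symlink".
#   Print "<path> <owner:group>" for entries under /usr/bin not owned by WANT,
#   so a package can be checked before it ever touches the filesystem.
audit_rpm_dump() {
    want=$1
    while read -r path _size _mtime _digest _mode owner group _rest; do
        case $path in /usr/bin/*) ;; *) continue ;; esac
        [ "$owner:$group" = "$want" ] || printf '%s %s:%s\n' "$path" "$owner" "$group"
    done
}

# Constructed sample of `rpm -qp --dump` output (not a real package listing):
# one tool owned by the service account, one by root, one doc file outside /usr/bin.
SAMPLE_DUMP='/usr/bin/mongodump 14000000 1640000000 0000 0100755 mongod mongod 0 0 0 X
/usr/bin/bsondump 9000000 1640000000 0000 0100755 root root 0 0 0 X
/usr/share/doc/mongodb-database-tools/README.md 2000 1640000000 0000 0100644 mongod mongod 0 1 0 X'

printf '%s\n' "$SAMPLE_DUMP" | audit_rpm_dump root:root
# prints: /usr/bin/mongodump mongod:mongod
```

On a live system, `audit_tree /usr/bin root:root` reproduces the OpenSCAP finding directly, and `rpm -qf <path>` then attributes each offending file to the package that shipped it.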

              Assignee:
              Dave Rolsky
              Reporter:
              Jonathan Janos
              Votes:
              0
              Watchers:
              5
