[SERVER-11887] Default file permissions on mongod and audit logs
Created: 27/Nov/13  Updated: 18/Jun/19  Resolved: 26/Oct/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.5.4
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Mark Helmstetter
Assignee: Jonathan Reams
Resolution: Duplicate
Votes: 0
Labels: Auditing, platforms-re-triaged, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Duplicate
is duplicated by SERVER-36977 Initial mongod.log is created using u... Closed
Related
is related to SERVER-22829 WiredTiger data files world-readable Closed
Operating System: ALL
Sprint: Security 2018-10-22, Security 2018-11-05
Participants:

 Description   

The mongod and audit logs appear to have permissions of 644. Ideally these should default to 600, and perhaps provide the ability for that to be overridden.

This is a security requirement specified under the DISA STIG.



 Comments   
Comment by Jonathan Reams [ 26/Oct/18 ]

This should be fixed by SERVER-36977 which adds a test to make sure the normal server and audit log permissions match the umask of the process.

Comment by Spencer Jackson [ 14/Sep/18 ]

SERVER-22829 made the server set umasks and provided a way to override the defaults. However, the umask appears to not be being set until after the log file is open. This is likely related to SERVER-36977.
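
Added example (not part of the ticket and not MongoDB's code): a minimal C model of the ordering described in the comments, where a log file opened before the restrictive umask is applied keeps the inherited mode. The helper names, the scratch path under /tmp and the inherited umask of 022 are assumptions, chosen to reproduce the 644 and 600 modes mentioned in the description.

```c
/* Added example: effect of umask ordering on a newly created log file. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a scratch "log" the way a logger would (requested mode 0666,
 * filtered by the process umask) and return the resulting permission bits,
 * or -1 on error. If umask_first is nonzero the restrictive umask is applied
 * before open(); otherwise after it, the ordering the ticket comments describe. */
static int log_mode_after_create(mode_t inherited, mode_t restrictive, int umask_first)
{
    char path[64];
    struct stat st;
    int fd, mode = -1;
    mode_t saved;

    /* Constructed scratch path; O_EXCL refuses a pre-existing file or symlink. */
    snprintf(path, sizeof path, "/tmp/logperm-%ld.log", (long)getpid());

    saved = umask(inherited);               /* assumed: umask inherited from the launcher */
    if (umask_first) umask(restrictive);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (!umask_first) umask(restrictive);   /* too late: the mode is fixed at creation */
    if (fd >= 0) {
        if (fstat(fd, &st) == 0) mode = (int)(st.st_mode & 0777);
        close(fd);
        unlink(path);
    }
    umask(saved);                           /* restore the caller's umask */
    return mode;
}

/* Nonzero if any group/other permission bit is set, i.e. looser than 0600. */
static int looser_than_0600(int mode) { return (mode & 077) != 0; }

int main(void)
{
    int late = log_mode_after_create(022, 077, 0);
    int early = log_mode_after_create(022, 077, 1);
    printf("umask set after open:  %04o %s\n", late, looser_than_0600(late) ? "FAIL" : "ok");
    printf("umask set before open: %04o %s\n", early, looser_than_0600(early) ? "FAIL" : "ok");
    return 0;
}
```

A later umask() call never changes the mode of a file that already exists, so tightening an already-created log requires an explicit chmod() or fchmod().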
