[SERVER-13022] AF_UNIX socket file should not force a default mode of 0777. Created: 04/Mar/14  Updated: 12/Apr/15  Resolved: 29/May/14

Status: Closed
Project: Core Server
Component/s: Networking, Security
Affects Version/s: None
Fix Version/s: 2.7.2

Type: Bug
Priority: Major - P3
Reporter: Robert Moore
Assignee: David Hows
Resolution: Done
Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by SERVER-16086 Should not open the Unix Domain Socke... Closed
Related
related to SERVER-14110 Inconsistent handling of numerical ba... Closed
related to DOCS-5203 3.0 compatibility notes should mentio... Closed
related to SERVER-18000 Mongodb socket permissions Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Participants:

 Description   

This allows users other than the user running the server to access the socket file by default. The mode should default to 0700 and potentially provide an option for users to modify the default.

                if (chmod(me.getAddr().c_str(), 0777) == -1) {
                    error() << "couldn't chmod socket file " << me << errnoWithDescription() << endl;
                }
 

The current code does not even allow a user to create the socket file before the mongod/s process starts with appropriate permissions as the mongod/s always sets the permissions to 0777. This could allow an attacker to connect to the socket before the user can restrict the permissions.



 Comments   
Comment by Githook User [ 29/May/14 ]

Author: daveh86 <howsdav@gmail.com>

Message: SERVER-13022 added option to set permissions on UNIX domain socket file

Signed-off-by: Benety Goh <benety@mongodb.com>
Branch: master
https://github.com/mongodb/mongo/commit/2de7dc34561667c1873f76f39300f9826c159c20

Comment by Andy Schwerin [ 05/Mar/14 ]

A workaround while this is unresolved is to use the unixSocketPrefix command line option to place the socket in a directory with restricted permissions.
