[SERVER-13022] AF_UNIX socket file should not force a default mode of 0777. Created: 04/Mar/14 Updated: 12/Apr/15 Resolved: 29/May/14 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Networking, Security |
| Affects Version/s: | None |
| Fix Version/s: | 2.7.2 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Robert Moore | Assignee: | David Hows |
| Resolution: | Done | Votes: | 1 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||||||||||||||
| Backwards Compatibility: | Fully Compatible | ||||||||||||||||||||||||
| Operating System: | ALL | ||||||||||||||||||||||||
| Participants: | |||||||||||||||||||||||||
| Description |
|
This allows users other than the user running the server to access the socket file by default. The mode should default to 0700 and potentially provide an options for users to modify the default.
The current code does not even allow a user to create the socket file before the mongod/s process starts with appropriate permissions as the mongod/s always sets the permissions to 0777. This could allow an attacker to connect to the socket before the user can restrict the permissions. |
| Comments |
| Comment by Githook User [ 29/May/14 ] |
|
Author: {u'username': u'daveh86', u'name': u'daveh86', u'email': u'howsdav@gmail.com'}Message: Signed-off-by: Benety Goh <benety@mongodb.com> |
| Comment by Andy Schwerin [ 05/Mar/14 ] |
|
A workaround while this is unresolved is to use the unixSocketPrefix command line option to place the socket in a directory with restricted permissions. |