[SERVER-14272] Validate security key and PEM files has good security permissions on Windows Created: 16/Jun/14  Updated: 23/Jul/19  Resolved: 23/Jul/19

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.7.2
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Mark Benvenuto Assignee: Mark Benvenuto
Resolution: Won't Fix Votes: 0
Labels: neweng, platforms-re-triaged
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by SERVER-14271 Validate PEM files are not world read... Closed
Operating System: Windows
Sprint: Security 2019-07-29
Participants:

 Description   

See src/mongo/db/auth/security_key.cpp for ifndef _WIN32 code that validates security permissions no security key. We should add similar code for Windows.

#if !defined(_WIN32)
        // check permissions: must be X00, where X is >= 4
        if ((stats.st_mode & (S_IRWXG|S_IRWXO)) != 0) {
            log() << "permissions on " << filename << " are too open" << endl;
            return false;
        }
#endif



 Comments   
Comment by Mark Benvenuto [ 23/Jul/19 ]

Evaluating the quality of actual Windows ACLs is difficult. Why it is possible to undo the define outlined in the description, checking the quality of an ACL depends on understanding the ACEs that make up it and group memberships which is difficult to navigate.

Generated at Thu Feb 08 03:34:20 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.