[SERVER-14927] Bad bind_ip should fail, not listen on all addresses
Created: 16/Aug/14  Updated: 16/Feb/18  Resolved: 24/Sep/14

Status: Closed
Project: Core Server
Component/s: Networking, Security
Affects Version/s: None
Fix Version/s: 2.7.7

Type: Bug
Priority: Critical - P2
Reporter: Scott Hernandez (Inactive)
Assignee: Amalia Hawkins
Resolution: Done
Votes: 0
Labels: bind_ip, commandline, community-team, configuration, error-messages, port
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by SERVER-15656 Improve bind_ip handling of badly for... Closed
Related
related to SERVER-15630 Empty net.bindIp listens to all inter... Closed
related to SERVER-15656 Improve bind_ip handling of badly for... Closed
Tested
Backwards Compatibility: Minor Change
Operating System: ALL
Participants:

 Description   

Starting with a custom bind_ip which does not resolve should not be permitted.

$ ./mongod ... --bind_ip=foo
...
[initandlisten] options: { net: { bindIp: "foo", http: { RESTInterfaceEnabled: true, enabled: true } },...
[initandlisten] getaddrinfo("foo") failed: nodename nor servname provided, or not known
[initandlisten] waiting for connections on port 27017
[websvr] getaddrinfo("foo") failed: nodename nor servname provided, or not known
[websvr] admin web console waiting for connections on port 28017

As you can see above, even though the bind_ip is specified, the server still listens on all addresses, which could be a serious security or ops problem.

$ netstat -na | grep LIST
tcp4       0      0  *.28017                *.*                    LISTEN     
tcp4       0      0  *.27017                *.*                    LISTEN     

If there is any error resolving, or listening on, any of the bind_ip addresses, the server should fail to initialize, just like if the port is already used or not allowed to be used for the user/process trying to listen on it.

Here are some examples of similar errors:

// IP specified not valid on the host
[initandlisten] listen(): bind() failed errno:49 Can't assign requested address for socket: 127.1.1.1:27017
[websvr] listen(): bind() failed errno:49 Can't assign requested address for socket: 127.1.1.1:28017
... shutdown
// Protected port specified
[initandlisten] listen(): bind() failed errno:13 Permission denied for socket: 0.0.0.0:80
... shutdown

Having a better, and consistent, error message for all these cases might be nice as well, but first and foremost, the system should be stable and secure.
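
A fail-closed listener setup of the kind the report asks for, as an added example (not MongoDB's code and not the fix in the linked commit). `listenOnAll` and `BindResult` are hypothetical names, the sketch is IPv4-only, and any entry that is empty, does not resolve, or cannot be bound aborts startup and closes the sockets already opened.

```cpp
// Added illustration, not MongoDB's listener code; listenOnAll/BindResult are hypothetical names.
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>
struct BindResult {
    bool ok = false;
    std::string error;     // reason, set when ok == false
    std::vector<int> fds;  // listening sockets, one per bind_ip entry
};
// Fail closed: close every socket opened so far and report why startup must abort.
static BindResult fail(BindResult r, const std::string& why) {
    for (int fd : r.fds) close(fd);
    r.fds.clear(); r.error = why;
    return r;
}
// One listener per comma-separated bind_ip entry; extraFlags is OR-ed into ai_flags.
BindResult listenOnAll(const std::string& bindIpList, unsigned short port, int extraFlags = 0) {
    BindResult r;
    std::stringstream ss(bindIpList);
    std::string host, svc = std::to_string(port);
    while (std::getline(ss, host, ',')) {
        // A null/empty node with AI_PASSIVE means the wildcard address, so reject it.
        if (host.empty()) return fail(r, "empty bind_ip entry");
        addrinfo hints{}, *res = nullptr;
        hints.ai_family = AF_INET; hints.ai_socktype = SOCK_STREAM;  // IPv4 only (assumption)
        hints.ai_flags = AI_PASSIVE | extraFlags;
        int rc = getaddrinfo(host.c_str(), svc.c_str(), &hints, &res);
        if (rc != 0)  // the case in the report: never fall back to 0.0.0.0
            return fail(r, "getaddrinfo(\"" + host + "\") failed: " + gai_strerror(rc));
        int fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
        bool up = fd >= 0 && bind(fd, res->ai_addr, res->ai_addrlen) == 0 && listen(fd, 16) == 0;
        freeaddrinfo(res);
        if (!up) { if (fd >= 0) close(fd); return fail(r, "cannot listen on " + host); }
        r.fds.push_back(fd);
    }
    if (r.fds.empty()) return fail(r, "no bind_ip entries");
    r.ok = true;
    return r;
}
int main() {  // constructed input: one valid entry followed by the unresolvable "foo"
    BindResult r = listenOnAll("127.0.0.1,foo", 27017, AI_NUMERICHOST);
    std::puts(r.ok ? "listening" : r.error.c_str());
    return r.ok ? 0 : 1;
}
```

Passing `AI_NUMERICHOST` makes the resolver accept address literals only, so the constructed input above is rejected without a DNS lookup.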



 Comments   
Comment by Githook User [ 24/Sep/14 ]

Author: Amalia Hawkins (hawka) <amalia.hawkins@10gen.com>

Message: SERVER-14927: bad bind_ip should fail, not listen on all sockets
Branch: master
https://github.com/mongodb/mongo/commit/6fd2fe648071c2c55d8977b72e9e92907a933958

Generated at Thu Feb 08 03:36:23 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.