[SERVER-31550] Cannot disable secure allocation domains for the shell Created: 13/Oct/17 Updated: 08/Jan/24 Resolved: 06/Dec/18 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security, Shell |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Andrew Morrow (Inactive) | Assignee: | Sara Golemon |
| Resolution: | Duplicate | Votes: | 1 |
| Labels: | platforms_security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
|
| Operating System: | ALL |
| Steps To Reproduce: | Apply the following patch:
And then run the following test invocation:
The shell will crash with an assertion, since it is still trying to use secure allocation. |
| Sprint: | Platforms 2018-02-12, Security 2018-12-17 |
| Participants: |
| Description |
|
We can disable secure allocation when running the servers via the disabledSecureAllocatorDomains setParameter. This is useful when running the servers on systems where the user does not have the appropriate capabilities to invoke mlock. However, there is no available mechanism to disable the secure allocator when running the shell, which renders it unusable on such systems. |
| Comments |
| Comment by Sara Golemon [ 06/Dec/18 ] |
|
Somehow this got turned into a new ticket when we did the fix back in August. At the moment only that set parameter works on the shell. We plan to revisit enabling other set parameters over time, but baby steps... |
| Comment by Gregory McKeon (Inactive) [ 23/Jul/18 ] |
|
adam.cooper sync up with spencer.jackson before working on this more. |
| Comment by Michal Booth-Wrotkowski [X] [ 08/Feb/18 ] |
|
That works! Thank you |
| Comment by Spencer Jackson [ 08/Feb/18 ] |
|
Hi Booth-Wrotkowski, disabledSecureAllocatorDomains doesn't take '1' as an argument. Can you try running your mongod with --setParameter=disabledSecureAllocatorDomains=*, possibly with escaping for the '*'? |
| Comment by Michal Booth-Wrotkowski [X] [ 07/Feb/18 ] |
|
Andrew Morrow unfortunately it doesn't work for me. I'm using MongoDB 3.6.2 built from ports within a jail on FreeBSD 11.1.
Also when I check if disabledSecureAllocatorDomains is set correctly by:
returns me:
But when I'm for example creating user with command
Mongo is crashing with error log:
Is it something I missed or made wrong? |
| Comment by Andrew Morrow (Inactive) [ 17/Oct/17 ] |
|
weishan - Correct, you will not be able to opt out of secure allocation for the mongodb servers mongod and mongos with the disabledSecureAllocatorDomains facility unless you are running MongoDB 3.6 or newer. If we fix this bug, which is about the lack of support for that feature in the shell, for 3.6 GA, then the same would hold true for the shell. However, the shell is an interactive user program, so jailing it doesn't seem as important. You could certainly run the servers within a jail so that untrusted connections that managed to gain control over server execution were still contained in the jail, but run the shell to connect to the server for administrative tasks from outside the jail, where memory locking would be available. If we don't get this fixed for 3.6 GA (as is likely), we will fix it in the 3.7 development cycle, and then consider backporting it to 3.6.small. Longer term though, it would seem desirable for FreeBSD to offer support for memory locking within jails. |
| Comment by Wei Shan Ang [ 16/Oct/17 ] |
|
Hi Andrew, For people running mongod in a less privileged environment like FreeBSD jails, it is not possible to mlock inside the jail itself. As such, both mongod and mongo shell will not be able to disable this behaviour until MongoDB 3.6? |
| Comment by Andrew Morrow (Inactive) [ 16/Oct/17 ] |
|
Hi weishan - No, the disabledSecureAllocatorDomains feature is new on the master branch and will ship with MongoDB 3.6. We do not currently plan to backport this work because it is not a bugfix, and because there are workarounds for older branches (either configuring the system limits to allow more secure memory, or granting the user running the shell/server the required capabilities). |
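A preflight probe for the situation discussed in this thread, added here as an example (it is not code from MongoDB or from any commenter): it tries to mlock a few pages and reports which of the workarounds named above applies. The names `probe_mlock`, `classify_mlock_errno` and `lock_status` are hypothetical, and the errno meanings assumed are the POSIX ones for mlock.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

enum lock_status { LOCK_OK, LOCK_LIMIT, LOCK_NO_PRIVILEGE, LOCK_OTHER };

/* Map an mlock() errno (POSIX meanings, assumed) to the operator's next step. */
enum lock_status classify_mlock_errno(int err) {
    switch (err) {
    case 0:      return LOCK_OK;
    case ENOMEM:                            /* would exceed the locked-memory limit */
    case EAGAIN: return LOCK_LIMIT;         /* pages could not be locked right now */
    case EPERM:  return LOCK_NO_PRIVILEGE;  /* caller may not lock memory at all */
    default:     return LOCK_OTHER;
    }
}

/* Try to lock `pages` pages; returns 0 on success, otherwise the errno seen. */
int probe_mlock(size_t pages) {
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0 || pages == 0) return EINVAL;
    size_t len = pages * (size_t)ps;
    char *raw = malloc(len + (size_t)ps);   /* one spare page for alignment */
    if (raw == NULL) return ENOBUFS;        /* kept distinct from mlock's ENOMEM */
    uintptr_t aligned = ((uintptr_t)raw + (uintptr_t)ps - 1) & ~((uintptr_t)ps - 1);
    int err = 0;
    if (mlock((void *)aligned, len) != 0) err = errno;
    else munlock((void *)aligned, len);
    free(raw);
    return err;
}

int main(void) {
    static const char *advice[] = {
        "mlock works: secure allocation can stay enabled",
        "locked-memory limit too low: raise RLIMIT_MEMLOCK",
        "no privilege to lock memory: grant it, or on mongod/mongos 3.6+ set disabledSecureAllocatorDomains",
        "unexpected mlock failure: investigate before starting",
    };
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) == 0)
        printf("RLIMIT_MEMLOCK soft limit: %llu bytes\n", (unsigned long long)rl.rlim_cur);
    int err = probe_mlock(4);
    printf("mlock probe errno=%d: %s\n", err, advice[classify_mlock_errno(err)]);
    return classify_mlock_errno(err) == LOCK_OK ? 0 : 1;
}
```

Run it as the same user and inside the same jail or container as the server or shell, since the result depends on that process's limits and privileges.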
| Comment by Wei Shan Ang [ 16/Oct/17 ] |
|
Is this setParameter available in 3.2.17 yet?
mongod --setParameter=disabledSecureAllocatorDomains=1 --config /usr/local/etc/mongodb.conf.ws
Based on the output of db.runCommand( {setParameter:1,help:true}).help on 3.2.17, it is not yet available. Thanks! |