[SERVER-31901] Empty paths in config file should not be treated as relative path Created: 10/Nov/17  Updated: 06/Dec/22

Status: Backlog
Project: Core Server
Component/s: Internal Code
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Kevin Pulo Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 0
Labels: former-quick-wins
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams:
Server Security
Backwards Compatibility: Fully Compatible
Sprint: Service arch 2020-10-05
Participants:
Case:

 Description   

Some config options specify the path to a file. Some of these treat an empty value as a relative path, which causes the option value to be the current working directory. This is normally not useful or intentional, and is likely to result in a cryptic error message later when the code attempts to use (what it expects to be) a file. Instead, the empty option value should be detected directly, and a straightforward error message returned.

For example, if the config file inadvertently contains:

...
security:
    keyFile:
...

Then this can result in the following misleading error message(s):

$ mongod --config test.conf
2017-11-10T14:16:12.547+1100 I ACCESS   [main] permissions on /home/kev are too open
$ mkdir test
$ cd test
$ chmod 700 .
$ mongod --config ~/test.conf
2017-11-10T14:16:16.846+1100 I ACCESS   [main] error reading file: /home/kev/test

These error messages are not particularly useful in figuring out that the problem is that security.keyFile is empty.

The same is true with the command-line options:

$ mongod --keyFile ""
2017-11-10T14:17:26.763+1100 I ACCESS   [main] permissions on /home/kev are too open
$ cd test
$ mongod --keyFile ""
2017-11-10T14:17:31.047+1100 I ACCESS   [main] error reading file: /home/kev/test

The problem is that if keyFile has been set, then even if the value is an empty string, it still gets passed to boost::filesystem::absolute:

    if (params.count("security.keyFile")) {
        serverGlobalParams.keyFile =
            boost::filesystem::absolute(params["security.keyFile"].as<string>()).generic_string();
        serverGlobalParams.authState = ServerGlobalParams::AuthState::kEnabled;
    }

The value needs to be checked, and the user informed directly that an empty value is invalid, e.g.:

    if (params.count("security.keyFile")) {
        auto keyFile = params["security.keyFile"].as<string>();
        if (keyFile.empty()) {
            return Status(ErrorCodes::BadValue, "--keyFile cannot be empty");
        }
        serverGlobalParams.keyFile = boost::filesystem::absolute(keyFile).generic_string();
        serverGlobalParams.authState = ServerGlobalParams::AuthState::kEnabled;
    }

Other similarly affected config options:
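
Added example (not from the ticket or the MongoDB source): the empty-value check above, generalized to any set of path-valued options so that every empty one is reported in a single run. It uses a simplified stand-in for boost::filesystem::absolute; the names makeAbsolute, PathCheck, resolvePathOption, checkPathOptions and the option example.otherPath are hypothetical.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Simplified stand-in for boost::filesystem::absolute (POSIX-style paths only):
// a relative value is appended to `cwd`, so an empty value resolves to `cwd` itself.
std::string makeAbsolute(const std::string& value, const std::string& cwd) {
    if (!value.empty() && value[0] == '/') return value;
    return value.empty() ? cwd : cwd + "/" + value;
}

// Hypothetical result type; the server code on this page returns a Status instead.
struct PathCheck {
    bool ok;
    std::string text;  // absolute path when ok, error message otherwise
};

// Reject an empty value before it can be resolved to the working directory.
PathCheck resolvePathOption(const std::string& name, const std::string& value,
                            const std::string& cwd) {
    if (value.empty()) return {false, name + " cannot be empty"};
    return {true, makeAbsolute(value, cwd)};
}

// Check every path-valued option that was set and collect all errors,
// so that one run reports every empty option, not just the first.
std::vector<std::string> checkPathOptions(std::map<std::string, std::string>& params,
                                          const std::vector<std::string>& pathOptions,
                                          const std::string& cwd) {
    std::vector<std::string> errors;
    for (const auto& name : pathOptions) {
        auto it = params.find(name);
        if (it == params.end()) continue;  // option not set: nothing to resolve
        PathCheck r = resolvePathOption(name, it->second, cwd);
        if (r.ok) it->second = r.text; else errors.push_back(r.text);
    }
    return errors;
}

int main() {
    // Constructed sample input; "example.otherPath" is a made-up option name.
    std::map<std::string, std::string> params = {
        {"security.keyFile", ""}, {"example.otherPath", "keys/other"}};
    for (const auto& e : checkPathOptions(params, {"security.keyFile", "example.otherPath"}, "/home/kev"))
        std::cerr << e << "\n";
    return 0;
}
```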



 Comments   
Comment by Gabriel Russell (Inactive) [ 03/Nov/20 ]

As per my conversation with sara.golemon, I'm bouncing this to the security team. Feel free to bounce this back, either whole or with a narrower or broader scope.
