[SERVER-31928] MongoDB 3.4.2 does not tighten world-readable permissions on pre-existing .dbshell file Created: 12/Nov/17 Updated: 27/Oct/23 Resolved: 29/Nov/17 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 3.4.2 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Bar Ronen | Assignee: | Ramon Fernandez Marina |
| Resolution: | Works as Designed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Operating System: | ALL |
| Participants: |
| Description |
|
After you announced the issue got fixed in In the issue below, you fixed it on on 3.2 version of MongoDB. Please recheck it. Bar |
| Comments |
| Comment by Ramon Fernandez Marina [ 29/Nov/17 ] |
|
barronen1, I can confirm that, when the .dbshell file already exists, newer versions of MongoDB do not update its permissions – it's only when the file doesn't exist that it's created with 600 permissions. The two workarounds mentioned above should help if you need tighter permissions. I've updated the ticket's summary to reflect the scenario you encountered (permissions on a pre-existing file not being updated), and resolving the ticket since:
Regards, |
| Comment by Ramon Fernandez Marina [ 13/Nov/17 ] |
|
I misread the version you're using as 3.2.4 – my apologies. I do believe the change in As Eric points out, you can delete the file; alternatively, you can chmod 600 ~/.dbshell if you need more restrictive permissions for this file. |
| Comment by Eric Milkie [ 13/Nov/17 ] |
|
You could also delete the .dbshell file and it will be recreated the next time you launch the shell, with the new restricted permissions. (You would lose all your command line history if you did that.) |
| Comment by Bar Ronen [ 13/Nov/17 ] |
|
I understand, |
| Comment by Ramon Fernandez Marina [ 12/Nov/17 ] |
|
barronen1, If you'll be upgrading, I'd recommend you move to MongoDB 3.4, which also includes a fix for this issue and will allow you to more easily upgrade to MongoDB 3.6 in the future. Regards, |