[SERVER-31928] MongoDB 3.4.2 does not tighten world-readable permissions on pre-existing .dbshell file Created: 12/Nov/17  Updated: 27/Oct/23  Resolved: 29/Nov/17

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 3.4.2
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Bar Ronen Assignee: Ramon Fernandez Marina
Resolution: Works as Designed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL
Participants:

 Description   

After you announced the issue got fixed in the SERVER-25335 issue (https://jira.mongodb.org/browse/SERVER-25335), I found the world-readable permissions problem with the .dbshell file still exists in MongoDB 3.4.2, which I have in my network.

In the issue below, you fixed it on the 3.2 version of MongoDB. Please recheck it.

Bar



 Comments   
Comment by Ramon Fernandez Marina [ 29/Nov/17 ]

barronen1, I can confirm that, when the .dbshell file already exists, newer versions of MongoDB do not update its permissions – it's only when the file doesn't exist that it's created with 600 permissions. The two workarounds mentioned above should help if you need tighter permissions.

I've updated the ticket's summary to reflect the scenario you encountered (permissions on a pre-existing file not being updated), and resolving the ticket since:

  • this is the minimally-intrusive behavior designed in SERVER-25335
  • there are two simple workarounds for users needing tighter permissions

Regards,
Ramón.

Comment by Ramon Fernandez Marina [ 13/Nov/17 ]

I misread the version you're using as 3.2.4 – my apologies.

I do believe the change in SERVER-25335 only sets more restrictive permissions when creating the file, but if the file exists already it will not change permissions to 600 – I'll check, but if that's the case then this is expected behavior.

As Eric points out, you can delete the file; alternatively, you can chmod 600 ~/.dbshell if you need more restrictive permissions for this file.

Comment by Eric Milkie [ 13/Nov/17 ]

You could also delete the .dbshell file and it will be recreated the next time you launch the shell, with the new restricted permissions. (You would lose all your command line history if you did that.)

Comment by Bar Ronen [ 13/Nov/17 ]

I understand,
so if I had a MongoDB version earlier than 3.2.14 (before the fix), and then upgraded to 3.4.2, maybe the .dbshell file permissions stayed the same because of the upgrade, and only re-installing the system will apply the fix?

Comment by Ramon Fernandez Marina [ 12/Nov/17 ]

barronen1, SERVER-25335 got fixed in 3.2.14 – if you're using 3.2.4 the behavior you describe is expected, and you need to upgrade to 3.2.14.

If you'll be upgrading, I'd recommend you move to MongoDB 3.4, which also includes a fix for this issue and will allow you to more easily upgrade to MongoDB 3.6 in the future.

Regards,
Ramón.
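
The chmod 600 workaround from the comments above, extended into a check that can be run over several home directories. This is an added example, not part of the ticket or of MongoDB's code; the function names and the FIX switch are assumptions, and symlinks are reported rather than changed because chmod would act on the link target.

```shell
#!/bin/sh
# Added example: audit pre-existing mongo shell history files and tighten
# them to 600. Function names and the FIX switch are assumptions.

# Print one of: missing, symlink, not-regular, ok, loose.
dbshell_status() {
    f=$1
    if [ -L "$f" ]; then echo symlink; return; fi
    if [ ! -e "$f" ]; then echo missing; return; fi
    if [ ! -f "$f" ]; then echo not-regular; return; fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    go_bits=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$go_bits" = "------" ]; then echo ok; else echo loose; fi
}

# Apply the ticket's workaround (chmod 600) only to a loose regular file.
# Prints "fixed" on success, otherwise the unchanged status.
dbshell_fix() {
    f=$1
    st=$(dbshell_status "$f")
    if [ "$st" = loose ]; then
        chmod 600 -- "$f" && st=fixed
    fi
    echo "$st"
}

# Report "<status> <path>" for each home directory; change files only if FIX=1.
dbshell_audit() {
    for home in "$@"; do
        f=$home/.dbshell
        if [ "${FIX:-0}" = 1 ]; then
            printf '%s %s\n' "$(dbshell_fix "$f")" "$f"
        else
            printf '%s %s\n' "$(dbshell_status "$f")" "$f"
        fi
    done
}

# Run stand-alone as: sh audit.sh /home/alice /home/bob   (report only)
#                 or: FIX=1 sh audit.sh "$HOME"           (tighten)
if [ "$#" -gt 0 ]; then dbshell_audit "$@"; fi
```

Unlike deleting the file, this keeps the existing shell history.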

Generated at Thu Feb 08 04:28:37 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.