[SERVER-39947] mongod/mongos socket should be world-accessible if server is listening on a TCP port
Created: 04/Mar/19  Updated: 27/Oct/23  Resolved: 26/Mar/19

Status: Closed
Project: Core Server
Component/s: Networking
Affects Version/s: 4.1.8
Fix Version/s: None

Type: Improvement
Priority: Minor - P4
Reporter: Oleg Pudeyev (Inactive)
Assignee: Jonathan Reams
Resolution: Works as Designed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Sprint: Security 2019-03-25, Security 2019-04-08
Participants:

 Description   

By default, mongod/mongos creates its socket with 0700 permissions:

speed% ls -l /tmp/mongodb-27017.sock
srwx------ 1 sandbox sandbox 0 Mar  4 13:13 /tmp/mongodb-27017.sock

This means in order to use the server via the socket, if the server is running as its own user, one has to adjust socket permissions.

The restrictive socket permissions add no security if mongod/mongos is also listening on a TCP port, as any local user is able to connect to the server via TCP. Therefore if the server is listening on a TCP port, it should create the socket with 0666 permissions.

I imagine an administrator can configure a local firewall to deny local access to TCP ports, but this is a very uncommon situation and someone doing something like this would surely not only audit socket permissions, but also configure mongod to put its sockets into directories which are not world-accessible as an additional layer of security.



 Comments   
Comment by Jonathan Reams [ 26/Mar/19 ]

Since mongod listens on a TCP port by default - in fact it's not easy to make mongod not listen on a TCP port - this request is, in effect, to change the default permissions back to being more permissive. Because strengthening our default permissions was requested externally, and has resulted in documentation changes, I don't think we should change it back. We have an easy configuration option to set the permissions of the socket to whatever a user needs and the most common deployment of mongod is to listen on TCP, so I think it makes sense to have the unix socket be more restrictive by default.

Comment by Oleg Pudeyev (Inactive) [ 04/Mar/19 ]

Docs to adjust permissions: https://docs.mongodb.com/manual/reference/configuration-options/index.html#net.unixDomainSocket.filePermissions

Given that the filePermissions setting exists, I would say a reasonable default for it would be 0666 if mongod/mongos is listening on a TCP socket, and 0600 otherwise. To my knowledge there is no reason to have the execute bit set on sockets.

Comment by Danny Hatcher (Inactive) [ 04/Mar/19 ]

In SERVER-13022 this was changed from a default of 0777 to be 0700. As that is an old ticket, do we have any interest in re-evaluating that setting?
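
The permission cases discussed in this ticket (0700 default, 0666, and a socket placed in a directory that is not world-accessible), as an added example that is not part of the ticket or of MongoDB's code. It assumes Linux semantics for Unix socket permissions; `audit_unix_socket` and `demo` are hypothetical names, and the socket is a constructed sample created in a temporary directory.

```python
import os
import socket
import stat
import tempfile


def audit_unix_socket(path):
    """Report who can connect to a Unix domain socket, judged from mode bits.

    Assumes Linux: connect() needs write permission on the socket file and
    search permission on its directory (only the immediate parent is checked).
    """
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a Unix domain socket")
    mode = stat.S_IMODE(st.st_mode)
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    return {
        "mode": f"{mode:04o}",
        "other_can_connect": bool(mode & stat.S_IWOTH)
        and bool(parent.st_mode & stat.S_IXOTH),
        # The thread notes there is no reason for execute bits on a socket.
        "exec_bits_set": bool(mode & 0o111),
    }


def demo():
    """Constructed sample: a socket named like mongod's, in a temp directory."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "mongodb-27017.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    results = []
    try:
        # (directory mode, socket mode) pairs matching the cases in the thread.
        for dir_mode, sock_mode in ((0o755, 0o700), (0o755, 0o666), (0o700, 0o666)):
            os.chmod(tmpdir, dir_mode)
            os.chmod(path, sock_mode)
            results.append(audit_unix_socket(path))
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(tmpdir)
    return results


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The third case shows a 0666 socket that other users still cannot reach because its directory is not searchable by them.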
