[SERVER-52537] Mongostat,mongotop and other similar mongo commands are showing password in plain text on linux ps commands Created: 21/Oct/20  Updated: 06/Nov/20  Resolved: 05/Nov/20

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Azhar Yousuf Assignee: Eric Sedor
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates TOOLS-2447 Improve processlist output Closed
Participants:

 Description   

Hi Team,

We are running a few mongo commands using a script, and during execution of those commands the password provided in the -p option appears in plain text when checked using the ps command on Linux, where the ps command is used to list the background processes running on Linux systems. If I am not wrong, when mongo commands are checked in ps, the -p parameter should censor the password as xxxx. However, in our case it is not working for mongostat, mongotop and a few other mongo commands, as follows:

 

$ ps -ef | grep mongostat

----------------------------
myuser 19499 16437 10 06:10 ? 00:00:00 /usr/bin/mongostat --quiet -u readonly -p mypassword@123 --authenticationDatabase admin -o host,insert,query,update,delete,set,repl -h ......... n 1

 

$ ps -ef | grep mongotop

------------------------------

myuser 7232 7108 1 06:13 ? 00:00:00 /usr/bin/mongotop --quiet -u readonly -p mypassword@123 --authenticationDatabase admin -h host:27720 -n 1

$ while true; do ps -ef | grep mongo | grep authenticationDatabase | grep -v mongostat | grep -v mongotop;done
---------------------------------------
root 19213 19202 0 06:15 ? 00:00:00 /usr/bin/mongo --ipv6 --quiet -u readonly -p mypassword@123 --authenticationDatabase admin --port 27717 --eval rs.status()

Mongo version used on our environment

[root@vm01 ~]# mongo --version
MongoDB shell version v3.6.17
git version: 3d6953c361213c5bfab23e51ab274ce592edafe6
OpenSSL version: OpenSSL 1.1.1c FIPS 28 May 2019
allocator: tcmalloc
modules: none
build environment:
distmod: rhel80
distarch: x86_64
target_arch: x86_64

 

[root@vm01~]# rpm -qa | grep mongo
mongodb-org-mongos-3.6.17-1.el8.x86_64
mongodb-org-tools-3.6.17-1.el8.x86_64
mongodb-org-3.6.17-1.el8.x86_64
mongodb-org-shell-3.6.17-1.el8.x86_64
mongodb-org-server-3.6.17-1.el8.x86_64

Kindly help us in hiding the information in ps commands, given the fact that mongo already has an option to hide these values.

 

Thanks and Regards,

Azhar

Kindly help us on how to avoid hiding the passwords in ps, given the fact it is already available in mongo.



 Comments   
Comment by Azhar Yousuf [ 06/Nov/20 ]

Hi Eric, thanks for your response. Yes, I will follow the ticket and hopefully it's getting fixed in the next release.
Currently I am using the following format for hiding the password and it is working fine:

password="mypassword"
mongostat="eval echo $password | /usr/bin/mongo --ipv6 --quiet -u readonly --authenticationDatabase admin"
$mongostat

I can use this $mongostat variable anywhere and it is working, and in the ps output I don't see the -P option or the password being echoed. So for now I will stick with this.

myuser 9670 1866 4 05:07 ? 00:00:00 /usr/bin/mongostat --quiet -u readonly --authenticationDatabase admin -o host,insert,query,update,delete,set,repl -h vm01:27717 -n 1

Comment by Eric Sedor [ 05/Nov/20 ]

Hi rizwiazhar@gmail.com, this is work we want to do and it is being tracked in TOOLS-2447. Can you please watch that ticket for updates? There is also a workaround suggestion there for passing the password from a file.

Comment by Massimiliano Marcon [ 02/Nov/20 ]

Moved this to the SERVER project (was initially opened in the MONGOSH project).

$mongosh already hides the command line arguments to prevent this issue.
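
A check for the exposure reported in this ticket, as an added example that is not part of the ticket or of MongoDB's tooling: it scans lines in ps -ef layout for mongo* processes that were started with a password value after -p or --password, and reports PID, tool and flag without printing the password. The function names, the sample lines and the examplepw value are constructed for illustration; only the separated "-p VALUE", "--password VALUE" and "--password=VALUE" forms are handled.

```shell
#!/usr/bin/env bash
# Added example: flag mongo* processes whose argv carries a password value.
# Input:  lines in `ps -ef` layout (UID PID PPID C STIME TTY TIME CMD...).
# Output: "<pid> <tool> <flag>" per finding; the password is never printed.

find_exposed_passwords() {
  awk '
    {
      # Field 8 is the executable; keep only its basename.
      n = split($8, path, "/"); tool = path[n]
      if (tool !~ /^mongo/) next
      for (i = 9; i <= NF; i++) {
        if ($i == "-p" || $i == "--password") {
          # A following token that is not another option is the password value.
          # A bare -p (interactive prompt) has no such token and is not flagged.
          if (i < NF && $(i + 1) !~ /^-/) { print $2, tool, $i; break }
        } else if ($i ~ /^--password=.+/) {
          print $2, tool, "--password"; break
        }
      }
    }'
}

# Constructed sample input, modelled on the ps lines quoted in the ticket.
sample_ps() {
  cat <<'EOF'
myuser 19499 16437 10 06:10 ? 00:00:00 /usr/bin/mongostat --quiet -u readonly -p examplepw --authenticationDatabase admin -n 1
myuser 7232 7108 1 06:13 ? 00:00:00 /usr/bin/mongotop --quiet -u readonly --password=examplepw -h host:27720 -n 1
myuser 9670 1866 4 05:07 ? 00:00:00 /usr/bin/mongostat --quiet -u readonly --authenticationDatabase admin -h vm01:27717 -n 1
root 19213 19202 0 06:15 ? 00:00:00 /usr/bin/mongo --quiet -u readonly -p --authenticationDatabase admin --port 27717
myuser 4100 1 0 06:20 ? 00:00:00 /usr/bin/grep -p mongostat
EOF
}

# On a live host: ps -ef | find_exposed_passwords
sample_ps | find_exposed_passwords
```

Because the tools in the ticket run for only a moment (-n 1), a single ps snapshot can miss them; the reporter's own while-loop polling shows the same limitation.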
