[SERVER-67261] Keyfile mode 640 should pass permission check
Created: 14/Jun/22  Updated: 15/Jun/22  Resolved: 15/Jun/22

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Lauri Võsandi
Assignee: Chris Kelly
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL
Steps To Reproduce:

Set file owner to root and group to the group of mongo user.

Set file mode to 640.

 Description   

Keyfile owned by root:mongo with filesystem mode 640 should really pass the permissions check described here: https://github.com/mongodb/mongo/blob/5bbadc66ed462aed3cc4f5635c5003da6171c25d/src/mongo/db/auth/security_file.cpp#L80



 Comments   
Comment by Chris Kelly [ 15/Jun/22 ]

Hi Lauri,

Thanks for your report. Currently, I'd say this isn't an oversight since this is common practice for ssh private keys. The current permission requirements for MongoDB keyfiles are documented here. However, I can see how this restriction can complicate administration in some cases where you rely on group membership.

To get your suggestion on the radar, go ahead and request this change at feedback.mongodb.com. We're starting to direct new feature requests and improvements to that channel and preferring this JIRA project for bug reports specifically.

You may also want to search and post on the MongoDB Developer Community Forums, as it's possible there are others who have guidance on how to satisfy your use-case. I also found a workaround someone used for something with Git that looks potentially helpful for you here.

Regards,
Christopher
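
As an added example (not MongoDB's code and not part of the ticket): a pre-flight audit of a keyfile, assuming the check rejects any group or other permission bit, the rule ssh applies to private keys. `audit_keyfile`, `service_uid` and the sample key bytes are hypothetical names and constructed values.

```python
import os
import stat
import tempfile

# Assumption: the check rejects any group or other permission bit,
# the same rule ssh applies to private keys.
TOO_OPEN = stat.S_IRWXG | stat.S_IRWXO


def audit_keyfile(path, service_uid):
    """Return findings for a keyfile; an empty list means it passes.

    service_uid (hypothetical parameter) is the uid the database runs as.
    """
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & TOO_OPEN:
        findings.append(f"mode {mode:03o} is too open: clear bits {mode & TOO_OPEN:03o}")
    if not mode & stat.S_IRUSR:
        findings.append(f"mode {mode:03o} does not let the owner read the file")
    # With owner-only access, a non-root service must own the file itself;
    # root:<group> ownership only works if group read were accepted.
    if service_uid != 0 and st.st_uid != service_uid:
        findings.append(f"owner uid {st.st_uid} is not the service uid {service_uid}")
    return findings


def demo():
    """Audit a constructed temporary keyfile under several modes."""
    results = {}
    with tempfile.NamedTemporaryFile() as f:
        f.write(b"constructed-sample-key-material\n")
        f.flush()
        for mode in (0o640, 0o600, 0o400):
            os.chmod(f.name, mode)
            results[f"{mode:03o}"] = audit_keyfile(f.name, os.getuid())
    return results


if __name__ == "__main__":
    for mode, findings in demo().items():
        print(mode, "PASS" if not findings else findings)
```

Under this rule a root-owned 640 file fails twice for a non-root service: once on the group bit and, once that bit is cleared, on ownership.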
