[SERVER-67261] Keyfile mode 640 should pass permission check
Created: 14/Jun/22 | Updated: 15/Jun/22 | Resolved: 15/Jun/22
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Lauri Võsandi |
| Assignee: | Chris Kelly |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Operating System: | ALL |
| Steps To Reproduce: | Set file owner to root and group to the group of the mongo user. Set file mode to 640. |
| Participants: |
| Description |

Keyfile owned by root:mongo with filesystem mode 640 should really pass the permissions check described here: https://github.com/mongodb/mongo/blob/5bbadc66ed462aed3cc4f5635c5003da6171c25d/src/mongo/db/auth/security_file.cpp#L80

| Comments |
| Comment by Chris Kelly [ 15/Jun/22 ] |

Hi Lauri,

Thanks for your report. Currently, I'd say this isn't an oversight since this is common practice for ssh private keys. The current permission requirements for MongoDB keyfiles are documented here. However, I can see how this restriction can complicate administration in some cases where you rely on group membership.

To get your suggestion on the radar, go ahead and request this change at feedback.mongodb.com. We're starting to direct new feature requests and improvements to that channel and preferring this JIRA project for bug reports specifically.

You may also want to search and post on the MongoDB Developer Community Forums, as it's possible there are others who have guidance on how to satisfy your use-case. I also found a workaround someone used for something with Git that looks potentially helpful for you here.

Regards,