[SERVER-7583] Different users in same unix group can't run mongod against single db owned by that group Created: 07/Nov/12  Updated: 07/Apr/23  Resolved: 10/Nov/12

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Critical - P2
Reporter: Bobby J Assignee: Akshay Kumar
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
Operating System: ALL
Participants:

 Description   

I'd like to let different users (call them jack & jane) launch mongod using the same dbpath (call it /datadir). Here's what I try:
1) chown all the files in /datadir to jack:mongogroup
2) chmod -R g+rw /datadir
3) useradd jack and jane to mongogroup.

When I launch mongod --dbpath=/datadir as jack, things are fine. But when I try to relaunch mongod as jane, I get errors like this:
Wed Nov 7 00:30:43 [initandlisten] warning couldn't write to / rename file /datadir/journal/prealloc.0: couldn't open file /datadir/journal/prealloc.0 for writing errno:1 Operation not permitted
Wed Nov 7 00:30:43 [initandlisten] couldn't open /datadir/sample.ns errno:1 Operation not permitted

This doesn't seem to be (simply) a permissions issue. If I make a mistake on permissions, I get "errno:13 Permission denied", instead of "errno:1 Operation not permitted". Also, jane can read/write test files in that directory as expected (aside from launching mongod).



 Comments   
Comment by Akshay Kumar [ 12/Nov/12 ]

Robert,

The simplest effective way to do this is to use sudo.

Best,
Akshay

Comment by Bobby J [ 11/Nov/12 ]

Akshay, that does the trick, thanks!

But now, as Jason predicted, jane has to chmod g+rw before jack can use again – which is a problem for us. (Can I tell mongod to open new files with mode 660?)

So stepping back: what is the recommended way to enable multiple (non-root) users to launch mongod in a shared environment?

Comment by Akshay Kumar [ 10/Nov/12 ]

Hi Robert,

You are absolutely correct, it won't work. Here is why:

mongod opens database files using the O_NOATIME flag to the open system call so that we don't update the access time on each read. open with O_NOATIME only works if the effective UID (FSUID on Linux) is 0, matches the owner of the file or the caller is privileged (CAP_FOWNER). O_NOATIME behaves this way for security reasons. Hence the failure.

There are other better ways to do what you are trying to accomplish but if you really want to go this route here is how you do it. Use POSIX Capabilities in Linux.

#setcap cap_fowner+ep /usr/bin/mongod

Best,
Akshay

Comment by J Rassi [ 09/Nov/12 ]

Can you paste the full output of "ls -alR /datadir"?

As a sidenote: before starting MongoDB again as a different user, you need to chmod g+rw all files in the data directory, even if you setgid the directory. Any new files MongoDB opens are created with mode 600; these will be owned by the "wrong" user when you start it again.

Comment by Bobby J [ 08/Nov/12 ]

Pretty sure... jane can read/write test files with the same permissions in the directory, she just can't launch mongod. What could I be missing? Here are the permissions in ./journal

drwxrwsr-x 2 jack mongogroup 4.0K Nov 8 01:01 .
drwxrwsr-x 3 jack mongogroup 4.0K Nov 8 01:00 ..
rw-rw--- 1 jack mongogroup 1.0G Nov 8 00:52 prealloc.0
rw-rw--- 1 jack mongogroup 1.0G Nov 8 00:52 prealloc.1
rw-rw--- 1 jack mongogroup 1.0G Nov 6 16:22 prealloc.2

> grep mongogroup /etc/group
mongogroup:x:1006:jack,jane,mongodb

But error remains same as above.

Comment by Eliot Horowitz (Inactive) [ 08/Nov/12 ]

Are you sure jane has access to journal?
This is almost definitely a permissions issue as we don't do anything with users, its just standard posix calls.

Generated at Thu Feb 08 03:14:58 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.