[SERVER-7902] mongo shell should read /etc/mongorc.js at startup before $HOME/.mongorc.js

Created: 11/Dec/12 | Updated: 16/Nov/21 | Resolved: 07/May/13

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Admin, Security, Shell |
| Affects Version/s: | 2.2.0 |
| Fix Version/s: | 2.5.0 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Simon Harvey | Assignee: | Andreas Nilsson |
| Resolution: | Done | Votes: | 1 |
| Labels: | neweng |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | RHEL 6 |
| Description |
|
Our security requirements stipulate that banner text should be displayed at all points of access to critical systems to advise that unauthorised access is not allowed. This should be supported by the mongo shell which should allow a MongoDB administrator to specify a text file which will be shown as banner text every time someone uses the mongo shell - e.g. via a /etc/mongo file in a similar way to the /etc/motd file. |
| Comments |
| Comment by auto [ 07/May/13 ] |
|
Author: {u'date': u'2013-05-07T10:12:38Z', u'name': u'Tad Marshall', u'email': u'tad@10gen.com'}Message: |
| Comment by auto [ 06/May/13 ] |
|
Author: {u'date': u'2013-04-30T16:04:06Z', u'name': u'agralius', u'email': u'andreas.nilsson@10gen.com'}Message: The corresponding Windows path is |
| Comment by Johan Hedin [ 01/May/13 ] |
|
I'll vote for this one as well, it's a usable feature. @Eric's suggestion above sounds good to me. But let the name of the file that mongo should look for in /etc be mongorc.js (without the leading dot). Hidden files in /etc are confusing. |
| Comment by Simon Harvey [ 18/Apr/13 ] |
|
Eric - from my perspective I don't care about Windows. |
| Comment by Eric Milkie [ 18/Apr/13 ] |
|
We can make the shell always execute a file named "/etc/mongorc.js" if it exists. |
| Comment by Simon Harvey [ 18/Apr/13 ] |
|
The first option sounds fine, i.e. the mongo shell always running a file in /etc if it exists; we could put the banner text there and it would be protected and in one place on the server. It should not be possible for the user to avoid getting this banner if they connect via the mongo shell, although I appreciate there are numerous other ways they could connect to MongoDB and avoid it. |
| Comment by Matt Kalan [ 04/Apr/13 ] |
|
Simon, do you think it would be fine to make the shell look for a .mongorc.js in /etc/ and execute it automatically? Or would it work to symlink .mongorc.js in everyone's home directory to a common protected file somewhere? |
| Comment by Simon Harvey [ 02/Apr/13 ] |
|
Eric, I understand there would be ways of circumventing this, but all we are looking for is to have the mongo shell output the contents of a file such as /etc/mongo_banner (if it exists) when the shell command is invoked. Regards, Simon. |
| Comment by Eric Milkie [ 02/Apr/13 ] |
|
The mongo shell connects just like every other client driver; we can't send it a message to display from the server without major work. Also, you could just write your own mongo shell using the C++ driver and it wouldn't display the message, so the message would still not be unavoidable. |
| Comment by Matt Kalan [ 02/Apr/13 ] |
|
Yeah, it needs to be definite that it always appears so a user can't avoid it. It sounds like it would be best to configure text on the server that is sent to a Mongo shell client on connection. |
| Comment by Eric Milkie [ 02/Apr/13 ] |
|
Can using a .mongorc file satisfy this requirement? You can print the message using JavaScript in that file. You can still avoid running the file with a command-line parameter to the shell, however.
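
The thread settles on a "protected" /etc/mongorc.js that the shell executes as JavaScript for every user, so the file's ownership and mode matter as much as the banner text. The following is an added example, not code from this ticket or from the MongoDB project: a check an administrator could run against that file. The helper name `check_global_rc`, the policy (owned by root, no group/other write, world-readable) and the use of GNU `stat` are assumptions.

```shell
#!/bin/sh
# Added example: audit the global rc file that the mongo shell executes.
# Assumptions: GNU stat (as on RHEL); policy is root-owned, no group/other
# write bits, readable by everyone. check_global_rc is a hypothetical helper.
check_global_rc() {
    rc=${1:-/etc/mongorc.js}
    want_uid=${2:-0}          # expected owner uid, root by default

    # A symlink may resolve to a file outside the protected directory.
    if [ -L "$rc" ]; then
        echo "FAIL: $rc is a symlink"
        return 1
    fi
    if [ ! -f "$rc" ]; then
        echo "FAIL: $rc is missing or not a regular file"
        return 1
    fi

    uid=$(stat -c '%u' "$rc") || return 1
    mode=$(stat -c '%a' "$rc") || return 1
    perm=$((0$mode))          # leading 0: parse the mode as octal

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $rc owned by uid $uid, expected $want_uid"
        return 1
    fi
    # Group or other write would let a non-owner change code run by every user.
    if [ $((perm & 022)) -ne 0 ]; then
        echo "FAIL: $rc mode $mode is group/other writable"
        return 1
    fi
    # Without the other-read bit, unprivileged users' shells cannot load it.
    if [ $((perm & 004)) -eq 0 ]; then
        echo "FAIL: $rc mode $mode is not world-readable"
        return 1
    fi
    echo "OK: $rc uid=$uid mode=$mode"
    return 0
}
```

Calling `check_global_rc` with no arguments checks /etc/mongorc.js against root ownership; a non-zero return identifies the first failed condition.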