<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 03:36:50 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-15068] Processes that read sensitive files should be able to change user after reading/opening said files</title>
                <link>https://jira.mongodb.org/browse/SERVER-15068</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;It should be possible to configure processes like mongod and mongos, which sometimes need to read sensitive files like PEM and key files, to change the user they&apos;re running as after reading those files. If it is intended that mongod/mongos be able to run on privileged ports then binding to those ports should also happen before changing user.&lt;/p&gt;

&lt;p&gt;The use case would be to allow sensitive files to be owned by root, start these processes as root, but then have them quickly change to running as an unprivileged user (e.g. mongodb) after reading the sensitive files or performing other privileged operations. Of particular interest would be the following files configurable through the command-line:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;keyFile&lt;/li&gt;
	&lt;li&gt;sslPEMKeyFile&lt;/li&gt;
	&lt;li&gt;sslClusterFile&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;We can&apos;t protect against in-memory access, but we can still up the bar and make grabbing the secrets require the more sophisticated skill of accessing and decoding RAM rather than just using cat to read the key for cracking offline. Increasing security by requiring different skillsets to pull off an attack can be an effective technique. For example, the guy who knows how to exploit V8 and JavaScript would likely find it easy to then issue shell commands and use an offline cracking tool, but is less likely to know how to access and then decode RAM.&lt;br/&gt;
&lt;em&gt;NOTE: I know of no V8/JavaScript exploit; I&apos;m just using it as a plausible example of an attack that you might imagine someone pulling off who doesn&apos;t know how to or wouldn&apos;t think to try to read the data from RAM.&lt;/em&gt;&lt;/p&gt;</description>
                <environment></environment>
        <key id="155233">SERVER-15068</key>
            <summary>Processes that read sensitive files should be able to change user after reading/opening said files</summary>
                <type id="2" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14711&amp;avatarType=issuetype">New Feature</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="2">Won&apos;t Fix</resolution>
                                        <assignee username="andreas.nilsson">Andreas Nilsson</assignee>
                                    <reporter username="andrew.ryder@mongodb.com">Andrew Ryder</reporter>
                        <labels>
                    </labels>
                <created>Thu, 28 Aug 2014 04:04:18 +0000</created>
                <updated>Fri, 21 Aug 2015 12:01:57 +0000</updated>
                            <resolved>Wed, 19 Aug 2015 23:18:57 +0000</resolved>
                                    <version>2.6.3</version>
                    <version>2.7.5</version>
                                                    <component>Security</component>
                                        <votes>6</votes>
                                    <watches>9</watches>
                                                                                                                <comments>
                            <comment id="1010741" author="tim.olsen@10gen.com" created="Thu, 20 Aug 2015 14:50:55 +0000"  >&lt;p&gt;The automation agent will use the cluster auth PEM file (passed via --sslClusterFile) for authenticating to mongod and mongos processes when cluster auth is being used.  It currently does not use the PEM file passed via --sslPEMKeyFile (and there are no plans to do so).&lt;/p&gt;</comment>
                            <comment id="1010243" author="ramon.fernandez" created="Wed, 19 Aug 2015 23:18:41 +0000"  >&lt;p&gt;I just realized that to implement this feature as described the following condition must hold: sensitive files must be read by &lt;tt&gt;mongod&lt;/tt&gt;/&lt;tt&gt;mongos&lt;/tt&gt; only at startup, and never during normal operation. It seems that &lt;tt&gt;mongod&lt;/tt&gt; does satisfy this condition, but this requirement may not have been part of the original design so I can&apos;t assert that this behavior is intended. Same thing for &lt;tt&gt;mongos&lt;/tt&gt;.&lt;/p&gt;

&lt;p&gt;Let&apos;s suppose for a moment that this condition is true, and these files are only read at startup. In this case a potential workaround would be to make these sensitive files available to &lt;tt&gt;mongod&lt;/tt&gt;/&lt;tt&gt;mongos&lt;/tt&gt; before startup via init scripts run with elevated privileges. After startup, these files can be made unavailable again (e.g.: via &lt;tt&gt;chmod&lt;/tt&gt;) &amp;#8211; this should address the security concerns raised in this ticket&apos;s description.&lt;/p&gt;

&lt;p&gt;It&apos;s worth noting that the &lt;a href=&quot;https://docs.cloud.mongodb.com/tutorial/nav/automation-agent/&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;Automation Agent&lt;/a&gt; may need access to some of these files as well to authenticate to clusters, so either implementing the feature requested in this ticket or the workaround described above would need to take into account the Agent as well.&lt;/p&gt;

&lt;p&gt;Regards,&lt;br/&gt;
Ram&#243;n.&lt;/p&gt;</comment>
                            <comment id="1010163" author="ramon.fernandez" created="Wed, 19 Aug 2015 22:04:08 +0000"  >&lt;p&gt;Apologies for the long delay in following up here. This request requires &lt;tt&gt;mongod&lt;/tt&gt; and &lt;tt&gt;mongos&lt;/tt&gt; to be able to run with superuser privileges for the sole purpose of accessing specific files and running on privileged ports. This adds a lot of complexity and may open the door to security-related problems (as sendmail&apos;s history can show).&lt;/p&gt;

&lt;p&gt;In the case of sensitive files, they can be owned by the &lt;tt&gt;mongod&lt;/tt&gt; user and secured with the right permissions. That leaves the case of running on a privileged port, which we don&apos;t believe is a compelling use case.&lt;/p&gt;

&lt;p&gt;I&apos;m therefore going to close this ticket. If a strong case is put forth to add this functionality we can always re-open this ticket and discuss options.&lt;/p&gt;

&lt;p&gt;Regards,&lt;br/&gt;
Ram&#243;n.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                                                <inwardlinks description="is related to">
                                                        </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>3.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Thu, 28 Aug 2014 14:25:24 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        8 years, 25 weeks, 6 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>ramon.fernandez@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            8 years, 25 weeks, 6 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>andreas.nilsson</customfieldvalue>
            <customfieldvalue>andrew.ryder@mongodb.com</customfieldvalue>
            <customfieldvalue>ramon.fernandez@mongodb.com</customfieldvalue>
            <customfieldvalue>tim.olsen@mongodb.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrlozb:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hs1rf3:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>134894</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hsgowv:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>