<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-41633] Ability to assign audit file permissions based on mongod&apos;s user group (not user)</title>
                <link>https://jira.mongodb.org/browse/SERVER-41633</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;Current audit configuration:&#160;&lt;/p&gt;

&lt;p&gt;&lt;tt&gt;auditLog:&lt;/tt&gt;&#160;&lt;br/&gt;
&#160;&lt;tt&gt;&#160; &#160;destination: file&lt;/tt&gt;&#160;&lt;br/&gt;
&#160;&lt;tt&gt;&#160; &#160;format: JSON&lt;/tt&gt;&#160;&lt;br/&gt;
&#160;&lt;tt&gt;&#160; &#160;path: /data/mongodb/audit/mongo_audit.log&lt;/tt&gt;&#160;&lt;/p&gt;

&lt;p&gt;Files are rotated by sending SIGUSR1 to the mongod&apos;s PID.&#160;&lt;/p&gt;

&lt;p&gt;When using the audit feature, we want the audit file to have r/w permissions for the mongod group and not only the mongod user itself.&lt;/p&gt;

&lt;p&gt;Currently we are using the flag&#160;&lt;tt&gt;honorSystemUmask:true&lt;/tt&gt;, but we want to stop using it so that not every user on the machine has access to the audit file.&lt;/p&gt;</description>
                <environment></environment>
        <key id="796381">SERVER-41633</key>
            <summary>Ability to assign audit file permissions based on mongod&apos;s user group (not user)</summary>
                <type id="2" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14711&amp;avatarType=issuetype">New Feature</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13201">Fixed</resolution>
                                        <assignee username="sara.golemon@mongodb.com">Sara Golemon</assignee>
                                    <reporter username="barak.gilboa@imperva.com">barak gilboa</reporter>
                        <labels>
                    </labels>
                <created>Tue, 11 Jun 2019 12:58:24 +0000</created>
                <updated>Sun, 29 Oct 2023 22:20:07 +0000</updated>
                            <resolved>Fri, 16 Aug 2019 14:59:13 +0000</resolved>
                                                    <fixVersion>4.3.1</fixVersion>
                                    <component>Logging</component>
                                        <votes>0</votes>
                                    <watches>8</watches>
                                                                                                                <comments>
                            <comment id="2375027" author="xgen-internal-githook" created="Fri, 16 Aug 2019 14:53:36 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;username&apos;: &apos;sgolemon&apos;, &apos;email&apos;: &apos;sara.golemon@mongodb.com&apos;, &apos;name&apos;: &apos;Sara Golemon&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-41633&quot; title=&quot;Ability to assign audit file permissions based on mongod&amp;#39;s user group (not user)&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-41633&quot;&gt;&lt;del&gt;SERVER-41633&lt;/del&gt;&lt;/a&gt; Allow overriding system umask for group/other from process startup&lt;/p&gt;

&lt;p&gt;CodeReview: 488750005&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/ea1dd7a54b7b7bcae7f9ad15a547ed0ee3d4348b&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/ea1dd7a54b7b7bcae7f9ad15a547ed0ee3d4348b&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="2348897" author="daniel.hatcher" created="Mon, 29 Jul 2019 20:52:46 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=barak.gilboa%40imperva.com&quot; class=&quot;user-hover&quot; rel=&quot;barak.gilboa@imperva.com&quot;&gt;barak.gilboa@imperva.com&lt;/a&gt;, would you be able to provide your use case?&lt;/p&gt;</comment>
                            <comment id="2296725" author="spencer.jackson@10gen.com" created="Tue, 25 Jun 2019 15:36:26 +0000"  >&lt;p&gt;Our artificial umasks are restrictive in order to provide more secure defaults.&lt;br/&gt;
It sounds like the fundamental issue you are experiencing is related to umask management, and I&apos;m interested in capturing information about your use case. Can you describe why it is not feasible for you to change the umask of the process?&lt;/p&gt;</comment>
                            <comment id="2296581" author="barak.gilboa@imperva.com" created="Tue, 25 Jun 2019 14:38:35 +0000"  >&lt;p&gt;Is it on purpose that you don&apos;t want to give read permission to the mongod group?&lt;br/&gt;
It&apos;s not feasible for us to change the umask of the process.&lt;/p&gt;</comment>
                            <comment id="2294817" author="spencer.jackson@10gen.com" created="Mon, 24 Jun 2019 15:14:24 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=barak.gilboa%40imperva.com&quot; class=&quot;user-hover&quot; rel=&quot;barak.gilboa@imperva.com&quot;&gt;barak.gilboa@imperva.com&lt;/a&gt; I believe it should be possible to obtain the desired behavior by enabling &lt;tt&gt;honorSystemUmask&lt;/tt&gt;, and then configuring a non-default &lt;tt&gt;umask&lt;/tt&gt; for your server process. To obtain your desired set of permissions of &lt;tt&gt;660&lt;/tt&gt; for newly created files, you should be able to set your umask to &lt;tt&gt;117&lt;/tt&gt;.&lt;/p&gt;</comment>
                            <comment id="2294146" author="barak.gilboa@imperva.com" created="Sun, 23 Jun 2019 11:51:46 +0000"  >&lt;p&gt;Hi Jackson.&lt;/p&gt;

&lt;p&gt;As described above, the reason we don&apos;t want to use the&#160;&lt;tt&gt;honorSystemUmask&lt;/tt&gt;&#160;flag is that we don&apos;t want all the users on the machine to have permission to view this file.&lt;br/&gt;
For that reason we want the created file to have R/W only for the user itself and its group (660).&lt;/p&gt;

&lt;p&gt;Thanks,&lt;/p&gt;

&lt;p&gt;Barak&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;</comment>
                            <comment id="2288909" author="spencer.jackson@10gen.com" created="Tue, 18 Jun 2019 19:22:43 +0000"  >&lt;p&gt;The behavior you are observing was explicitly implemented to provide secure defaults in &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-11887&quot; title=&quot;Default file permissions on mongod and audit logs&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-11887&quot;&gt;&lt;del&gt;SERVER-11887&lt;/del&gt;&lt;/a&gt; and &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-36977&quot; title=&quot;Initial mongod.log is created using umask vs mode 600&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-36977&quot;&gt;&lt;del&gt;SERVER-36977&lt;/del&gt;&lt;/a&gt;. &lt;tt&gt;honorSystemUmask&lt;/tt&gt; is intended to allow administrators to override the defaults, if need be.&lt;/p&gt;

&lt;p&gt;Unfortunately, I don&apos;t believe that overriding filesystem permissions independently of system umasks is feasible because changing permissions in a platform independent way is difficult, and the APIs used by auditing do not support POSIX permissions at all.&lt;/p&gt;

&lt;p&gt;So that I can better understand your issue, &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=barak.gilboa%40imperva.com&quot; class=&quot;user-hover&quot; rel=&quot;barak.gilboa@imperva.com&quot;&gt;barak.gilboa@imperva.com&lt;/a&gt;, could you explain the issues that you are having with &lt;tt&gt;honorSystemUmask&lt;/tt&gt;?&lt;/p&gt;</comment>
                            <comment id="2280508" author="eric.sedor" created="Tue, 11 Jun 2019 23:02:52 +0000"  >&lt;p&gt;Thanks &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=barak.gilboa%40imperva.com&quot; class=&quot;user-hover&quot; rel=&quot;barak.gilboa@imperva.com&quot;&gt;barak.gilboa@imperva.com&lt;/a&gt;; I am going to send this to an appropriate team for consideration. You can watch this ticket for updates.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10320">
                    <name>Documented</name>
                                                                <inwardlinks description="is documented by">
                                        <issuelink>
            <issuekey id="898339">DOCS-12960</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                            <attachment id="220142" name="Capture.PNG" size="7313" author="barak.gilboa@imperva.com" created="Tue, 11 Jun 2019 12:58:12 +0000"/>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>8.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18555" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname># of Sprints</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>4.0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10011" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Backwards Compatibility</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10038"><![CDATA[Fully Compatible]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Tue, 11 Jun 2019 23:02:52 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        4 years, 25 weeks, 5 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_17052" key="com.atlassian.jira.plugin.system.customfieldtypes:textarea">
                        <customfieldname>Downstream Changes Summary</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>This introduces a new setting `processUmask`; the value provided must be in octal format. The bottom six bits (group/other) will be honored, while the top three bits (user) will be inherited from the system umask.&lt;br/&gt;
&lt;br/&gt;
This new setting is incompatible with `honorSystemUmask=true` for hopefully obvious reasons. :D</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_17050" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Downstream Team Attention</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="16942"><![CDATA[Needed]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>luke.bonanomi@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            4 years, 25 weeks, 5 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>barak.gilboa@imperva.com</customfieldvalue>
            <customfieldvalue>daniel.hatcher@mongodb.com</customfieldvalue>
            <customfieldvalue>eric.sedor@mongodb.com</customfieldvalue>
            <customfieldvalue>xgen-internal-githook</customfieldvalue>
            <customfieldvalue>sara.golemon@mongodb.com</customfieldvalue>
            <customfieldvalue>spencer.jackson@mongodb.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hv45t3:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hutclj:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_10557" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="3030">Security 2019-07-01</customfieldvalue>
    <customfieldvalue id="3032">Security 2019-07-15</customfieldvalue>
    <customfieldvalue id="3107">Security 2019-07-29</customfieldvalue>
    <customfieldvalue id="3109">Security 2019-08-26</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_17051" key="com.atlassian.jira.plugin.system.customfieldtypes:multicheckboxes">
                        <customfieldname>Teams Impacted</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="16944"><![CDATA[Docs]]></customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                    <customfieldvalue><![CDATA[eric.sedor@mongodb.com]]></customfieldvalue>
    

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hv3s2f:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>