- Type: New Feature
- Resolution: Won't Fix
- Priority: Major - P3
- Affects Version/s: 2.6.3, 2.7.5
- Component/s: Security
It should be possible to configure processes like mongod and mongos, which sometimes need to read sensitive files like PEM and key files, to change the user they're running as after reading those files. If it is intended that mongod/mongos be able to run on privileged ports then binding to those ports should also happen before changing user.
The use case would be to allow sensitive files to be owned by root, start these processes as root, but then have them quickly change to running as an unprivileged user (e.g. mongodb) after reading the sensitive files or performing other privileged operations. Of particular interest would be the following files configurable through the command-line:
- keyFile
- sslPEMKeyFile
- sslClusterFile
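The startup order the request describes, written out as an added example in C (this is not MongoDB code and does not show how mongod actually starts): read the key file and bind any privileged listener while still root, then drop to an unprivileged uid/gid irreversibly, then verify that root cannot be regained and that the key file is no longer readable through the filesystem. The key material deliberately stays in process memory, which is exactly the residual exposure the ticket accepts. The uid/gid 65534 ("nobody" on most systems), the `/tmp` path and the key material are assumptions made for the demo, not values from the ticket.

```c
/* Added example (not MongoDB code): privileged setup first, then an
 * irreversible privilege drop, then a self-check that the drop took effect.
 * Assumptions: uid/gid 65534 exists as "nobody", /tmp is writable, and the
 * constructed key material below stands in for a real keyFile/PEM file. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <fcntl.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define KEY_MAX 4096

/* Read up to cap bytes of the key file. Returns bytes read, or -1 on error. */
ssize_t read_keyfile(const char *path, char *buf, size_t cap) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t total = 0;
    while ((size_t)total < cap) {
        ssize_t n = read(fd, buf + total, cap - (size_t)total);
        if (n < 0) { close(fd); return -1; }
        if (n == 0) break;
        total += n;
    }
    close(fd);
    return total;
}

/* Bind a TCP listener on 127.0.0.1:port. Ports below 1024 need root, so this
 * must happen before the drop. Returns the listening fd or -1. */
int bind_listener(int port) {
    int fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (fd < 0) return -1;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons((uint16_t)port);
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0 || listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* 1 if the process can still become root (i.e. the drop was incomplete), else 0. */
int can_regain_root(void) {
    return setuid(0) == 0 || seteuid(0) == 0;
}

/* Drop root to uid/gid with no way back. Order matters: supplementary groups
 * and gid first, because after setuid() the process no longer has CAP_SETGID.
 * Returns 0 if dropped, 1 if not root (nothing to drop), -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0) return 1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;   /* as root this sets real, effective and saved uid */
    if (can_regain_root()) return -1;  /* a drop that can be undone is not a drop */
    return 0;
}

/* The whole sequence. port < 0 skips the listener. Returns the number of key
 * bytes loaded (> 0) on success, or a negative error code. */
int startup_sequence(const char *keyfile, int port, uid_t uid, gid_t gid) {
    static char key[KEY_MAX];            /* stays in memory: the accepted residual risk */
    int was_root = (geteuid() == 0);

    ssize_t n = read_keyfile(keyfile, key, sizeof key);       /* step 1a: read secrets as root */
    if (n <= 0) return -1;
    int lfd = (port >= 0) ? bind_listener(port) : -1;         /* step 1b: bind as root */
    if (port >= 0 && lfd < 0) return -2;

    if (drop_privileges(uid, gid) < 0) return -3;             /* step 2: drop */

    if (can_regain_root()) return -4;                         /* step 3: verify */
    char probe[KEY_MAX];
    if (was_root && read_keyfile(keyfile, probe, sizeof probe) >= 0) return -5;
    return (int)n;
}

/* Fixture: a throwaway key file with constructed (not real) material,
 * created by mkstemp with mode 0600 as a real key file should be. */
const char *create_constructed_keyfile(void) {
    static char path[] = "/tmp/example-keyfile-XXXXXX";   /* assumed writable */
    int fd = mkstemp(path);
    if (fd < 0) return NULL;
    const char *material = "CONSTRUCTED-KEY-MATERIAL-NOT-A-REAL-KEY\n";
    ssize_t w = write(fd, material, strlen(material));
    close(fd);
    return (w == (ssize_t)strlen(material)) ? path : NULL;
}

int main(void) {
    const char *path = create_constructed_keyfile();
    if (!path) { perror("keyfile"); return 1; }
    int rc = startup_sequence(path, -1, 65534, 65534);
    printf("startup_sequence -> %d, euid now %u, can regain root: %d\n",
           rc, (unsigned)geteuid(), can_regain_root());
    unlink(path);   /* fails after the drop when the file is root-owned, which is the point */
    return rc > 0 ? 0 : 1;
}
```

Run it as root to see the full effect: the key is loaded, the process ends up as uid 65534, and the second read of the root-owned 0600 file fails. Run as an ordinary user and `drop_privileges` reports there was nothing to drop, but the sequence still completes. Keep the file check (step 3) in real deployments too: a missed `setgroups` or a `seteuid`-only drop leaves a path back to root that only a post-drop probe will catch.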
We can't protect against in-memory access, but we can still raise the bar: grabbing the secrets would then require the more sophisticated skill of accessing and decoding RAM rather than simply running cat on the key file and cracking it offline. Increasing security by requiring different skill sets to pull off an attack can be an effective technique. For example, someone who knows how to exploit V8 and JavaScript would likely find it easy to then issue shell commands and use an offline cracking tool, but is less likely to know how to access and then decode RAM.
NOTE: I know of no V8/JavaScript exploit; I'm just using it as a plausible example of an attack that you might imagine someone pulling off who doesn't know how to or wouldn't think to try to read the data from RAM.