  1. Core Server
  2. SERVER-25335

0002 umask yields world-readable .dbshell history file

    • Minor Change
    • ALL
    • v3.2, v3.0
    • rm ~/.dbshell
      echo test | mongo
      ls -la ~/.dbshell
    • 27

      During a very similar bug report on redis (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832460), lamby@ linked to a code search which hinted at a similar bug in mongodb.

      I've verified this bug exists in 2.4.10 (current mongodb in debian stable), but I'm not sure about the latest version.

      I think the severity for this bug is lower, given that db.auth isn't written to ~/.dbshell, but it might leak sensitive application-specific information that might be useful for a local attacker.

      I suggest the permissions should be set to the user only (0600) instead of world-readable (0644, current permissions).

            Assignee:
            Kevin Pulo (kevin.pulo@mongodb.com)
            Reporter:
            kpcyrd
            Votes:
            2
            Watchers:
            20
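
The permission behaviour described in this report, as an added example that is not MongoDB's code and not part of the original issue: a history file written through fopen() inherits whatever the umask allows, while one opened with an explicit 0600 mode and then fchmod()'d stays private under any umask. The function names and the sample path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return the permission bits of path, or -1 on error. */
static int file_mode(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 07777);
}

/* "Before": fopen() requests 0666 and lets the umask decide, so
 * umask 0022 gives the reported 0644 and umask 0002 gives 0664. */
static int save_history_default(const char *path, const char *line) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int rc = (fputs(line, f) < 0) ? -1 : 0;
    if (fclose(f) != 0) rc = -1;
    return rc;
}

/* "After": request 0600 at creation, refuse to follow a symlink, and
 * fchmod() before writing so an older, wider file is tightened too. */
static int save_history_private(const char *path, const char *line) {
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    int rc = 0;
    size_t len = strlen(line);
    if (fchmod(fd, 0600) != 0 || ftruncate(fd, 0) != 0 ||
        write(fd, line, len) != (ssize_t)len)
        rc = -1;
    if (close(fd) != 0) rc = -1;
    return rc;
}

int main(void) {
    const char *path = "dbshell_demo_history"; /* constructed sample path */
    umask(0002);
    unlink(path);
    save_history_default(path, "test\n");
    printf("default: %04o\n", file_mode(path));
    save_history_private(path, "test\n");
    printf("private: %04o\n", file_mode(path));
    unlink(path);
    return 0;
}
```

The fchmod() call matters for upgrades: passing 0600 to open() only applies when the file is created, so a history file left behind by an older shell would otherwise keep its world-readable bits.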
