- Type: Bug
- Resolution: Done
- Priority: Major - P3
- Affects Version/s: 2.4.10
- Component/s: Security
- Minor Change
- ALL
- v3.2, v3.0
- 27

During a very similar bug report on Redis (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832460), lamby@ linked to a code search which hinted at a similar bug in MongoDB.
I've verified this bug exists in 2.4.10 (current MongoDB in Debian stable), but I'm not sure about the latest version.
I think the severity for this bug is lower, given that db.auth isn't written to ~/.dbshell, but it might leak sensitive application-specific information that might be useful for a local attacker.
I suggest the permissions should be set to the user only (0600) instead of world-readable (0644, current permissions).
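
The 0644 versus 0600 difference described in the report, as an added example that is not part of the original report and is not MongoDB's code: a default fopen() creation next to an owner-only creation that also tightens a history file that already exists, plus a check for group/other access. The helper names and the scratch path under /tmp are assumptions made for illustration.

```c
/* Added example: hypothetical helper names and scratch path; not MongoDB's own code. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* "Before": fopen() creates with 0666 & ~umask, so 0644 under the usual 022 umask. */
static int create_history_default(const char *path) {
    FILE *f = fopen(path, "a");
    return f ? fclose(f) : -1;
}

/* "After": create as 0600, refuse symlinks, and tighten an existing regular
 * file we own by calling fchmod() on the descriptor rather than the path. */
static int open_history_private(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid() ||
        ((st.st_mode & 07777) != 0600 && fchmod(fd, 0600) != 0)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Check in the spirit of SERVER-25963: 1 = group/other have access, 0 = owner-only, -1 = error. */
static int history_exposed(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) ? 1 : 0;
}

/* Constructed demo in a scratch directory; returns 0 when all expectations hold. */
static int demo(void) {
    char dir[] = "/tmp/dbshell-demo-XXXXXX", path[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/.dbshell", dir);
    umask(022);
    int before = create_history_default(path) == 0 ? history_exposed(path) : -1;
    int fd = open_history_private(path); /* file already exists as 0644 */
    int after = history_exposed(path);
    if (fd >= 0) close(fd);
    unlink(path);
    rmdir(dir);
    return (before == 1 && fd >= 0 && after == 0) ? 0 : 1;
}
int main(void) { return demo(); }
```
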
- is related to
  - SERVER-26489 mongo shell no longer records history of commands (Closed)
  - SERVER-25963 shell should warn user if .dbshell history file is read/writeable by other users (Closed)
- related to
  - SERVER-22992 wait_for_pid() function in shell_utils_launcher.cpp doesn't wait for program output to finish being consumed (Closed)
- links to