When using the following:
$ mongo --host 127.0.0.1 --user admin --password superSecret12345
$ ps auxww | grep mongo
$ mongo mongodb://admin:superSecret12345@127.0.0.1/
$ ps auxww | grep mongo
You see that the --password value has been masked with "x" characters, so you don't easily expose the password to others. However, when connecting using the mongodb:// connection string, which is still waiting to be documented (DOCS-9033), the password is not masked.
With the mongodb:// method, the password is also leaked into the stdout of the CLI when it displays "connecting to: mongodb://admin:superSecret12345@127.0.0.1/".
I believe these should be masked in the same way, so the password is never displayed in the running process cmdline or in the stdout line displayed saying it is connecting.
- is related to: TOOLS-1782 Mask password from being displayed in process list (Closed)
- related to: SERVER-36744 Command-line redaction in the shell misses some common cases (Closed)
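The two cases in the report can be checked for on a host with a small scanner over process command lines. This is an added example, not part of the original report and not MongoDB's redaction code; the function names, the `xxxx` mask, the "all x means masked" rule and the sample command lines are assumptions constructed for illustration.

```python
import re

MASK = "xxxx"

# scheme://user:password@ ; the password runs to the last '@' before the
# first '/', '?' or whitespace, so a stray '@' inside it is still covered.
_URI = re.compile(r"(mongodb(?:\+srv)?://)([^:@/?\s]+):([^/?\s]+)@")
# --password VALUE or --password=VALUE, the flag form used in the report.
_FLAG = re.compile(r"(--password[= ])(\S+)")


def _is_masked(value: str) -> bool:
    # Assumption: a value made only of "x" is the shell's mask, as the
    # report describes for --password.
    return set(value) == {"x"}


def redact(cmdline: str) -> str:
    """Return cmdline with URI and --password secrets replaced by MASK."""
    out = _URI.sub(lambda m: f"{m[1]}{m[2]}:{MASK}@", cmdline)
    return _FLAG.sub(lambda m: f"{m[1]}{MASK}", out)


def is_exposed(cmdline: str) -> bool:
    """True if cmdline still carries an unmasked password."""
    secrets = [m[3] for m in _URI.finditer(cmdline)]
    secrets += [m[2] for m in _FLAG.finditer(cmdline)]
    return any(not _is_masked(s) for s in secrets)


def scan(processes: dict[int, str]) -> dict[int, str]:
    """Map pid -> redacted command line for every exposed process."""
    return {pid: redact(c) for pid, c in processes.items() if is_exposed(c)}


# Constructed sample (pid -> command line), shaped like the report's cases.
SAMPLE = {
    101: "mongo --host 127.0.0.1 --user admin --password xxxxxxxxxxxxxxxx",
    102: "mongo mongodb://admin:superSecret12345@127.0.0.1/",
    103: "mongo mongodb+srv://app:p@ss%2Fword@db.example.net/test?w=1",
    104: "mongo mongodb://127.0.0.1/",
}

if __name__ == "__main__":
    for pid, line in scan(SAMPLE).items():
        print(pid, line)
```

The same `redact` function can be applied to the "connecting to:" line before it is written to a log, which covers the stdout case the report mentions.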