  1. Core Server
  2. SERVER-31550

Cannot disable secure allocation domains for the shell


      Apply the following patch:

      diff --git a/src/mongo/base/secure_allocator.cpp b/src/mongo/base/secure_allocator.cpp
      index 68f8c19023..827c157ca9 100644
      --- a/src/mongo/base/secure_allocator.cpp
      +++ b/src/mongo/base/secure_allocator.cpp
      @@ -240,8 +240,10 @@ void* systemAllocate(std::size_t bytes) {
               fassertFailed(28831);
           }
      
      -    if (mlock(ptr, bytes) != 0) {
      +    if (true) { // mlock(ptr, bytes) != 0) {
      +        errno = EPERM;
               auto str = errnoWithPrefix("Failed to mlock");
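      Review bot: the `if (true)` on the changed line in systemAllocate means mlock is never called and the real condition survives only as a trailing comment, so every allocation takes the "Failed to mlock" path on every platform. That is acceptable as a local fault injection for reproducing the crash, but it should not be committed in this form; if the simulation is wanted in the tree, keep `mlock(ptr, bytes) != 0` as the live condition and gate the forced failure behind a test-only switch. A one-line comment saying that `errno = EPERM` is set by hand to mimic the unprivileged case would also help, since `errnoWithPrefix` reads it on the next line.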
      

      And then run the following test invocation:

      buildscripts/resmoke.py --continueOnFailure --staggerJobs=on --reportFailureStatus=fail --dbpathPrefix=/tmp/db --mongodSetParameters='{disabledSecureAllocatorDomains: "*"}' --mongosSetParameters='{disabledSecureAllocatorDomains: "*"}' jstests/core/auth1.js
      

      The shell will crash with an assertion, since it is still trying to use secure allocation.

    • Platforms 2018-02-12, Security 2018-12-17

      We can disable secure allocation when running the servers via the disabledSecureAllocatorDomains setParameter. This is useful when running the servers on systems where the user does not have the appropriate capabilities to invoke mlock. However, there is no available mechanism to disable the secure allocator when running the shell, which renders it unusable on such systems.

            Assignee: Sara Golemon (sara.golemon@mongodb.com)
            Reporter: Andrew Morrow (Inactive) (andrew.morrow@mongodb.com)
            Votes: 1
            Watchers: 7

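
The behaviour the description asks for, sketched as an added example that is not MongoDB's code: an allocator that calls mlock only when its domain is enabled, and hands the errno back to the caller instead of asserting when the lock is refused. The `SecureBlock` type, the function names, the `"shell"` domain label and the reading of `"*"` as "all domains" are assumptions made for illustration.

```cpp
// Added example, not MongoDB source: every name below is hypothetical.
#include <sys/mman.h>
#include <cerrno>
#include <cstdio>
#include <set>
#include <string>

struct SecureBlock {
    void* ptr = nullptr; std::size_t bytes = 0;
    bool locked = false;  // true only when mlock() succeeded
    int err = 0;          // errno from mmap()/mlock() when ptr == nullptr
};

// Stand-in for the disabled-domains setting; "*" is assumed to mean all.
static std::set<std::string> disabledDomains;
bool domainEnabled(const std::string& domain) {
    return !disabledDomains.count("*") && !disabledDomains.count(domain);
}

SecureBlock secureAllocate(const std::string& domain, std::size_t bytes) {
    SecureBlock b;
    void* p = mmap(nullptr, bytes, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) { b.err = errno; return b; }
    if (domainEnabled(domain)) {
        if (mlock(p, bytes) != 0) {  // e.g. EPERM or ENOMEM when unprivileged
            b.err = errno;           // report to the caller, do not abort
            munmap(p, bytes);
            return b;
        }
        b.locked = true;
    }
    b.ptr = p; b.bytes = bytes;
    return b;
}

void secureFree(SecureBlock& b) {
    if (!b.ptr) return;
    volatile unsigned char* v = static_cast<unsigned char*>(b.ptr);
    for (std::size_t i = 0; i < b.bytes; ++i) v[i] = 0;  // scrub before release
    munmap(b.ptr, b.bytes);  // unmapping also drops any lock on the pages
    b = SecureBlock{};
}

int main() {
    disabledDomains = {"*"};  // constructed setting: lock nothing
    SecureBlock b = secureAllocate("shell", 4096);
    std::printf("ptr=%p locked=%d err=%d\n", b.ptr, b.locked, b.err);
    secureFree(b);
}
```

With the domain disabled the memory is ordinary pageable memory, so secrets held in it can reach swap; that is the trade-off being accepted on hosts where mlock is not permitted.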