MongoDB Database Tools / TOOLS-2768

mongoimport shows clear password in ps

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Minor - P4
    • Affects Version/s: 100.2.0
    • Component/s: None
    • Environment: Linux

      When you run mongoimport with a password, every user on the host can see the password as clear text by using a simple `ps` command.

      The command line masks the password; however, in the process arguments it is shown as clear text:

       

      $ mongoimport --username=syslog-ng --password=secretPassword --authenticationDatabase=admin --db=mip --collection=sessions.raw 
      2020-11-05T09:33:56.375+0100    connected to: mongodb://localhost/
      
      $ mongoimport --uri=mongodb://syslog-ng:secretPassword@localhost/mip?authSource=admin -c sessions.raw
      2020-11-05T09:34:41.244+0100    connected to: mongodb://[**REDACTED**]@localhost/mip?authSource=admin
      
      
      $ ps -fp $(pidof -sx mongoimport)
      
      UID        PID  PPID  C STIME TTY          TIME CMD
      mediati+ 13301 13168  0 09:27 pts/1    00:00:00     mongoimport --username=syslog-ng --password=secretPassword --authenticationDatabase=admin --db=mip --collection=sessions.raw
      
      UID        PID  PPID  C STIME TTY          TIME CMD
      mediati+ 56595 56547  0 Nov04 ?        00:05:06     mongoimport --uri=mongodb://syslog-ng:secretPassword@localhost/mip?authSource=admin -c sessions.raw
      
      

      For comparison, have a look at the `mongo` shell; there the password is hidden, as it should be:

      $ mongo --username=syslog-ng --password=secretPassword --authenticationDatabase=admin mip
      $ mongo mongodb://syslog-ng:secretPassword@localhost/mip?authSource=admin 
      
      $ ps -fp $(pidof -sx mongo)
      
      UID        PID  PPID  C STIME TTY          TIME CMD
      mediati+ 13434 13168  0 09:28 pts/1    00:00:00     mongo --username=syslog-ng --password=xxxxxxxx --authenticationDatabase=admin mip
      
      UID        PID  PPID  C STIME TTY          TIME CMD
      mediati+ 23607 13168  1 09:37 pts/1    00:00:00     mongo mongodb://syslog-ng@localhost/mip
      
      
      

       

      Any plans to get rid of this security flaw?

       

      Kind Regards
      Wernfried

       

            Assignee: Unassigned
            Reporter: Wernfried Domscheit (wernfried.domscheit@sunrise.net)
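An audit check for the exposure reported above, as an added example that is not part of the original report or of the MongoDB tools: it reads Linux `/proc/<pid>/cmdline` and flags the two argument forms shown in the `ps` output (`--password=VALUE` and a connection string containing `user:password@`), printing them redacted. The function names and sample argument vectors are constructed for illustration; a value made up only of `x` characters is assumed to be already masked, matching the `mongo` shell output above.

```python
import re
from pathlib import Path

# user:password@ inside a MongoDB connection string; reserved characters in the
# password must be percent-encoded, so it cannot contain '@', '/' or '?'.
URI_CRED = re.compile(r"(mongodb(?:\+srv)?://[^:/@\s]+):([^@/?\s]+)@")
# The mongo shell overwrites its own argv with x's (see its ps output above).
MASKED = re.compile(r"x+")

# Constructed samples: argument vectors matching the ps lines in the report.
SAMPLE_FLAG = ["mongoimport", "--username=syslog-ng", "--password=secretPassword",
               "--authenticationDatabase=admin", "--db=mip", "--collection=sessions.raw"]
SAMPLE_URI = ["mongoimport", "--uri=mongodb://syslog-ng:secretPassword@localhost/mip?authSource=admin",
              "-c", "sessions.raw"]
SAMPLE_MASKED = ["mongo", "--username=syslog-ng", "--password=xxxxxxxx",
                 "--authenticationDatabase=admin", "mip"]


def exposed_args(argv):
    """Return redacted copies of the arguments that carry a cleartext password."""
    hits = []
    for arg in argv:
        if arg.startswith("--password="):
            value = arg.split("=", 1)[1]
            if value and not MASKED.fullmatch(value):
                hits.append("--password=<redacted>")
        elif URI_CRED.search(arg):
            hits.append(URI_CRED.sub(r"\1:<redacted>@", arg))
    return hits


def scan_proc(proc_root="/proc"):
    """Map PID -> redacted findings for each readable /proc/<pid>/cmdline (Linux)."""
    findings = {}
    for path in Path(proc_root).glob("[0-9]*/cmdline"):
        try:
            argv = path.read_bytes().decode("utf-8", "replace").split("\0")
        except OSError:  # process exited meanwhile, or access denied
            continue
        hits = exposed_args(argv)
        if hits:
            findings[int(path.parent.name)] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in sorted(scan_proc().items()):
        print(pid, *hits)
```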