- Type: Bug
- Resolution: Duplicate
- Priority: Minor - P4
- None
- Affects Version/s: 100.2.0
- Component/s: None
- Environment: Linux
When you run mongoimport with a password, every user on the host can see the password in clear text with a simple `ps` command.
The command line masks the password; however, in the process arguments it is shown as clear text:

```
$ mongoimport --username=syslog-ng --password=secretPassword --authenticationDatabase=admin --db=mip --collection=sessions.raw
2020-11-05T09:33:56.375+0100 connected to: mongodb://localhost/

$ mongoimport --uri=mongodb://syslog-ng:secretPassword@localhost/mip?authSource=admin -c sessions.raw
2020-11-05T09:34:41.244+0100 connected to: mongodb://[**REDACTED**]@localhost/mip?authSource=admin

$ ps -fp $(pidof -sx mongoimport)
UID        PID   PPID  C STIME TTY          TIME CMD
mediati+ 13301  13168  0 09:27 pts/1    00:00:00 mongoimport --username=syslog-ng --password=secretPassword --authenticationDatabase=admin --db=mip --collection=sessions.raw
UID        PID   PPID  C STIME TTY          TIME CMD
mediati+ 56595  56547  0 Nov04 ?        00:05:06 mongoimport --uri=mongodb://syslog-ng:secretPassword@localhost/mip?authSource=admin -c sessions.raw
```
For comparison, have a look at the `mongo` shell, where the password is hidden as it should be:

```
$ mongo --username=syslog-ng --password=secretPassword --authenticationDatabase=admin mip
$ mongo mongodb://syslog-ng:secretPassword@localhost/mip?authSource=admin

$ ps -fp $(pidof -sx mongo)
UID        PID   PPID  C STIME TTY          TIME CMD
mediati+ 13434  13168  0 09:28 pts/1    00:00:00 mongo --username=syslog-ng --password=xxxxxxxx --authenticationDatabase=admin mip
UID        PID   PPID  C STIME TTY          TIME CMD
mediati+ 23607  13168  1 09:37 pts/1    00:00:00 mongo mongodb://syslog-ng@localhost/mip
```
Any plans to get rid of this security flaw?
Kind Regards
Wernfried
- duplicates: TOOLS-2447 Improve processlist output (status: Development Complete)
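The exposure described in this ticket can be audited from the defender's side: on Linux, `ps` reads each process's argument vector from `/proc/<pid>/cmdline`, which is world-readable, so a periodic scan of that file for password values finds every process that leaks credentials the way mongoimport does above. The script below is an added example, not code from the ticket or from the MongoDB tools. It assumes a Linux `/proc` layout and handles the option forms seen on this page (`--password=VALUE`, the `--password VALUE` and `-p VALUE` variants, and `scheme://user:VALUE@host` connection strings); the sample command lines are constructed from the ticket's own `ps` output.

```shell
#!/bin/sh
# Added example (not part of the ticket or the mongo tools): a defender-side
# audit for passwords exposed in process arguments. Every process's argv is
# readable by any local user through /proc/<pid>/cmdline, which is exactly
# what `ps` prints.
# Assumptions: Linux /proc layout; the option forms handled are --password=V,
# --password V, -p V (mongoimport's short form) and scheme://user:V@host URIs.

# redact_cmdline STRING: print STRING with every password value replaced by
# xxxxxxxx, the same marker the mongo shell leaves in its own argv.
redact_cmdline() {
    printf '%s\n' "$1" | sed -E \
        -e 's/(--password=)[^ ]+/\1xxxxxxxx/g' \
        -e 's/(--password[[:space:]]+)[^ ]+/\1xxxxxxxx/g' \
        -e 's/((^|[[:space:]])-p[[:space:]]+)[^ ]+/\1xxxxxxxx/g' \
        -e 's#(://[^:/@ ]+:)[^@ ]+@#\1xxxxxxxx@#g'
}

# has_cleartext_password STRING: succeed (exit 0) when redaction changed the
# string, i.e. when a password value is visible in the command line.
has_cleartext_password() {
    [ "$(redact_cmdline "$1")" != "$1" ]
}

# scan_proc: walk /proc and report, as "<pid><TAB><redacted cmdline>", each
# process whose arguments expose a password. argv in /proc is NUL-separated,
# so it is converted to spaces first. Processes the caller may not read
# (or that exited during the walk) are skipped silently.
scan_proc() {
    for f in /proc/[0-9]*/cmdline; do
        pid=${f#/proc/}
        pid=${pid%/cmdline}
        cmd=$(tr '\000' ' ' < "$f" 2>/dev/null) || continue
        cmd=${cmd% }
        [ -n "$cmd" ] || continue
        if has_cleartext_password "$cmd"; then
            printf '%s\t%s\n' "$pid" "$(redact_cmdline "$cmd")"
        fi
    done
}

# Constructed sample command lines, modelled on the ticket's ps output.
SAMPLE_IMPORT='mongoimport --username=syslog-ng --password=secretPassword --authenticationDatabase=admin --db=mip --collection=sessions.raw'
SAMPLE_URI='mongoimport --uri=mongodb://syslog-ng:secretPassword@localhost/mip?authSource=admin -c sessions.raw'
SAMPLE_SHORT='mongoimport -u syslog-ng -p secretPassword --db=mip'
SAMPLE_MASKED='mongo --username=syslog-ng --password=xxxxxxxx --authenticationDatabase=admin mip'

# Stand-alone use: scan the live host. Output is already redacted, so it is
# safe to forward to a log collector or a monitoring alert.
if [ -r /proc/self/cmdline ]; then
    scan_proc
fi
```

Run it as any unprivileged user to see what that user can see; the report only ever contains the redacted form, so an empty report after a run means no process on the host is currently exposing a password in one of the handled forms. Running the scan from a cron job or a monitoring agent turns this into a standing check rather than a one-off.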