Tools installed by RPM packages to /usr/bin are owned by mongod:mongod instead of root:root


    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor - P4
    • Fix Version/s: 100.5.3
    • Affects Version/s: None
    • Component/s: None
    • Labels: None

      A customer security scan (OpenSCAP) is flagging an issue with the way we install database-tools, which are now installed in /usr/bin but owned by mongod:mongod (this is on a RHEL 8.5 system). This is at odds with the security-issued guidance that all files in this directory should be owned by root:root. Our setup is certainly anomalous - out of hundreds of files in this location, only the MDB tools are owned by a non-root user. And after a little bit of investigation, I determined also that we used to install tools as root:root, prior to separating out the tools from the core server in 4.4.

      Was this change done deliberately? If so, what security-focused rationale can I provide the customer? Alternatively, should we consider reverting back to the more conventional approach?

      Here is the relevant guidance published in the RHEL8 STIG (Security Technical Implementation Guide):

      https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2021-12-03/finding/V-230259

      https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2021-12-03/finding/V-230258

      RPM building code starts at https://github.com/mongodb/mongo-tools/blob/c714431e657660968a5fd0eedebd0876fae2576e/release/release.go#L312
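As an added example (not part of this ticket or of the mongo-tools project), a shell check that reproduces what the two STIG findings above look for: it reads `rpm -q --dump` output and reports entries under a directory prefix that are not owned by root:root, plus the filesystem-side check that a scanner such as OpenSCAP would flag. The sample dump lines are constructed, and the package name `mongodb-database-tools` in the live branch is an assumption.

```shell
#!/bin/sh
# Report files in an RPM's metadata that live under PREFIX but are not owned by
# root:root. Input is `rpm -q --dump <pkg>` output, one file per line:
#   path size mtime digest mode owner group isconfig isdoc rdev symlink
# Prints "path owner:group" for each offending entry; returns 1 if any were found.
audit_rpm_dump() {
  awk -v prefix="$1" '
    index($1, prefix "/") == 1 && ($6 != "root" || $7 != "root") {
      print $1, $6 ":" $7; bad = 1
    }
    END { exit bad ? 1 : 0 }
  '
}

# Filesystem-side check matching the STIG findings (V-230258 owner, V-230259 group):
# any file under the given directory not owned by root:root is a finding.
audit_fs_owner() {
  find "$1" -xdev \( ! -user root -o ! -group root \) \
    -exec stat -c '%n %U:%G' {} + 2>/dev/null
}

# Constructed sample dump lines (not real package metadata) showing the
# ownership pattern the ticket describes: tools in /usr/bin owned by mongod:mongod.
SAMPLE_DUMP='/usr/bin/mongodump 12345 1640000000 0000 0100755 mongod mongod 0 0 0 X
/usr/bin/mongorestore 12345 1640000000 0000 0100755 mongod mongod 0 0 0 X
/usr/share/doc/mongodb-database-tools/README.md 10 1640000000 0000 0100644 root root 0 1 0 X'

if [ "${1:-}" = "--live" ]; then
  # Assumption: the RPM is named mongodb-database-tools.
  rpm -q --dump mongodb-database-tools | audit_rpm_dump /usr/bin
  audit_fs_owner /usr/bin
else
  # Offline demo on the constructed sample: prints the two mongod:mongod entries.
  printf '%s\n' "$SAMPLE_DUMP" | audit_rpm_dump /usr/bin \
    || echo "non-root-owned files found under /usr/bin"
fi
```

Run with `--live` on the affected host to audit the installed package and the real /usr/bin.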

            Assignee: Dave Rolsky
            Reporter: Jonathan Janos
            Votes: 0
            Watchers: 5
