Uploaded image for project: 'MongoDB Database Tools'
  1. MongoDB Database Tools
  2. TOOLS-3071

Tools installed by RPM packages to /usr/bin are owned by mongod:mongod instead of root:root

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Minor - P4 Minor - P4
    • 100.5.3
    • Affects Version/s: None
    • Component/s: None
    • None

      A customer security scan (OpenSCAP) is flagging an issue with the way we install database-tools, which are now installed in /usr/bin but owned by mongod:mongod (this is on a RHEL 8.5 system). This is at odds with the security-issued guidance that all files in this directory should be owned by root:root. Our setup is certainly anomalous - out of hundreds of files in this location, only the MDB tools are owned by a non-root user. And after a little bit of investigation, I determined also that we used to install tools as root:root, prior to separating out the tools from the core server in 4.4.

      Was this change done deliberately? If so, what security-focused rationale can I provide the customer? Alternatively, should we consider reverting back to the more conventional approach?

      Here is the relevant guidance published in the RHEL8 STIG (Security Technical Implementation Guide):

      https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2021-12-03/finding/V-230259

      https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2021-12-03/finding/V-230258

      RPM building code starts at https://github.com/mongodb/mongo-tools/blob/c714431e657660968a5fd0eedebd0876fae2576e/release/release.go#L312

            Assignee:
            dave.rolsky@mongodb.com Dave Rolsky
            Reporter:
            jonathan.janos@mongodb.com Jonathan Janos
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: