  1. Percona Server for MongoDB
  2. PSMDB-257

MongoDB will not start with a group-readable keyFile owned as root

    Details

    • Type: Bug
    • Status: Done
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: 3.6.8-2.0
    • Fix Version/s: 4.0.5-2, 3.6.10-3.0
    • Component/s: None
    • Labels:
      None

      Description

      Background: mongod checks file-based permissions of the 'keyFile' on startup. It will not start if it thinks the keyFile has an insecure owner+mode.

      Problem: when the keyFile is owned as root and is only readable to mongod via the 'group' bit (0440 for example), mongod fails to start complaining that the key is insecure.

      This is incorrect because a "root"-owned file with "group-level" read and no "other" permissions is as secure as a "mongod"-owned 0440-mode keyFile, which is allowed.

      Why does this matter?

      Kubernetes Secret files are always owned as root. We can give mongod the group-read bit to the keyFile, but it fails to start due to the problem above.

      Secondly, it's just incorrect to consider a file with this owner+mode insecure.

      Reproduction of the error:

      $ whoami
      tim
      $ openssl rand -base64 756 >keyfile
      $ sudo chown root.tim keyfile
      $ sudo chmod 0440 keyfile
      $ ls -alh keyfile 
      -r--r-----. 1 root tim 1.0K Nov 26 20:08 keyfile
      $ mongod --dbpath=$PWD --keyFile=$PWD/keyfile
      2018-11-26T20:11:23.542+0100 I ACCESS   [main] Initialized External Auth Session
      2018-11-26T20:11:23.549+0100 I ACCESS   [main] permissions on /home/tim/tmp/psmdbbug/keyfile are too open 

      Notice mongod will not start although only 'root' (who can read any file anyway) and the user running mongod can read the keyFile - which IS secure.

      Desired fix: consider a keyFile that is owned as 'root' (UID:0) and has a group-read bit to the mongod user as secure. Don't fail startup with an error because the keyFile IS secure.

      We should support modes (when owner is 'root'):

      1. 0440 (owner+group read)
      2. 0040 (group-only read)
      3. 0640 (owner read/write + group read)
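
The owner-and-mode policy requested above, written out as a small C check. This is an added example, not mongod's or Percona's code: the function names are hypothetical, and the rules that only root or the mongod user may own the file and that group write/execute bits are rejected are assumptions of the sketch.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: returns 1 if a keyFile with this owner and mode is
 * acceptable under the policy the ticket asks for, 0 otherwise. */
int keyfile_perms_ok(uid_t owner, mode_t mode, uid_t proc_uid)
{
    /* Any bit for "other" exposes the key to every local account. */
    if (mode & S_IRWXO)
        return 0;
    /* Assumption: a third-party owner could chmod the file open at any
     * time, so only root (UID 0) or the mongod user may own it. */
    if (owner != 0 && owner != proc_uid)
        return 0;
    /* The group may read the key, but never modify or execute it. */
    if (mode & (S_IWGRP | S_IXGRP))
        return 0;
    /* A key that neither owner nor group can read is unusable. */
    if (!(mode & (S_IRUSR | S_IRGRP)))
        return 0;
    return 1;
}

/* stat() the path and apply the policy for the current effective user.
 * Returns 1 (ok), 0 (too open or not a regular file), -1 (stat failed). */
int check_keyfile(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) {
        perror(path);
        return -1;
    }
    if (!S_ISREG(st.st_mode))
        return 0;
    return keyfile_perms_ok(st.st_uid, st.st_mode & 07777, geteuid());
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <keyfile>\n", argv[0]);
        return 2;
    }
    int ok = check_keyfile(argv[1]);
    printf("%s: %s\n", argv[1], ok == 1 ? "acceptable" : "rejected");
    return ok == 1 ? 0 : 1;
}
```

The check covers only owner and mode; whether the mongod user is actually a member of the file's group still decides if the group-read bit lets it open the key.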

                People

                • Assignee:
                  ibrar.ahmed Ibrar Ahmed
                  Reporter:
                  tim.vaillancourt Tim Vaillancourt (Inactive)
                    Time Tracking

                    Logged:
                    Time Spent - 4 days, 40 minutes