Percona Server for MongoDB / PSMDB-257

MongoDB will not start with a group-readable keyFile owned as root


    • Type: Bug
    • Status: Done
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: 3.6.8-2.0
    • Fix Version/s: 4.0.5-2, 3.6.10-3.0
    • Component/s: None
    • Labels:


      Background: mongod checks file-based permissions of the 'keyFile' on startup. It will not start if it thinks the keyFile has an insecure owner+mode.

      Problem: when the keyFile is owned as root and is only readable to mongod via the 'group' bit (0440 for example), mongod fails to start complaining that the key is insecure.

      This is incorrect because a "root"-owned file with "group"-level read and no "other" permissions is just as secure as a "mongod"-owned 0440-mode keyFile, which is allowed.

      Why does this matter?

      Kubernetes Secret files are always owned by root. We can give mongod the group-read bit on the keyFile, but it fails to start due to the problem above.

      Secondly, it's just incorrect to consider a file with this owner+mode insecure.

      Reproduction of the error:

      $ whoami
      $ openssl rand -base64 756 >keyfile
      $ sudo chown root.tim keyfile
      $ sudo chmod 0440 keyfile
      $ ls -alh keyfile 
      -r--r-----. 1 root tim 1.0K Nov 26 20:08 keyfile
      $ mongod --dbpath=$PWD --keyFile=$PWD/keyfile
      2018-11-26T20:11:23.542+0100 I ACCESS   [main] Initialized External Auth Session
      2018-11-26T20:11:23.549+0100 I ACCESS   [main] permissions on /home/tim/tmp/psmdbbug/keyfile are too open 

      Notice mongod will not start although only 'root' (who can read any file anyway) and the user running mongod can read the keyFile - which IS secure.

      Desired fix: consider a keyFile that is owned by 'root' (UID 0) and has a group-read bit for the mongod user as secure. Don't fail startup with an error, because the keyFile IS secure.

      We should support modes (when owner is 'root'):

      1. 0440 (owner+group read)
      2. 0040 (group-only read)
      3. 0640 (owner read/write + group read)
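
      The policy requested above, written out as a standalone check. This is an added illustration, not MongoDB's or Percona's code: it encodes the rule the report asks for (no 'other' bits, group may only read, owner must be root or the server's own user, the server must be in the group it is being granted access through) so the accepted and rejected owner+mode combinations can be enumerated. The uid/gid values (1000 for the server, 1001 for a third user) and the case list are constructed for the example.

```python
#!/usr/bin/env python3
"""Illustrative keyFile permission policy. Not MongoDB or Percona code:
this encodes the rule the report asks for so it can be reasoned about and
tested in isolation."""
import os
import stat
from typing import Iterable, Tuple

ROOT_UID = 0


def keyfile_policy(file_uid: int, file_gid: int, file_mode: int,
                   proc_uid: int, proc_gids: Iterable[int]) -> Tuple[bool, str]:
    """Decide whether a keyFile with owner file_uid, group file_gid and
    st_mode file_mode is acceptable for a server running as proc_uid with
    group memberships proc_gids. Returns (accepted, reason).

    Rules (the report's requested policy, plus the checks it implies):
      1. no 'other' bits at all;
      2. the group may only ever have the read bit;
      3. the owner must be root (UID 0) or the server user itself;
      4. a group-read bit is only meaningful if the server is in that group;
      5. the server must be able to read the file at all.
    """
    perm = stat.S_IMODE(file_mode)
    gids = set(proc_gids)

    # 1. Anything granted to 'other' is granted to every local account.
    if perm & stat.S_IRWXO:
        return False, "permissions %o are too open: 'other' bits set" % perm

    # 2. Group write or execute is never acceptable for a shared secret.
    if perm & (stat.S_IWGRP | stat.S_IXGRP):
        return False, "permissions %o are too open: group write/execute set" % perm

    # 3. A third user owning the key could read it and change its mode.
    if file_uid not in (ROOT_UID, proc_uid):
        return False, "owner uid %d is neither root nor the server uid %d" % (file_uid, proc_uid)

    # 4. Group read to a group the server is not in helps nobody but that group.
    group_read = bool(perm & stat.S_IRGRP)
    if group_read and file_gid not in gids:
        return False, "group-readable by gid %d, but the server is not in that group" % file_gid

    # 5. Reject early with a clear message instead of failing later at open().
    readable = (
        proc_uid == ROOT_UID
        or (file_uid == proc_uid and bool(perm & stat.S_IRUSR))
        or group_read  # rule 4 already guarantees group membership here
    )
    if not readable:
        return False, "mode %o, owner %d, group %d is not readable by uid %d" % (
            perm, file_uid, file_gid, proc_uid)

    return True, "mode %o, owner %d, group %d accepted" % (perm, file_uid, file_gid)


def check_keyfile(path: str) -> Tuple[bool, str]:
    """Apply keyfile_policy to a real file as the current process (Unix only)."""
    st = os.stat(path)
    gids = set(os.getgroups()) | {os.getegid()}
    return keyfile_policy(st.st_uid, st.st_gid, st.st_mode, os.geteuid(), gids)


if __name__ == "__main__":
    # Constructed cases: the server runs as uid/gid 1000 (the 'tim' of the report).
    SERVER_UID, SERVER_GIDS = 1000, {1000}
    cases = {
        "root:tim 0440 (the report's failing case)": (0, 1000, 0o440),
        "root:tim 0040": (0, 1000, 0o040),
        "root:tim 0640": (0, 1000, 0o640),
        "tim:tim 0400": (1000, 1000, 0o400),
        "root:tim 0444 (world-readable)": (0, 1000, 0o444),
        "root:tim 0460 (group-writable)": (0, 1000, 0o460),
        "root:root 0440 (server not in group)": (0, 0, 0o440),
        "other:tim 0440 (third-party owner)": (1001, 1000, 0o440),
        "root:tim 0400 (server cannot read)": (0, 1000, 0o400),
    }
    for label, (uid, gid, mode) in cases.items():
        ok, why = keyfile_policy(uid, gid, mode, SERVER_UID, SERVER_GIDS)
        print("%-42s %s: %s" % (label, "accept" if ok else "reject", why))
```

      Running it on a host, `check_keyfile("/path/to/keyfile")` evaluates the real file against the same rules as the process that calls it; the constructed cases show the three root-owned modes from the list above being accepted while world-readable, group-writable, third-party-owned and unreadable-by-the-server files are still rejected.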

    • Assignee:
      ibrar.ahmed Ibrar Ahmed
      tim.vaillancourt Tim Vaillancourt (Inactive)
    • Votes: 0
    • Watchers: 6
    • Original Estimate: Not Specified
    • Remaining Estimate: Not Specified
    • Time Spent: 4 days, 40 minutes (4d 40m)