mongodb runs as root user

Bug #1208430 reported by James Page
This bug affects 2 people
Affects             Status     Importance  Assigned to  Milestone
juju-core           Won't Fix  Medium      Unassigned
juju-core (Ubuntu)  Triaged    High        Unassigned

Bug Description

I noticed that the mongodb instance that juju creates runs as root; this is not great from a privilege escalation point of view - if the database is compromised by some sort of zero-day exploit in the future, then access to the database might mean root access to the server it's running on.

Tags: mongodb
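
A way to check a host for the condition this report describes, as an added example that is not part of the original report or of Juju's code: it reads `ps`-style lines and reports only processes whose executable is exactly `mongod` and whose effective UID is 0. The sample process lines, paths and the function names `root_mongod` and `scan_live` are constructed for illustration.

```shell
#!/bin/sh
# Added example: report mongod processes whose effective UID is 0 (root).
# Expected input, one process per line: "<euid> <euser> <pid> <command line>".

# Constructed sample data (not taken from a real host).
SAMPLE='    0 root      812 /usr/bin/mongod --dbpath /var/lib/example/db
  114 mongodb  1490 /usr/bin/mongod --config /etc/mongod.conf
    0 root     2001 /usr/bin/mongodump --out /backup
 1000 alice    2310 grep mongod'

# Read process lines on stdin; print "pid user command" for every process
# whose executable is exactly "mongod" and whose effective UID is 0.
root_mongod() {
    awk '
        {
            # Executable name = first word of the command line, minus its directory.
            n = split($4, parts, "/")
            exe = parts[n]
        }
        exe == "mongod" && $1 == 0 {
            cmd = $4
            for (i = 5; i <= NF; i++) cmd = cmd " " $i
            print $3, $2, cmd
        }
    '
}

# Run the same check against the live process table (Linux procps ps).
# Separate -o options with empty headers suppress the header line.
scan_live() {
    ps -e -o euid= -o euser= -o pid= -o args= | root_mongod
}

# Demonstrate on the constructed sample: only PID 812 is reported.
printf '%s\n' "$SAMPLE" | root_mongod
```

On a real host, call `scan_live`; empty output means no `mongod` process is running with root's effective UID.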
James Page (james-page)
description: updated
Changed in juju-core (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
John A Meinel (jameinel) wrote :

Note that once we avoid direct access to the state db from agents and clients, we will have the mongo port blocked off by the cloud firewall. Which does limit the effectiveness of this.

We also run jujud itself as root, but generally we have to because we do things like creating LXC containers and installing packages on the machine.

Curtis Hovey (sinzui)
Changed in juju-core:
status: New → Triaged
importance: Undecided → High
tags: added: mongodb
James Page (james-page)
Changed in juju-core (Ubuntu):
importance: Medium → High
William Reade (fwereade) wrote :

Nate, I think this is *very* closely related to what you're working on right now -- would you roll this into your pipeline please?

Changed in juju-core:
assignee: nobody → Nate Finch (natefinch)
Mark Ramm (mark-ramm)
Changed in juju-core:
milestone: none → 1.18.0
Mark Ramm (mark-ramm)
Changed in juju-core:
importance: High → Critical
John A Meinel (jameinel)
Changed in juju-core:
milestone: 1.19.0 → none
assignee: Nate Finch (natefinch) → nobody
Mark Ramm (mark-ramm) wrote :

Reducing the security implications of running MongoDB is an important thing for us to do. It's not quite critical, because nobody is asking for it directly now, and the risk is still somewhat limited. But there is a risk, and I think the general policy of treating even security -- even relatively lower risk stuff -- as important is a good habit of mind for us.

We are going to be at the center of a lot of important developments. On the other hand once you can control the MongoDB server, your opportunities for privilege escalation on hosts in that environment are probably greater in other directions.

Nate Finch (natefinch) wrote :

So, yes, this is something that should be fixed, however, if you have access to the database, you can just add data to it to tell Juju to spin up a unit on the bootstrap node that runs as root and you can then do whatever you want with it. So, while it would be better for appearances' sake to not have mongodb running as root, it doesn't actually close any security holes to a determined attacker. In addition, it's a non-trivial change, since it means we have to create a new user to run mongo as, and in theory upgrade old environments to fix them as well. My suggestion is that we leave it as high and deal with it later.

Tim Penhey (thumper) wrote :

Critical is a "stop the line" type bug. No one is being assigned to it right now, so it isn't Critical.

Changed in juju-core:
importance: Critical → High
Changed in juju-core:
importance: High → Medium
Anastasia (anastasia-macmood) wrote :

Last comments and concerns on this discussion were raised more than 2 years ago.

Changed in juju-core:
status: Triaged → Won't Fix