
Mongo URI password visible in process list on Linux #561

Open
vineelyalamarthy opened this issue Sep 13, 2022 · 6 comments

Comments

@vineelyalamarthy

vineelyalamarthy commented Sep 13, 2022

Describe the bug
The exporter tries to connect to MongoDB using the URI to get the metrics.

Here is the URI format.

mongodb://[username:password@]host1[:port1][,...hostN[:portN]][/[defaultauthdb][?options]]

When we do ps -ef we are able to see the password even though we try to render the password via an env, and this can be a security breach when we use this in a production environment.

To Reproduce
Steps to reproduce the behavior:

  1. Install MongoDB 4.2 in either replica set mode or stand-alone mode. (Though we believe the Mongo version has nothing to do with it.)
  2. Run the binary (mongodb_exporter-0.7.1.linux-amd64.tar.gz) by providing the Mongo connection URI as shown above.

Expected behavior
When we go to the terminal and run ps -ef, the password should be redacted.

Logs
Please provide logs relevant to the issue

Environment

  • Linux
  • docker, k8s (1.22)
  • Mongo DB version 4.2.
@denisok
Contributor

denisok commented Sep 13, 2022

A similar request is in #380. As a secure alternative, so far you can use a TLS connection with --web.config, which is the Prometheus TLS config file.

> Run the binary (mongodb_exporter-0.7.1.linux-amd64.tar.gz)

Version 0.7.1 is probably something very old or from a different repo; the current release is 0.34.x.

@denisok
Contributor

denisok commented Sep 14, 2022

Hm, I mixed things up: --web.config is the parameter for the exporter itself. It will not help with the connection to Mongo. So yeah, the concern is quite critical; we need to address it.

@denisok
Contributor

denisok commented Sep 14, 2022

A workaround would be to use the MONGODB_URI env var:

```go
URI string `name:"mongodb.uri" help:"MongoDB connection URI" env:"MONGODB_URI" placeholder:"mongodb://user:pass@127.0.0.1:27017/admin?ssl=true"`
```

also see #560

@denisok
Contributor

denisok commented Sep 14, 2022

To make it clear: --web-config is for the exporter itself, but you still use TLS in a connection URI: `tls=true&tlsCertificateKeyFile=Server.pem&tlsCAFile=ca.pem` in the connection string instead of a password.

@adinandan

> To make it clear: --web-config is for the exporter itself, but you still use TLS in a connection URI: `tls=true&tlsCertificateKeyFile=Server.pem&tlsCAFile=ca.pem` in the connection string instead of a password.

The issue still seems to be there when we try to pass mongo_uri as an ENV with the user and password.

@crankedguy

I post this here because the other issues mentioned are container-related (#380) or not related at all (#560) regarding the security implication. Will there be any progress on this? As correctly mentioned, this is a high security risk and should not be anywhere near production use.
Using an ENV brings nothing good if this env still has to be passed on the command line, especially if you run the process via systemd or the command line. Literally everyone on the system can read this.
If the env is only read by the application itself, then this could make sense.
The other easy solution would be to just have the executable read a configuration file that contains user:pass, or only the pass if wanted. This configuration file can easily be restricted via system permissions, as is done in many other exporters.
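The three placements discussed in this thread (the URI with its password in argv as in the original report, the MONGODB_URI environment variable from the workaround above, and a permission-restricted file as suggested in the last comment) can be compared directly on a Linux host. The script below is an added example, not code from the issue or from mongodb_exporter: it replaces the exporter with a constructed stub that only sleeps, uses a made-up URI, and the `--mongodb.uri-file` flag it passes in the file case is hypothetical (nothing on this page says the exporter has such a flag). It assumes /proc is mounted without the `hidepid` option, which is the default on most distributions.

```shell
#!/bin/sh
# Added example, not code from the issue or from mongodb_exporter: shows what
# other processes can see when the connection URI with its password is placed
# (a) in argv, (b) in the environment, (c) in a mode-0600 file named in argv.
# Assumptions: Linux with /proc mounted (and no hidepid); the exporter is
# replaced by a constructed stub script that only sleeps; the URI is made up;
# the --mongodb.uri-file flag in case (c) is hypothetical.

set -eu

SECRET_URI='mongodb://exporter:Hunter2@mongo.example.internal:27017/admin'
WORK=$(mktemp -d)
: > "$WORK/pids"
# Stop every stub we started and remove the scratch directory on exit.
trap 'kill $(cat "$WORK/pids") 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Constructed stand-in for the exporter: accepts any flags, ignores them, sleeps.
# "exit 0" after sleep keeps the shell from exec()ing sleep in place of itself.
make_stub() {
    printf '%s\n' 'sleep 30' 'exit 0' > "$WORK/exporter"
}

# argv of a running process with NUL separators replaced by spaces. This is
# the text `ps -ef` prints in its CMD column; /proc/<pid>/cmdline is
# world-readable, so every local user sees it.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Exit 0 when the secret occurs in the process's argv, 1 otherwise.
secret_in_cmdline() {
    cmdline_of "$1" | grep -qF -- "$2"
}

# Octal mode of /proc/<pid>/environ. Linux creates it 0400, so only the process
# owner (and root) can read the environment, unlike cmdline.
environ_mode() {
    stat -c '%a' "/proc/$1/environ"
}

# Each run_* starts a stub in the background, records its pid for cleanup,
# waits a second for exec() to finish, and prints the pid on stdout.
run_with_arg() {                        # (a) secret in argv
    sh "$WORK/exporter" --mongodb.uri="$SECRET_URI" >/dev/null 2>&1 &
    echo $! >> "$WORK/pids"; sleep 1; echo $!
}
run_with_env() {                        # (b) secret in environment only
    MONGODB_URI="$SECRET_URI" sh "$WORK/exporter" >/dev/null 2>&1 &
    echo $! >> "$WORK/pids"; sleep 1; echo $!
}
run_with_file() {                       # (c) secret in a 0600 file, path in argv
    (umask 077; printf '%s\n' "$SECRET_URI" > "$WORK/exporter.uri")
    sh "$WORK/exporter" --mongodb.uri-file="$WORK/exporter.uri" >/dev/null 2>&1 &
    echo $! >> "$WORK/pids"; sleep 1; echo $!
}

make_stub
for start in run_with_arg run_with_env run_with_file; do
    pid=$($start)
    if secret_in_cmdline "$pid" "$SECRET_URI"; then verdict=LEAKED; else verdict=hidden; fi
    printf '%-14s pid %s  environ mode %s\n    argv: %s\n    -> password %s in ps -ef\n' \
        "$start" "$pid" "$(environ_mode "$pid")" "$(cmdline_of "$pid")" "$verdict"
done
```

Run it as an unprivileged user and compare with `ps -ef` from a second account: only case (a) shows the password, case (b) is readable through /proc/<pid>/environ by the owner and root alone, and case (c) exposes nothing but a path to a file that only the owner can open. A prefix assignment such as `MONGODB_URI=... ./exporter` is consumed by the shell and never becomes part of the exporter's argv; what does put the literal text into a process list is wrapping it as `sh -c 'MONGODB_URI=... ./exporter'`, since the wrapping shell's own argv then carries it.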
