
Mongo URI password visible in process list on Linux

Open vineelyalamarthy opened this issue 3 years ago • 6 comments

Describe the bug: The exporter tries to connect to MongoDB using the URI to get the metrics.

Here is the URI format.

mongodb://[username:password@]host1[:port1][,...hostN[:portN]][/[defaultauthdb][?options]]

When we run ps -ef we are able to see the password, even though we try to render the password via an env var, and this can be a security breach when we use this in a production environment.

To Reproduce: Steps to reproduce the behavior:

  1. Install MongoDB 4.2 in either replica set mode or standalone mode (though we believe the Mongo version has nothing to do with it).
  2. Run the binary (mongodb_exporter-0.7.1.linux-amd64.tar.gz) by providing the Mongo connection URI as shown above.

Expected behavior: When we go to the terminal and run ps -ef, the password should be redacted.

Logs: Please provide logs relevant to the issue.

Environment

  • Linux
  • docker, k8s (1.22)
  • MongoDB version 4.2

vineelyalamarthy avatar Sep 13 '22 17:09 vineelyalamarthy

A similar request is in #380. As a secure alternative so far you can use a TLS connection with --web.config, which is the Prometheus TLS config file.

> Run the binary (mongodb_exporter-0.7.1.linux-amd64.tar.gz)

Version 0.7.1 is probably very old or from a different repo; the current release is 0.34.x.

denisok avatar Sep 13 '22 17:09 denisok

Hm, I mixed things up: --web.config is the parameter for the exporter itself. It will not help with the connection to Mongo. So yeah, the concern is quite critical; we need to address it.

denisok avatar Sep 14 '22 12:09 denisok

A workaround would be to use the MONGODB_URI env var: https://github.com/percona/mongodb_exporter/blob/ac324239e20444021f26555af5c8fb1f4d395590/main.go#L40

Also see #560.

denisok avatar Sep 14 '22 13:09 denisok
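An added example (not code from percona/mongodb_exporter or from anyone in this thread) of the distinction the workaround relies on: a URI read from the MONGODB_URI variable inside the process never enters argv, so ps -ef cannot show it, whereas a value passed through a flag does. The block resolves the URI from the variable first, flags any argv entry that embeds a password, and redacts the password before the URI is logged, which is the expected behavior the report asks for. The flag name --mongodb.uri, the REDACTED marker and the sample URIs are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"strings"
)

// Constructed example, not code from percona/mongodb_exporter or from this
// thread. MONGODB_URI is the variable the thread points at in main.go; the
// flag name --mongodb.uri, the REDACTED marker and all sample URIs are
// assumptions made for the example.

const envVar = "MONGODB_URI"

// resolveURI prefers the environment variable over the flag value so the
// password never has to appear in argv. The second result says where the
// value came from, which is worth logging at startup.
func resolveURI(flagValue string, lookupEnv func(string) (string, bool)) (uri, source string, err error) {
	if v, ok := lookupEnv(envVar); ok && v != "" {
		return v, "env", nil
	}
	if flagValue != "" {
		return flagValue, "flag", nil
	}
	return "", "", errors.New("no MongoDB URI given: set " + envVar)
}

// hasCredentials reports whether raw parses as a URI whose userinfo carries a password.
func hasCredentials(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil || u.User == nil {
		return false
	}
	_, hasPwd := u.User.Password()
	return hasPwd
}

// credentialArgs returns the indexes of argv entries that embed a password,
// accepting both "--mongodb.uri=<uri>" and a bare "<uri>" argument. Anything
// in argv is readable by every local user via ps -ef or /proc/<pid>/cmdline,
// so a process can check this at startup and warn or refuse to continue.
func credentialArgs(args []string) []int {
	var hits []int
	for i, a := range args {
		v := a
		if strings.HasPrefix(a, "-") {
			if _, after, ok := strings.Cut(a, "="); ok {
				v = after
			}
		}
		if hasCredentials(v) {
			hits = append(hits, i)
		}
	}
	return hits
}

// redactURI replaces the password with REDACTED so the URI can appear in
// logs and error messages. Username, hosts, database and query options are
// kept because they are what an operator needs when debugging a connection.
func redactURI(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "<unparseable uri>"
	}
	if u.User != nil {
		if _, ok := u.User.Password(); ok {
			u.User = url.UserPassword(u.User.Username(), "REDACTED")
		}
	}
	return u.String()
}

func main() {
	uri, src, err := resolveURI("", os.LookupEnv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if hits := credentialArgs(os.Args[1:]); len(hits) > 0 {
		fmt.Fprintf(os.Stderr, "warning: argv entries %v carry a password; pass the URI via %s instead\n", hits, envVar)
	}
	fmt.Printf("connecting to %s (URI taken from %s)\n", redactURI(uri), src)
}
```

Two caveats for anyone relying on the variable: a process's environment is still readable by the same user and by root through /proc/&lt;pid&gt;/environ, and a systemd unit that sets the variable with Environment= leaves the secret in a world-readable unit file, so the variable should come from an EnvironmentFile= with restricted permissions or from the service manager's secret mechanism.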

To make it clear: --web.config is for the exporter itself, but you still use TLS in the connection URI: tls=true&tlsCertificateKeyFile=Server.pem&tlsCAFile=ca.pem in the connection string instead of a password.

denisok avatar Sep 14 '22 16:09 denisok

The issue still seems to be there when we try to pass mongo-uri as an ENV.

> To make it clear: --web.config is for the exporter itself, but you still use TLS in the connection URI: tls=true&tlsCertificateKeyFile=Server.pem&tlsCAFile=ca.pem in the connection string instead of a password.

The issue still seems to be there when we pass mongo_uri as an ENV with the user and password.

adinandan avatar Oct 13 '22 14:10 adinandan

I post this here because the other mentioned issues are container-related (https://github.com/percona/mongodb_exporter/issues/380) or not related at all (https://github.com/percona/mongodb_exporter/pull/560) regarding the security implication. Will there be any progress on this? As correctly mentioned, this is a high security risk and should not be necessary anywhere near production use. Using an ENV brings nothing good if this env still has to be passed on the command line, especially if you run the process via systemd or the command line. Literally everyone on the system can read this. If the env is only read by the application itself, then this could make sense. The other easy solution would be to have the executable read a configuration file that contains user:pass, or only the pass if wanted. This configuration file can easily be restricted via system permissions, as is done in many other exporters.

crankedguy avatar Jul 22 '23 18:07 crankedguy