MongoDB at shared hosting: security surprises

If you have dedicated server/vps running multiple websites, or even worse, if you use a shared hosting with additional MongoDB installed, most probably you have security problems. You sleep well assuming that MongoDB authentication mechanism protects you the same way as MySql/Postgres does? Surprise!

By default mongodb’s directories and files are too permissive. Any user on the same server can just copy all your databases. Even if MongoDB isn’t accessible from the outside web (port is closed by firewall rules).

Check it yourself.

  1. Install MongoDB following official documentation.
  2. Register a new user “foobar” and login as foobar
  3. run under “foobar”:
tar czf $HOME/dump.tar.gz /var/lib/mongodb/

That’s all, you have a full copy of all DBs. If you expected “permission denied” error — welcome to the club.

The ticket about this issue exists for a couple of years and looks like nobody is in hurry to fix it or nobody considers it as a security threat. So I decided you should at least know about it.

This vulnerability especially affects web studios and freelancers who have multiple websites running on the same server under different users: any vulnerability in any of your site (even without MongoDB access like WordPress|Drupal plugin vulns) allows attacker to steal the whole DB data from your server, I mean all websites’ data that you have, not only vulnerable one’s

Shared hosting customers have even more problems — your neighbor can just read your database

The problem is even worse, I checked out many “How to install mongodb on AwesomeHostingPanel” articles and this issues was never mentioned. Also the official security documentation, instead of pointing on this, is misleading (you can find a mention about “encryption at rest”, which is not related to CE edition and only confuses)

Workarounds?

  1. If you need to run MongoDB instance on the server with other stuff, use virtualization or docker isolation
  2. Temporary you can try to fix the issue this way:
sudo chmod o-r /var/lib/mongodb

Also you should know that if you’re a good person and you have nothing to hide, you shouldn’t be worried. If someone ever tries to copy your databases I’m pretty sure he’ll have a good reason for that. Why not share? As you know in the modern world of love and trust even big companies upload their user databases to torrents pretending that was a hackers’ attack. We live at the opensource software era, why not to make the data open too?