Skip to main content

Is it so easy to hack mongodb database? [Resolved]

Is it so easy to hack mongodb database?

I created a mongodb database and added users. If I want to allow access only to these users I need to add the following parameters to the config file:

  authorization: enabled

  authenticationMechanisms: SCRAM-SHA-1

After adding those parameters to the config file, the database requires authentication.

But a hacker can simply remove the security section from the config file and access all the stored data. Am I missing something?

Question Credit: Codey
Question Reference
Asked September 10, 2019
Posted Under: Security
1 Answers

While this is true, that is true for many applications. If the attacker already has access to the file system it is far too late to worry about your database server. In unix-type operating systems, the configuration file should be accessible only as root (as it is in /etc/mongodb/mongodb.conf). If the attacker has root privileges to change that file, you're boned anyway. Alternatively, the attacker could simply copy the underlying database-files, run his own mongo database server and create his own user or use it without authentication to get to your data. To prevent this, only the user that the database runs under should have access to those files.

So the issue, in this case, isn't mongo, but the security of the whole system and the stack of controls, of which securing the configuration file is one. Authentication checking is useful only when the access is coming from outside and can't be bypassed.

credit: MechMK1
Answered September 10, 2019
Your Answer