Explore Developer Center's New Chatbot! MongoDB AI Chatbot can be accessed at the top of your navigation to answer all your MongoDB questions.

Join us at AWS re:Invent 2024! Learn how to use MongoDB for AI use cases.
MongoDB Developer
MongoDB
plus
Sign in to follow topics
MongoDB Developer Centerchevron-right
Developer Topicschevron-right
Productschevron-right
MongoDBchevron-right

Procedure to Allow Non-Root Users to Stop/Start/Restart "mongod" Process

Ella Shurhavetsky, Nuno Costa3 min read • Published Jan 27, 2022 • Updated May 16, 2022
MongoDBBash
Facebook Icontwitter iconlinkedin icon
Rate this tutorial
star-empty
star-empty
star-empty
star-empty
star-empty

Introduction

Systems' security plays a fundamental role in today's modern applications. It is very important to restrict non-authorized users' access to root capabilities. With this blog post, we intend to document how to avoid jeopardizing root system resources, but allow authorized, non-root users, to perform administrative operations on mongod processes such as starting or stopping the daemon.
The methodology is easily extensible to other administrative operations such as preventing non-authorized users from modifying mongod audit logs.
Use this procedure for Linux based systems to allow users with restricted permissions to stop/start/restart mongod processes. These users are set up under a non-root Linux group. Further, the Linux group of these users is different from the Linux user group under which the mongod process runs.

Considerations

WARNING: The procedure requires root access for the setup. Incorrect settings can lead to an unresponsive system, so always test on a development environment before implementing in production. Ensure you have a current backup of your data.
It's recommended to perform this procedure while setting up a new system. If it is not possible, perform the procedure during the maintenance window.
The settings will impact only one local system, thus in case of replica set or a sharded cluster perform the procedure in a rolling matter and never change all nodes at once.

Tested Linux flavors

  • CentOS 6|7
  • RHEL 6|7
  • Ubuntu 18.04
  • Amazon Linux 2
Disclaimer: For other Linux distributions the procedure should work in a similar way however, only the above versions were tested while writing this article.

Procedure

  • Add the user with limited permissions (replace testuser with your user):
1$ adduser testuser
2$ groupadd testgroup
  • Install MongoDB Community | Enterprise following our recommended procedures.
  • Edit the MongoDB configuration file /etc/mongod.conf permissions:
1$ sudo chown mongod:mongod /etc/mongod.conf
2$ sudo chmod 600 /etc/mongod.conf
3$ ls -l /etc/mongod.conf
4-rw-------. 1 mongod mongod 330 Feb 27 18:43 /etc/mongod.conf
With this configuration, only the mongod user (and root) will have permissions to access and edit the mongod.conf file. No other user will be allowed to read/write and have access to its content.

Systems running with systemd

This procedure works for CentOS 7 and RHEL 7.
  • Add the following configuration lines to the sudoers file with visudo:
1%mongod ALL =(ALL) NOPASSWD: /bin/systemctl start mongod.service, /bin/systemctl stop mongod.service, /bin/systemctl restart mongod.service
2%testuser ALL =(ALL) NOPASSWD: /bin/systemctl start mongod.service, /bin/systemctl stop mongod.service, /bin/systemctl restart mongod.service
Note: The root user account may become non-functional if a syntax error is introduced in the sudoers file.

Systems running with System V Init

This procedure works for CentOS 6, RHEL 6, Amazon Linux 2 and Ubuntu 18.04.
  • MongoDB init.d-mongod script is available on our repository here in case manual download is required (make sure you save it in the /etc/init.d/ directory with permissions set to 755).
  • Add the following configuration lines to the sudoers file with visudo:
For CentOS 6, RHEL 6 and Amazon Linux 2:
1%mongod ALL =(ALL) NOPASSWD: /sbin/service mongod start, /sbin/service mongod stop, /sbin/service mongod restart
2%testuser ALL =(ALL) NOPASSWD: /sbin/service mongod start, /sbin/service mongod stop, /sbin/service mongod restart
For Ubuntu 18.04:
1%mongod ALL =(ALL) NOPASSWD: /usr/sbin/service mongod start, /usr/sbin/service mongod stop, /usr/sbin/service mongod restart
2%testuser ALL =(ALL) NOPASSWD: /usr/sbin/service mongod start, /usr/sbin/service mongod stop, /usr/sbin/service mongod restart
Note: The root may become non-functional if a syntax error is introduced in the sudoers file.

Testing procedure

Systems running with systemd (systemctl service)

So with these settings testuser has no permissions to read /etc/mongod.conf but can start and stop the mongod service:
1[testuser@localhost ~]$ sudo /bin/systemctl start mongod.service
2[testuser@localhost ~]$ sudo /bin/systemctl stop mongod.service
3[testuser@localhost ~]$ vi /etc/mongod.conf
4"/etc/mongod.conf" [Permission Denied]
5[testuser@localhost ~]$ sudo vi /etc/mongod.conf
6"/etc/mongod.conf" [Permission Denied]
Note: The authorization is given when using the /bin/systemctl command. With this procedure, the sudo systemctl start mongod will prompt the sudo password for the testuser.

Systems running with System V Init

Use sudo service mongod [start|stop|restart]:
1[testuser@localhost ~]$ sudo service mongod start
2Starting mongod: [ OK ]
3[testuser@localhost ~]$ sudo service mongod stop
4Stopping mongod: [ OK ]
5[testuser@localhost ~]$ vi /etc/mongod.conf
6"/etc/mongod.conf" [Permission Denied]
7[testuser@localhost ~]$ sudo vi /etc/mongod.conf
8[sudo] password for testuser:
9Sorry, user testuser is not allowed to execute '/bin/vi /etc/mongod.conf' as root on localhost.
Note: Additionally, test restarting other services with the testuser with (and without) the required permissions.

Wrap Up

It is one of the critical security requirements, not to give unauthorized users full root privileges. With that requirement in mind, it is important for system administrators to know that it is possible to give access to actions like restart/stop/start for a mongod process (or any other process) without giving root privileges, using Linux systems capabilities.
If you have questions, please head to our developer community website where the MongoDB engineers and the MongoDB community will help you build your next big idea with MongoDB.

Facebook Icontwitter iconlinkedin icon
Rate this tutorial
star-empty
star-empty
star-empty
star-empty
star-empty
Related
Tutorial

How To Use The MongoDB Visual Studio Code Plugin


May 31, 2022 | 11 min read
Tutorial

Subscribe to MongoDB Change Streams Via WebSockets


Sep 23, 2022 | 3 min read
Tutorial

Client-Side Field Level Encryption (CSFLE) in MongoDB with Golang


Feb 03, 2023 | 15 min read
Quickstart

Quick Start: BSON Data Types - Date


Sep 23, 2022 | 2 min read
Table of Contents
  • Introduction