Procedure to Allow Non-Root Users to Stop/Start/Restart "mongod" Process
Rate this tutorial
Systems' security plays a fundamental role in today's modern
applications. It is very important to restrict non-authorized users'
access to root capabilities. With this blog post, we intend to document
how to avoid jeopardizing root system resources, but allow authorized,
non-root users, to perform administrative operations on
mongod
processes such as starting or stopping the daemon.The methodology is easily extensible to other administrative operations
such as preventing non-authorized users from modifying
mongod
audit
logs.Use this procedure for Linux based systems to allow users with
restricted permissions to stop/start/restart
mongod
processes. These
users are set up under a non-root Linux group. Further, the Linux group
of these users is different from the Linux user group under which the
mongod
process runs.WARNING: The procedure requires root access for the setup. Incorrect
settings can lead to an unresponsive system, so always test on a
development environment before implementing in production. Ensure you
have a current backup of your data.
It's recommended to perform this procedure while setting up a new
system. If it is not possible, perform the procedure during the
maintenance window.
The settings will impact only one local system, thus in case of replica
set or a sharded cluster perform the procedure in a rolling matter and
never change all nodes at once.
- CentOS 6|7
- RHEL 6|7
- Ubuntu 18.04
- Amazon Linux 2
Disclaimer: For other Linux distributions the procedure should work in a
similar way however, only the above versions were tested while writing
this article.
- Add the user with limited permissions (replace testuser with your user):
1 $ adduser testuser 2 $ groupadd testgroup
- Edit the MongoDB configuration file
/etc/mongod.conf
permissions:
1 $ sudo chown mongod:mongod /etc/mongod.conf 2 $ sudo chmod 600 /etc/mongod.conf 3 $ ls -l /etc/mongod.conf 4 -rw-------. 1 mongod mongod 330 Feb 27 18:43 /etc/mongod.conf
With this configuration, only the mongod user (and root) will have
permissions to access and edit the
mongod.conf
file. No other user
will be allowed to read/write and have access to its content.This procedure works for CentOS 7 and RHEL 7.
1 %mongod ALL =(ALL) NOPASSWD: /bin/systemctl start mongod.service, /bin/systemctl stop mongod.service, /bin/systemctl restart mongod.service 2 %testuser ALL =(ALL) NOPASSWD: /bin/systemctl start mongod.service, /bin/systemctl stop mongod.service, /bin/systemctl restart mongod.service
Note: The root user account may become non-functional if a syntax error
is introduced in the sudoers file.
This procedure works for CentOS 6, RHEL 6, Amazon Linux 2 and Ubuntu
18.04.
- MongoDB init.d-mongod script is available on our repository here in case manual download is required (make sure you save it in the /etc/init.d/ directory with permissions set to 755).
For CentOS 6, RHEL 6 and Amazon Linux 2:
1 %mongod ALL =(ALL) NOPASSWD: /sbin/service mongod start, /sbin/service mongod stop, /sbin/service mongod restart 2 %testuser ALL =(ALL) NOPASSWD: /sbin/service mongod start, /sbin/service mongod stop, /sbin/service mongod restart
For Ubuntu 18.04:
1 %mongod ALL =(ALL) NOPASSWD: /usr/sbin/service mongod start, /usr/sbin/service mongod stop, /usr/sbin/service mongod restart 2 %testuser ALL =(ALL) NOPASSWD: /usr/sbin/service mongod start, /usr/sbin/service mongod stop, /usr/sbin/service mongod restart
Note: The root may become non-functional if a syntax error is introduced
in the sudoers file.
So with these settings testuser has no permissions to read
/etc/mongod.conf but can start and stop the mongod service:
1 [testuser@localhost ~]$ sudo /bin/systemctl start mongod.service 2 [testuser@localhost ~]$ sudo /bin/systemctl stop mongod.service 3 [testuser@localhost ~]$ vi /etc/mongod.conf 4 "/etc/mongod.conf" [Permission Denied] 5 [testuser@localhost ~]$ sudo vi /etc/mongod.conf 6 "/etc/mongod.conf" [Permission Denied]
Note: The authorization is given when using the
/bin/systemctl
command. With this procedure, the sudo systemctl start mongod
will
prompt the sudo password for the testuser.Use sudo service mongod [start|stop|restart]:
1 [testuser@localhost ~]$ sudo service mongod start 2 Starting mongod: [ OK ] 3 [testuser@localhost ~]$ sudo service mongod stop 4 Stopping mongod: [ OK ] 5 [testuser@localhost ~]$ vi /etc/mongod.conf 6 "/etc/mongod.conf" [Permission Denied] 7 [testuser@localhost ~]$ sudo vi /etc/mongod.conf 8 [sudo] password for testuser: 9 Sorry, user testuser is not allowed to execute '/bin/vi /etc/mongod.conf' as root on localhost.
Note: Additionally, test restarting other services with the testuser
with (and without) the required permissions.
It is one of the critical security requirements, not to give
unauthorized users full root privileges. With that requirement in mind,
it is important for system administrators to know that it is possible to
give access to actions like restart/stop/start for a
mongod
process
(or any other process) without giving root privileges, using Linux
systems capabilities.If you have questions, please head to our developer community
website where the MongoDB engineers and
the MongoDB community will help you build your next big idea with
MongoDB.