Default UNIX permissions of Mongodb files in the hard drive

Question

I noticed that the files in the data/ directory, hosting the databases and collections, are the r permission for others.

So basically, anyone can read the data! Isn't it strange, or is it something I'm missing?

I found no solution to change this behavior in the mondodb configuration (ubuntu 18.04). When you search mongodb file permissions, you will find threads about user permissions inside the database.

Thank you!

Answer 1

When you launch mongod you need to specify a path to the data directory, and this directory must already exist.

You can set the permissions on this directory to deny world-read access by running:

chmod o-rwx /path/to/data/dir

Normally this would be done prior to the first start of mongod.

Once this is done, none of the files in the data directory will be world-readable regardless of their individual permissions.

MongoDB does not need to have a provision to do this because it never creates the data directory.

A different way of accomplishing similar end result is to use umask, but changing permissions on data directory generally would be more reliable.

Answer 2

Im going to assume you're using WiredTiger, the default storage engine for mongo. Either way, the same concept applies.

You'll see the .wt files (the ones you're talking about), although readable by permission, are not very readable to the eye. Try look for yourself with less <example>.wt.

They're stored in a specific format, with compression and some encryption. Realistically, they shouldn't be able to be retrieved from outside of your server - and your users in the server should trusted, or given limited access to the locations of these files.

In short, if you apply the proper policies, and keep your actual database and server secure, then this is normal and expected. I hope this makes sense.