SERVER-22829 Strip group and other permissions on startup unless overridden

1 files changed, 21 insertions, 0 deletions

diff --git a/src/mongo/db/initialize_server_global_state.cpp b/src/mongo/db/initialize_server_global_state.cpp
index c6c02cbb665..a5afba668b7 100644
--- a/src/mongo/db/initialize_server_global_state.cpp
+++ b/src/mongo/db/initialize_server_global_state.cpp
@@ -38,6 +38,7 @@
 #include <signal.h>
 
 #ifndef _WIN32
+#include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <syslog.h>
@@ -51,6 +52,7 @@
 #include "mongo/db/auth/internal_user_auth.h"
 #include "mongo/db/auth/security_key.h"
 #include "mongo/db/server_options.h"
+#include "mongo/db/server_parameters.h"
 #include "mongo/logger/console_appender.h"
 #include "mongo/logger/logger.h"
 #include "mongo/logger/message_event.h"
@@ -336,6 +338,25 @@ MONGO_INITIALIZER(RegisterShortCircuitExitHandler)(InitializerContext*) {
     return Status::OK();
 }
 
+// On non-windows platforms, drop rwx for group and other unless the
+// user has opted into using the system umask. To do so, we first read
+// out the current umask (by temporarily setting it to
+// no-permissions), and then or the returned umask with the
+// restrictions we want to apply and set it back. The overall effect
+// is to set the bits for 'other' and 'group', but leave umask bits
+// bits for 'user' unaltered.
+#ifndef _WIN32
+namespace {
+MONGO_EXPORT_STARTUP_SERVER_PARAMETER(honorSystemUmask, bool, false);
+MONGO_INITIALIZER(MungeUmask)(InitializerContext*) {
+    if (!honorSystemUmask) {
+        umask(umask(S_IRWXU | S_IRWXG | S_IRWXO) | S_IRWXG | S_IRWXO);
+    }
+    return Status::OK();
+}
+}  // namespace
+#endif
+
 bool initializeServerGlobalState() {
     Listener::globalTicketHolder.resize(serverGlobalParams.maxConns).transitional_ignore();