Security issue, listening public incoming connections by default

[GenaANTG]

Guys, please explain me some moments about a mongodb configuration file.

There we have moving a mongodb config:
https://github.com/docker-library/mongo/blob/master/4.2/Dockerfile#L98

There we have a CMD directive:
https://github.com/docker-library/mongo/blob/master/4.2/Dockerfile#L108

And this block, with arguments checking:
https://github.com/docker-library/mongo/blob/master/4.2/docker-entrypoint.sh#L346-L356

Are you really run naked mongodb instance? You are moving mongodb config away, but don't use this config.

We have running staging mongodb instance. And this instance was hacked after some hours after project running :D Because mongodb by default is running with those params: mongod --bind_ip_all.

By default everyone can connect to a public mongodb instance. I suppose, that better way is using the mongodb config by default with a local interface binding. What do you think?

[yosifkit]

There we have moving a mongodb config:

The config file is moved so that users don't assume that mongod will use it by default (it won't, it needs to be passed via --config).

Binding a service in a container to localhost is useless for most users, since then other containers (even on the same host) cannot connect. The only way to reasonably have other containers connect is to default to --bind_ip_all. Of course, the entrypoint is written so that you can override our bind_ip_all by passing in your own --bind_ip via flags or in a config file.

Also, containers are not available outside the Docker host unless you specifically add a published port -p on docker run. So I'd recommend that you either not publish your MongoDB instance to the world, or add authentication if you need to have a publicly exposed port.

$ # safe
$ docker run -d mongo:4.2

$  # not safe if host is publicly accessible
$ docker run -d -p 27017:27017 mongo:4.2

$ # also safe (assuming the password is good)
$ # this will create a superuser on `--authenticationDatabase admin`
$ # any other users would need to be created manually or via `/docker-entrypoint-initdb.d/*.[sh,js]`
$ docker run -d -p 27017:27017 \
  -e MONGO_INITDB_ROOT_USERNAME=mongoadmin \
  -e MONGO_INITDB_ROOT_PASSWORD=secret \
  mongo:4.2

[GenaANTG]

Thanks you for an explanation!

[godmar]

@yosifkit

Please consider warning about this explicitly at https://hub.docker.com/_/mongo

By this, I mean that:

• mongodb in your container image doesn't have a password set up
• listens on all interfaces
• when mapped with the standard -p hostport:containerport will expose a passwordless database to the Internet.

Really, why is there not a big warning on your Docker hub page?