Permission denied to read file owned by user

J

5

7

I'm trying to restart (it is running) MongoDB on Ubuntu 14.04 but keep getting failures with this line in the log error getting file /srv/mongodb/keyfile: Permission denied

Here's directory structure

drwxr-xr-x  3 root    root     4096 Jan 31 05:54 srv/
drw-------  2 mongodb mongodb  4096 Jan 31 07:07 mongodb/
-rw-------  1 mongodb mongodb  876  Jan 31 07:07 keyfile

The user running mongod is "mongodb", group "mongodb" so it should be available for reading.

If I change permissions on mongodb/ and keyfile to -rw-r--r-- it becomes readable, but mongo claims it's too permissive of course

Going cookoo with this thing already. Any suggestion what's wrong here?

Jeana answered 31/1, 2015 at 12:23 Comment(0)

F

16

I've had the same problem before, and the solution I found and was not documented had to do with the context. If you are in Linux try:

ls -lahZ

That will display in list, all files, sizes in human readable and Z for contexts, I noticed that the keyFile must have "system_u:object_r:mongod_var_lib_t:s0" context, so it gets fixed with:

chcon system_u:object_r:mongod_var_lib_t:s0 mongodb-keyfile

Hope that helps!!

Fancie answered 20/5, 2015 at 1:1 Comment(7)

This was it! Can you please explain what the chcon cmd is adding to the keyfile permissions? – Stalagmite 7/2, 2017 at 19:37

It's a SELinux issue, the context determines which files or folders have which permissions according to type, additional to the user and group permissions, more info here: access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/… – Fancie 7/2, 2017 at 20:52

The keyfile was scp from primary host, and it had -r--------. mongod mongod unconfined_u:object_r:user_home_t:s0 keyfile. I used the chcon method you suggested and solved the issue. – Menes 7/4, 2017 at 16:18

The first step i must set mongodb-keyfile is own of mongod. – Nicotiana 5/6, 2017 at 10:58

I tried to SCP all files under dbpath from replica set primary in order to recover a stale secondary. I had to run chcon -R system_u:object_r:mongod_var_lib_t:s0 /var/lib/mongo and also chown -R mongod:mongod /var/lib/mongo to get the green light on service mongod start – Ruppert 20/3, 2018 at 4:9

@Fancie I just realised that I downvoted this one few weeks ago but this was not my intention. I cannot remove the vote anymore until you edit. Sorry for that. – Chengteh 5/2, 2022 at 10:21

@Fancie how do you know what the context should be?? I'm running into a similar issue related to /var/log/mongo/mongod.log, but I don't know where to look for the SELinux context! – Metritis 18/7 at 18:51

C

8

I got the mongod service working by changing the owner of the key file to mongod

sudo chown mongod:mongod mongodb.key

the mongod process owner is mongod which tries to access the file

Chaparral answered 5/12, 2018 at 15:18 Comment(2)

As you can see, the original post already had the right owner and permissions, that's why the top answer was not working for you, it asumed those were already in place. – Fancie 12/12, 2018 at 20:32

For me it was sudo chown mongod /etc/ssl/mongo.pem because mongodb automatically creates a new user mongod to run the server – Steels 2/4, 2020 at 22:43

A

4

In addition to read and write permission for a directory, usually you must have an execute permission as well (more info at http://en.wikipedia.org/wiki/File_system_permissions#Permissions). So, you have to set the following permissions:

chmod 700 /srv/mongodb/
chmod 600 /srv/mongodb/keyfile

Apiculate answered 1/2, 2015 at 12:0 Comment(1)

Mongo key file does not require for you to have execution permissions it's only the context that is wrong in this specific case. – Fancie 12/12, 2018 at 20:34

J

2

Since none of the answers here solved my problem, and I had the same problem exactly, I'll try to post what worked for me.

My solution:

Stop Mongo
Edit mongod.conf and temproraily comment out the attribute keyFile: /path/to/key
Start Mongo
sudo chown mongod </path/to/key>
sudo chmod 400 </path/to/key>
Remove comment from KeyFile attribute in mongod.conf
Restart Mongo

Hope this helps

Jolo answered 6/2, 2018 at 13:26 Comment(1)

As you can see, the original post already had the right owner and permissions, that's why the top answer was not working for you, it asumed those were already in place. – Fancie 12/12, 2018 at 20:32

S

2

As I wrote in this post, the comment was right, mongo needs permissions not only in the keyfile, but in the directory:

I have just moved my keyfile from my home user /home/user/keyfile to a directory where mongodb is owner: /var/lib/mongodb/keyfile. Also remember keyfile must have 400 permissions and be owner and group of mongodb: chmod 400 keyfile chwon mongodb:mongodb keyfile

Shalondashalt answered 13/10, 2023 at 3:2 Comment(0)

Recommended topics

Hot tags