Hello, After reading this article[1] on how many totally unsecured mongodb installations there are on the internet, I noticed a recent (and worrying) change in the defaults on Fedora's mongodb package. In January, the Fedora rawhide package for mongo[2] was changed to listen on all interfaces by default, but I haven't been able to find any information about why it was changed. To help protect users, I think the default should be changed back to localhost only. Operators can change this setting post-install if needed, hopefully after assessing how risky it is to have an open-world database. This change could probably be reverted safely as-is, since (I hope) nobody is running production mongo clusters on rawhide. Debian and Ubuntu have mongodb set to (by default) only listen on localhost[3], which is sane and normal for a database that does *no authentication of any kind* by default. The same has been true of MongoDB Inc.'s[4] example config since approximately 2013[5]. [1]: http://thehackernews.com/2015/02/mongodb-database-hacking.html [2]: http://pkgs.fedoraproject.org/cgit/mongodb.git/tree/mongodb.conf?id=be37804b64d9a9b8e8f305d5a89a9c477deac619 [3]: http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/utopic/mongodb/utopic/view/head:/debian/mongodb.conf [4]: https://github.com/mongodb/mongo/blob/master/rpm/mongod.conf [5]: https://github.com/mongodb/mongo/commit/f8699f77f90ff9b24d23729644ee7cd7ed0e9600 -- Ryan Brown / Software Engineer, Openstack / Red Hat, Inc. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
