Uploaded image for project: 'MongoDB Shell'
  1. MongoDB Shell
  2. MONGOSH-1298

Upon connection, mongosh runs commands that require authentication, even when authentication was not requested

    XMLWordPrintable

Details

    • Bug
    • Status: Needs Triage
    • Minor - P4
    • Resolution: Unresolved
    • None
    • None
    • Connectivity

    Description

      Problem Statement/Rationale

      mongosh, when invoked with a connection but not authentication, runs several commands that require authentication as part of its initial connection sequence. These commands cause authorization failures that can be logged in the audit log. These can raise security concerns.

      Steps to Reproduce

      Create a local mongod with auth enabled. Here we used 6.0.1 but it is not dependent on the mongod release. Enable auditing.

      Terminal session:

      [ec2-user@ip-10-0-1-198 repros]$ mongosh
      Current Mongosh Log ID:	6324e9ed23329d796894cbc8
      Connecting to:		mongodb://127.0.0.1:27017/?directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+1.5.4
      Using MongoDB:		6.0.1
      Using Mongosh:		1.5.4
       
      For mongosh info see: https://docs.mongodb.com/mongodb-shell/
       
      Warning: Found ~/.mongorc.js, but not ~/.mongoshrc.js. ~/.mongorc.js will not be loaded.
        You may want to copy or rename ~/.mongorc.js to ~/.mongoshrc.js.
      Enterprise test>exit
      [ec2-user@ip-10-0-1-198 repros]$
      

      Expected Results

      The audit log has no "authcheck" messages related to this mongosh invocation, because mongosh does not try to run commands that require authentication when the session is not authenticated.

      Actual Results

      The audit log says:

      { "atype" : "clientMetadata", "ts" : { "$date" : "2022-09-16T21:26:05.543+00:00" }, "uuid" : { "$binary" : "jlVNi17wSveArDV3W51aTQ==", "$type" : "04" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 54162 }, "users" : [], "roles" : [], "param" : { "localEndpoint" : { "ip" : "127.0.0.1", "port" : 27017 }, "clientMetadata" : { "driver" : { "name" : "nodejs|mongosh", "version" : "4.8.1" }, "os" : { "type" : "Linux", "name" : "linux", "architecture" : "x64", "version" : "4.14.285-215.501.amzn2.x86_64" }, "platform" : "Node.js v16.16.0, LE (unified)", "version" : "4.8.1|1.5.4", "application" : { "name" : "mongosh 1.5.4" } } }, "result" : 0 }
      { "atype" : "authCheck", "ts" : { "$date" : "2022-09-16T21:26:05.547+00:00" }, "uuid" : { "$binary" : "HWZsnQnTRji0NpLl2oX19Q==", "$type" : "04" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 54148 }, "users" : [], "roles" : [], "param" : { "command" : "getParameter", "ns" : "admin" }, "result" : 13 }
      { "atype" : "authCheck", "ts" : { "$date" : "2022-09-16T21:26:05.548+00:00" }, "uuid" : { "$binary" : "jlVNi17wSveArDV3W51aTQ==", "$type" : "04" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 54162 }, "users" : [], "roles" : [], "param" : { "command" : "getCmdLineOpts", "ns" : "admin" }, "result" : 13 }
      { "atype" : "clientMetadata", "ts" : { "$date" : "2022-09-16T21:26:05.548+00:00" }, "uuid" : { "$binary" : "DE4NKxltTHuvV+fdGdBiIw==", "$type" : "04" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 54166 }, "users" : [], "roles" : [], "param" : { "localEndpoint" : { "ip" : "127.0.0.1", "port" : 27017 }, "clientMetadata" : { "driver" : { "name" : "nodejs|mongosh", "version" : "4.8.1" }, "os" : { "type" : "Linux", "name" : "linux", "architecture" : "x64", "version" : "4.14.285-215.501.amzn2.x86_64" }, "platform" : "Node.js v16.16.0, LE (unified)", "version" : "4.8.1|1.5.4", "application" : { "name" : "mongosh 1.5.4" } } }, "result" : 0 }
      { "atype" : "authCheck", "ts" : { "$date" : "2022-09-16T21:26:05.643+00:00" }, "uuid" : { "$binary" : "jlVNi17wSveArDV3W51aTQ==", "$type" : "04" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 54162 }, "users" : [], "roles" : [], "param" : { "command" : "getLog", "ns" : "admin" }, "result" : 13 }
      { "atype" : "authCheck", "ts" : { "$date" : "2022-09-16T21:26:05.643+00:00" }, "uuid" : { "$binary" : "HWZsnQnTRji0NpLl2oX19Q==", "$type" : "04" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 54148 }, "users" : [], "roles" : [], "param" : { "command" : "getFreeMonitoringStatus", "ns" : "admin" }, "result" : 13 }
      { "atype" : "clientMetadata", "ts" : { "$date" : "2022-09-16T21:26:16.045+00:00" }, "uuid" : { "$binary" : "gghQpnwNS6aS1z/zBzd2kw==", "$type" : "04" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 38572 }, "users" : [], "roles" : [], "param" : { "localEndpoint" : { "ip" : "127.0.0.1", "port" : 27017 }, "clientMetadata" : { "driver" : { "name" : "nodejs|mongosh", "version" : "4.8.1" }, "os" : { "type" : "Linux", "name" : "linux", "architecture" : "x64", "version" : "4.14.285-215.501.amzn2.x86_64" }, "platform" : "Node.js v16.16.0, LE (unified)", "version" : "4.8.1|1.5.4", "application" : { "name" : "mongosh 1.5.4" } } }, "result" : 0 }
      

      Note that the "getParameter", "getCmdLineOpts", getLog", and "getFreeMonitoringStatus" commands are run by mongosh and rejected as unauthorized, because the session is not authenticated.

      Attachments

        Activity

          People

            Unassigned Unassigned
            spencer.brown@mongodb.com Spencer Brown
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated: