Uploaded image for project: 'MongoDB Shell'
  1. MongoDB Shell
  2. MONGOSH-1298

Upon connection, mongosh runs commands that require authentication, even when authentication was not requested

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Unresolved
    • Priority: Icon: Minor - P4 Minor - P4
    • None
    • Affects Version/s: None
    • Component/s: Connectivity
    • None

      Problem Statement/Rationale

      mongosh, when invoked with a connection but not authentication, runs several commands that require authentication as part of its initial connection sequence. These commands cause authorization failures that can be logged in the audit log. These can raise security concerns.

      Steps to Reproduce

      Create a local mongod with auth enabled. Here we used 6.0.1 but it is not dependent on the mongod release. Enable auditing.

      Terminal session:

      [ec2-user@ip-10-0-1-198 repros]$ mongosh
Current Mongosh Log ID:	6324e9ed23329d796894cbc8
Connecting to:		mongodb://127.0.0.1:27017/?directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+1.5.4
Using MongoDB:		6.0.1
Using Mongosh:		1.5.4

For mongosh info see: https://docs.mongodb.com/mongodb-shell/

Warning: Found ~/.mongorc.js, but not ~/.mongoshrc.js. ~/.mongorc.js will not be loaded.
  You may want to copy or rename ~/.mongorc.js to ~/.mongoshrc.js.
Enterprise test>exit
[ec2-user@ip-10-0-1-198 repros]$

      Expected Results

      The audit log has no "authcheck" messages related to this mongosh invocation, because mongosh does not try to run commands that require authentication when the session is not authenticated.

      Actual Results

      The audit log says:

      { "atype" : "clientMetadata", "ts" : { "$date" : "2022-09-16T21:26:05.543+00:00" }, "uuid" : { "$binary" : "jlVNi17wSveArDV3W51aTQ==", "$type" : "04" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 54162 }, "users" : [], "roles" : [], "param" : { "localEndpoint" : { "ip" : "127.0.0.1", "port" : 27017 }, "clientMetadata" : { "driver" : { "name" : "nodejs|mongosh", "version" : "4.8.1" }, "os" : { "type" : "Linux", "name" : "linux", "architecture" : "x64", "version" : "4.14.285-215.501.amzn2.x86_64" }, "platform" : "Node.js v16.16.0, LE (unified)", "version" : "4.8.1|1.5.4", "application" : { "name" : "mongosh 1.5.4" } } }, "result" : 0 }
{ "atype" : "authCheck", "ts" : { "$date" : "2022-09-16T21:26:05.547+00:00" }, "uuid" : { "$binary" : "HWZsnQnTRji0NpLl2oX19Q==", "$type" : "04" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 54148 }, "users" : [], "roles" : [], "param" : { "command" : "getParameter", "ns" : "admin" }, "result" : 13 }
{ "atype" : "authCheck", "ts" : { "$date" : "2022-09-16T21:26:05.548+00:00" }, "uuid" : { "$binary" : "jlVNi17wSveArDV3W51aTQ==", "$type" : "04" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 54162 }, "users" : [], "roles" : [], "param" : { "command" : "getCmdLineOpts", "ns" : "admin" }, "result" : 13 }
{ "atype" : "clientMetadata", "ts" : { "$date" : "2022-09-16T21:26:05.548+00:00" }, "uuid" : { "$binary" : "DE4NKxltTHuvV+fdGdBiIw==", "$type" : "04" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 54166 }, "users" : [], "roles" : [], "param" : { "localEndpoint" : { "ip" : "127.0.0.1", "port" : 27017 }, "clientMetadata" : { "driver" : { "name" : "nodejs|mongosh", "version" : "4.8.1" }, "os" : { "type" : "Linux", "name" : "linux", "architecture" : "x64", "version" : "4.14.285-215.501.amzn2.x86_64" }, "platform" : "Node.js v16.16.0, LE (unified)", "version" : "4.8.1|1.5.4", "application" : { "name" : "mongosh 1.5.4" } } }, "result" : 0 }
{ "atype" : "authCheck", "ts" : { "$date" : "2022-09-16T21:26:05.643+00:00" }, "uuid" : { "$binary" : "jlVNi17wSveArDV3W51aTQ==", "$type" : "04" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 54162 }, "users" : [], "roles" : [], "param" : { "command" : "getLog", "ns" : "admin" }, "result" : 13 }
{ "atype" : "authCheck", "ts" : { "$date" : "2022-09-16T21:26:05.643+00:00" }, "uuid" : { "$binary" : "HWZsnQnTRji0NpLl2oX19Q==", "$type" : "04" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 54148 }, "users" : [], "roles" : [], "param" : { "command" : "getFreeMonitoringStatus", "ns" : "admin" }, "result" : 13 }
{ "atype" : "clientMetadata", "ts" : { "$date" : "2022-09-16T21:26:16.045+00:00" }, "uuid" : { "$binary" : "gghQpnwNS6aS1z/zBzd2kw==", "$type" : "04" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 38572 }, "users" : [], "roles" : [], "param" : { "localEndpoint" : { "ip" : "127.0.0.1", "port" : 27017 }, "clientMetadata" : { "driver" : { "name" : "nodejs|mongosh", "version" : "4.8.1" }, "os" : { "type" : "Linux", "name" : "linux", "architecture" : "x64", "version" : "4.14.285-215.501.amzn2.x86_64" }, "platform" : "Node.js v16.16.0, LE (unified)", "version" : "4.8.1|1.5.4", "application" : { "name" : "mongosh 1.5.4" } } }, "result" : 0 }

      Note that the "getParameter", "getCmdLineOpts", getLog", and "getFreeMonitoringStatus" commands are run by mongosh and rejected as unauthorized, because the session is not authenticated.

            Assignee:
            Unassigned Unassigned
            Reporter:
            spencer.brown@mongodb.com Spencer Brown
            Votes:
            1 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated: