Type: Bug
Resolution: Done
Priority: Major - P3
Affects Version/s: 2.4.3
Component/s: Security
Environment: Ubuntu 10.04
I have users 'mampakha' and 'gor' (please refer to the output of db.system.users.find() in the mongo shell interaction below for privilege details) on the 'admin' database.
I initiate a mongo shell for user 'mampakha', authenticating against the 'test' database but connecting to the 'admin' database.
Now, on this same shell, I authenticate as user 'gor' using db.auth('gor', 'gor'). This user 'gor' has just the 'read' privilege on the 'admin' database.
Now I execute db.himal.insert( ) (where himal is a collection on the 'admin' database) and it executes successfully. This should not have been allowed, as 'gor' has just the 'read' privilege on the 'admin' database.
Could you please investigate this issue?
ravi@ravi-laptop:~$ mongo --port 27021 --authenticationDatabase test -u mampakha -p mampakha admin
MongoDB shell version: 2.4.3
connecting to: 127.0.0.1:27021/admin
> db
admin
> rs.status()
> db.system.users.find()
{ "_id" : ObjectId("519b70680662676664e559ba"), "pwd" : "f339ed38b24579da0ede4155f512f5cb", "roles" : [ "userAdminAnyDatabase", "clusterAdmin", "dbAdminAnyDatabase", "readWriteAnyDatabase" ], "user" : "pakhandi" }
{ "_id" : ObjectId("51c96e1484ae4576ab5cc36b"), "user" : "maloom", "pwd" : "05185521272a43524855f972b57b27b3", "roles" : [ "readWrite" ] }
{ "_id" : ObjectId("51c96a1384ae4576ab5cc360"), "otherDBRoles" : { "resto" : [ "readWrite" ] }, "roles" : [ "userAdmin", "read", "readWrite" ], "user" : "mampakha", "userSource" : "test" }
{ "_id" : ObjectId("51cec37684ae2f40a8ef6a9b"), "user" : "gor", "pwd" : "f5faa32210f2c4c281f375b0299069f2", "roles" : [ "read" ] }
> db.auth('gor', 'gor')
1
> db.himal.insert(
) //this should have failed
>
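
The session above, replayed against a simplified model as an added example (not part of the original report and not MongoDB's code). It assumes that a 2.4 connection keeps one authenticated principal per authentication database and grants the union of their roles; Connection, rolesOnAdmin, effectiveAdminRoles and canInsertOnAdmin are hypothetical names.

```javascript
// Constructed from the admin.system.users documents shown in the report
// (_id and password hashes omitted; they play no part in role resolution).
const adminUsers = [
  { user: "mampakha", userSource: "test", roles: ["userAdmin", "read", "readWrite"],
    otherDBRoles: { resto: ["readWrite"] } },
  { user: "gor", roles: ["read"] },
];

// Roles that, in this model, permit insert on the database they are granted on.
const WRITE_ROLES = new Set(["readWrite", "readWriteAnyDatabase"]);

// Hypothetical model of a connection: one principal per authentication database.
class Connection {
  constructor() { this.principals = new Map(); }            // authDb -> user name
  auth(authDb, user) { this.principals.set(authDb, user); } // same authDb replaces
  logout(authDb) { this.principals.delete(authDb); }
}

// Roles a principal holds on admin: the document must match the user name and
// the database the credentials came from (userSource, or admin itself).
function rolesOnAdmin(authDb, user) {
  return adminUsers
    .filter((d) => d.user === user && (d.userSource || "admin") === authDb)
    .flatMap((d) => d.roles);
}

// Assumption: effective roles are the union over every principal still logged in.
function effectiveAdminRoles(conn) {
  const roles = new Set();
  for (const [authDb, user] of conn.principals)
    rolesOnAdmin(authDb, user).forEach((r) => roles.add(r));
  return [...roles].sort();
}

function canInsertOnAdmin(conn) {
  return effectiveAdminRoles(conn).some((r) => WRITE_ROLES.has(r));
}

// Replay of the session in the report.
function replay() {
  const conn = new Connection();
  conn.auth("test", "mampakha");        // mongo --authenticationDatabase test -u mampakha
  conn.auth("admin", "gor");            // db.auth('gor', 'gor') while on admin
  const both = canInsertOnAdmin(conn);  // mampakha's readWrite still applies
  conn.logout("test");                  // drop the first principal
  return { both, gorOnly: canInsertOnAdmin(conn), roles: effectiveAdminRoles(conn) };
}
console.log(replay());
```

In the mongo shell, the step modelled by conn.logout("test") is db.getSiblingDB('test').logout(); opening a separate connection as 'gor' alone has the same effect.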