  1. Core Server
  2. SERVER-11063

users with roles readAnyDatabase or readWriteAnyDatabase should not be authorized to run the listDatabases command

    • Type: Bug
    • Resolution: Done
    • Priority: Minor - P4
    • None
    • Affects Version/s: None
    • Component/s: None
    • Labels:
    • Minor Change
    • ALL
    • Steps to reproduce:
      1. db.auth as a user with readAnyDatabase or readWriteAnyDatabase roles
      2. db.runCommand({listDatabases: 1})

      Expected result: command fails with "unauthorized"
      Actual result: command works


      In v2.4.6, only users with the role clusterAdmin are permitted to run the listDatabases command. In recent builds (I am running against githash 19cd20cbceccfb21fd4338a2a8d5e3ad1738581d), users without the clusterAdmin role can run listDatabases if they have either the readAnyDatabase or readWriteAnyDatabase roles.

      The desired behavior is that from v2.4.6: readAnyDatabase or readWriteAnyDatabase should NOT provide listDatabases permission.

            Assignee: Unassigned
            Reporter: David Storch (david.storch@mongodb.com)
            Votes: 0
            Watchers: 2
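The reproduction steps in the ticket can be turned into a repeatable authorization regression check. The script below is an added example, not code from the ticket or from the MongoDB project; it assumes an auth-enabled test server and two pre-created test users (the names `ticketReadAny` and `ticketReadWriteAny` and the password are constructed) holding only the roles named in the ticket.

```javascript
// Added example: regression check for the behaviour described in this ticket.
// Intended for the mongo shell; account names and passwords are constructed.

// adminDb: handle to the "admin" database exposing the shell methods
// auth(user, pwd), runCommand(doc) and logout().
// Returns {user, authenticated, allowed, errmsg}.
function probeListDatabases(adminDb, user, pwd) {
    var result = { user: user, authenticated: false, allowed: false, errmsg: null };
    try {
        result.authenticated = Boolean(adminDb.auth(user, pwd));
    } catch (e) {
        result.errmsg = String(e.message || e);
    }
    if (!result.authenticated) {
        result.errmsg = result.errmsg || "authentication failed";
        return result;                       // inconclusive, not a pass
    }
    try {
        var res = adminDb.runCommand({ listDatabases: 1 });
        result.allowed = Boolean(res && res.ok);
        if (!result.allowed) { result.errmsg = (res && res.errmsg) || null; }
    } catch (e) {
        result.errmsg = String(e.message || e);
    } finally {
        adminDb.logout();                    // do not leak the session into the next probe
    }
    return result;
}

// Returns the users that could run listDatabases although the ticket says they must not.
function findViolations(adminDb, accounts) {
    var violations = [];
    for (var i = 0; i < accounts.length; i++) {
        var r = probeListDatabases(adminDb, accounts[i].user, accounts[i].pwd);
        if (!r.authenticated) {
            throw new Error("cannot test " + accounts[i].user + ": " + r.errmsg);
        }
        if (r.allowed) { violations.push(r.user); }
    }
    return violations;
}

if (typeof db !== "undefined") {             // only when run inside the mongo shell
    var bad = findViolations(db.getSiblingDB("admin"), [
        { user: "ticketReadAny", pwd: "constructed-pw" },       // role: readAnyDatabase
        { user: "ticketReadWriteAny", pwd: "constructed-pw" }   // role: readWriteAnyDatabase
    ]);
    print(bad.length ? "FAIL, listDatabases allowed for: " + bad.join(", ") : "PASS");
}
```

An authentication failure is reported as an error rather than a pass, so a misconfigured test account cannot mask the regression.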