[SERVER-12276] Don't allow non-admin users to have privileges outside of their db - MongoDB

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major - P3
Resolution: Works as Designed
Affects Version/s: None
Fix Version/s: None
Component/s: Security
Labels:
- 26qa

Operating System:
ALL

Description

Noticed the following inconsistency while testing 2.6 user-defined roles.

When logged in as a user with userAdminAnyDatabase, it's not possible to create a role in a non-admin database that has privileges outside of that database (good). However, it is possible to create a user in a non-admin database that has privileges outside of that database (see below). This struck me as a little inconsistent. Is there a reason for this? Should it be fixed?

> use admin

switched to db admin

> db.auth("jon","password")

> use foo

switched to db foo

> db.createRole({role:"readinany", privileges:[{resource:{db:"", collection:""}, actions:["find"]}], roles:[]})

2013-12-03T17:56:48.579+0000 Error: Roles on the 'foo' database cannot be granted privileges that target other databases

 or the cluster at src/mongo/shell/db.js:1294

> db.createUser({user:"bob",pwd:"password",roles:[{role:"readWrite", db:"bar"}]})

Successfully added user: {

        "user" : "bob",

        "roles" : [

                        "role" : "readWrite",

                        "db" : "bar"

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Jon Rangel

Participants:: Andy Schwerin, Jon Rangel

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: Jan 07 2014 06:09:09 PM UTC

Updated:: Dec 10 2014 11:10:21 PM UTC

Resolved:: Jan 07 2014 10:31:52 PM UTC