Core Server

SERVER-12713: Redact db.changeUserPassword() from shell command history

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Trivial - P5
    • Affects Version/s: 2.4.9
    • Component/s: Security, Shell
    • Labels: None

      [root@localhost ~]# mongo admin -u thisguy -p oldpassword --port 27001
      MongoDB shell version: 2.4.9
      connecting to: 127.0.0.1:27001/admin
      testset2:PRIMARY> db.changeUserPassword("thisguy", "newpassword")
      testset2:PRIMARY> exit
      bye
      [root@localhost ~]# mongo admin -u thisguy -p newpassword --port 27001
      MongoDB shell version: 2.4.9
      connecting to: 127.0.0.1:27001/admin
      testset2:PRIMARY> exit
      bye

      1. Login as a different user
        [root@localhost ~]# mongo admin -u daddy -p password --port 27001
        MongoDB shell version: 2.4.9
        connecting to: 127.0.0.1:27001/admin
      2. up arrow
        testset2:PRIMARY> db.changeUserPassword("thisguy", "newpassword")

      The db.changeUserPassword() call is in the history. Any user that can connect to the mongo shell can use the up arrow to see the changed password in plain text.

      Workaround:
      Prehash the password and change it with something like the following:

      // hashedoldpassword and hashednewpassword are computed outside the mongo shell
      // (for 2.4, hex_md5("<user>:mongo:<password>")), so no plaintext enters the history.
      var hashedoldpassword = "<old hash>";
      var hashednewpassword = "<new hash>";

      db.system.users.update(
          { "pwd" : hashedoldpassword },
          { $set : { "pwd" : hashednewpassword } }
      )
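      The workaround above moves the hashing out of the shell; the script below is an added example (not code from the ticket or from MongoDB) that does that work on a machine you control and emits the update statement, so only hashes are ever typed into the mongo shell. It also scans a history file for the calls that leak plaintext, which is how you would find existing exposures. It assumes the MongoDB 2.4 MONGODB-CR credential format, pwd = hex(md5("<user>:mongo:<password>")); the function names, the added "user" guard in the update query, and SAMPLE_DBSHELL are all constructed for this illustration.

```python
"""Added example, not code from the ticket or from MongoDB: pre-hash a
MongoDB 2.4 password outside the mongo shell, and scan shell history for
password-setting calls that leaked plaintext.

Assumption: the 2.4 shell stores MONGODB-CR credentials as
pwd = hex(md5("<user>:mongo:<password>")). All function names, the guard
on "user" in the update query, and SAMPLE_DBSHELL are constructed here."""
import hashlib
import json
import re
from typing import Dict, List


def mongo_2_4_hash(user: str, password: str) -> str:
    """Credential as the 2.4 shell's _hashPassword() computes it (assumed format)."""
    return hashlib.md5(f"{user}:mongo:{password}".encode("utf-8")).hexdigest()


def rotate_password_command(user: str, old_password: str, new_password: str) -> str:
    """Build the system.users update from the ticket's workaround.

    Run this on a machine you control and paste only the returned statement
    into the mongo shell: the statement carries the two hashes, never the
    plaintext, so nothing sensitive lands in the shell history. Matching on
    "user" as well as the old hash is an added guard so a wrong old password
    updates no document.
    """
    query = json.dumps({"user": user, "pwd": mongo_2_4_hash(user, old_password)})
    update = json.dumps({"$set": {"pwd": mongo_2_4_hash(user, new_password)}})
    return f"db.system.users.update({query}, {update})"


# Legacy-shell helpers whose arguments carry a plaintext password.
PLAINTEXT_PASSWORD_CALL = re.compile(
    r"db\.(changeUserPassword|addUser)\s*\((?P<args>[^)]*)\)"
)


def find_plaintext_password_calls(history_lines: List[str]) -> List[Dict[str, object]]:
    """Return the history lines (1-based) that expose a password via up-arrow."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(history_lines, start=1):
        match = PLAINTEXT_PASSWORD_CALL.search(line)
        if match:
            hits.append({"line": lineno, "call": match.group(1), "text": line.strip()})
    return hits


# Constructed stand-in for the contents of ~/.dbshell, where the legacy
# mongo shell saves its command history.
SAMPLE_DBSHELL = [
    "show dbs",
    'db.changeUserPassword("thisguy", "newpassword")',
    "db.system.users.find()",
    rotate_password_command("thisguy", "oldpassword", "newpassword"),
]


if __name__ == "__main__":
    print(rotate_password_command("thisguy", "oldpassword", "newpassword"))
    for hit in find_plaintext_password_calls(SAMPLE_DBSHELL):
        print(f"line {hit['line']}: {hit['call']} exposes a plaintext password")
```

      To audit a real host, read ~/.dbshell into a list of lines and pass it to find_plaintext_password_calls(); any hit means the password in that line should be treated as disclosed to everyone who can run the shell as that OS user, and rotated with the hashed update rather than with another plaintext call.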

            Assignee: Unassigned
            Reporter: Jeffery Schnick (jeffery.schnick@nike.com)
            Votes: 0
            Watchers: 9