  1. Core Server
  2. SERVER-13232

resetDbpath() ignores authentication

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major - P3
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: Backlog
    • Component/s: Security, Shell
    • Labels:
    • Environment:
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL

      Description

      resetDbpath('/path') seems to be a mongo shell test function which is left enabled by default. It recursively removes the specified path (and mkdir()s a new directory with the same name).

      Since it is run in the shell, it runs without regard to authentication. If the shell user has write access (or is root) to the specified path, all files are removed. Since it's run in the shell and is not a dbcommand, no message is logged to the server.

      Note that startMongodEmpty is similarly destructive.

      Reproduce:

      mongo --eval 'resetDbpath("/data/db")'
      mongo --eval 'startMongodEmpty("--dbpath", "/data/db", "--port" , "9999")'

            People

            Assignee:
            backlog-server-stm Backlog - Server Tooling and Methods (STM)
            Reporter:
            epc Ed Costello
            Participants:
            Votes:
            0
            Watchers:
            8
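
Since the report notes that nothing is logged on the server, one place to check for these calls is process command-line records on the host. The following Python script is an added example, not part of the original report or of MongoDB's code: it flags `mongo --eval` command lines that call either helper and extracts the directory that would be wiped. The function names and the sample lines are constructed for illustration.

```python
import os
import re
import shlex

# Shell helpers named in the report; both remove files under the target path.
CALL_RE = re.compile(r"\b(resetDbpath|startMongodEmpty)\s*\(([^)]*)\)")
STRING_RE = re.compile(r"""(["'])(.*?)\1""")

def eval_script(cmdline):
    """Return the JavaScript passed to `mongo --eval`, or None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes, e.g. a truncated log line
        return None
    if not argv or os.path.basename(argv[0]) != "mongo":
        return None
    for i, arg in enumerate(argv):
        if arg == "--eval" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("--eval="):
            return arg[len("--eval="):]
    return None

def target_path(helper, args):
    """Return the literal directory the call would wipe, if one is given."""
    strings = [m.group(2) for m in STRING_RE.finditer(args)]
    if helper == "resetDbpath":
        return strings[0] if strings else None
    # startMongodEmpty takes mongod options; the path follows "--dbpath".
    if "--dbpath" in strings[:-1]:
        return strings[strings.index("--dbpath") + 1]
    return None

def find_destructive_calls(cmdlines):
    """Return (helper, path, cmdline) for every flagged invocation."""
    return [(m.group(1), target_path(*m.groups()), line)
            for line in cmdlines
            for m in CALL_RE.finditer(eval_script(line) or "")]

# Constructed sample command lines (as from exec auditing or `ps` output).
SAMPLE = [
    """mongo --eval 'resetDbpath("/data/db")'""",
    """mongo --eval 'startMongodEmpty("--dbpath", "/data/db", "--port" , "9999")'""",
    """/usr/bin/mongo --quiet --eval 'db.stats()'""",
]

if __name__ == "__main__":
    for helper, path, _ in find_destructive_calls(SAMPLE):
        print(f"{helper} would wipe {path}")
```

A path of `None` means the helper was called with a non-literal argument (for example a variable), which still warrants review.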
