Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-14194

Password logged in error message for db.system.users.insert

    XMLWordPrintableJSON

Details

    • Icon: Bug Bug
    • Resolution: Won't Fix
    • Icon: Major - P3 Major - P3
    • None
    • 2.6.1
    • Security
    • ALL
    • Hide

      1. Enable auth on mongod
      2. Mongo client
      -Create admin user
      -Authenticate with admin user
      -Insert into system.users

      Show
      1. Enable auth on mongod 2. Mongo client -Create admin user -Authenticate with admin user -Insert into system.users

    Description

      The legacy method to create users, db.system.users.insert, can fail if the user does not have the proper access. In this case the password is exposed in both the mongod log and the error message propagated to the client:

      > db.system.users.insert({user:'dbuser', pwd: 'pwd', roles: ['readWrite']});
       m27000| 2014-06-06T13:13:28.706-0400 [conn1] Unauthorized not authorized on admin to execute command { insert: "system.users", documents: [ { _id: ObjectId('5391f6b83cbc4b1dc741c821'), user: "dbuser", pwd: "pwd", roles: [ "readWrite" ] } ], ordered: true }
      WriteResult({
      	"writeError" : {
      		"code" : 13,
      		"errmsg" : "not authorized on admin to execute command { insert: \"system.users\", documents: [ { _id: ObjectId('5391f6b83cbc4b1dc741c821'), user: \"dbuser\", pwd: \"pwd\", roles: [ \"readWrite\" ] } ], ordered: true }"
      	}
      })

      Attachments

        Activity

          People

            andreas.nilsson Andreas Nilsson
            jonathan.abrahams Jonathan Abrahams
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: