  1. Core Server
  2. SERVER-14194

Password logged in error message for db.system.users.insert

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Won't Fix
    • Affects Version/s: 2.6.1
    • Fix Version/s: None
    • Component/s: Security
    • Labels:
    • Operating System:
      ALL
    • Steps To Reproduce:
      1. Enable auth on mongod
      2. Mongo client
         - Create admin user
         - Authenticate with admin user
         - Insert into system.users


      Description

      The legacy method to create users, db.system.users.insert, can fail if the user does not have the proper access. In this case the password is exposed in both the mongod log and the error message propagated to the client:

      > db.system.users.insert({user:'dbuser', pwd: 'pwd', roles: ['readWrite']});
       m27000| 2014-06-06T13:13:28.706-0400 [conn1] Unauthorized not authorized on admin to execute command { insert: "system.users", documents: [ { _id: ObjectId('5391f6b83cbc4b1dc741c821'), user: "dbuser", pwd: "pwd", roles: [ "readWrite" ] } ], ordered: true }
      WriteResult({
      	"writeError" : {
      		"code" : 13,
      		"errmsg" : "not authorized on admin to execute command { insert: \"system.users\", documents: [ { _id: ObjectId('5391f6b83cbc4b1dc741c821'), user: \"dbuser\", pwd: \"pwd\", roles: [ \"readWrite\" ] } ], ordered: true }"
      	}
      })
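
A log check for the exposure described above, added here as an example; it is not part of the original report or of MongoDB's code. It finds `Unauthorized` lines whose echoed command contains a `pwd` field, reports which account needs its password rotated, and scrubs the line. The names `scan` and `MARKER` and the last two sample lines are assumptions, and the regex assumes the 2.6 log layout shown in the report.

```python
import re

# Shape of the mongod 2.6 line shown in the report:
# <ts> [connN] Unauthorized not authorized on <db> to execute command { <cmd>: "<coll>", ... }
UNAUTH = re.compile(
    r'(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+[+-]\d{4}) \[(?P<conn>conn\d+)\] '
    r'Unauthorized not authorized on (?P<db>\S+) to execute command '
    r'\{ (?P<cmd>\w+): "(?P<coll>[^"]*)"(?P<body>.*)$')
PWD_KEY = re.compile(r'\bpwd: ')
USER = re.compile(r'\buser: "([^"]*)"')
MARKER = ', <body redacted: contained pwd> }'  # hypothetical replacement text


def scan(lines):
    """Return (findings, scrubbed_lines) for an iterable of mongod log lines."""
    findings, scrubbed = [], []
    for line in lines:
        m = UNAUTH.search(line)
        if not m or not PWD_KEY.search(m['body']):
            scrubbed.append(line)  # no echoed pwd field: keep the line as-is
            continue
        user = USER.search(m['body'])
        findings.append({
            'ts': m['ts'], 'conn': m['conn'], 'cmd': m['cmd'],
            'ns': f"{m['db']}.{m['coll']}",
            'user': user.group(1) if user else None,
        })
        # Drop the whole echoed body instead of cutting out the pwd value:
        # a password may itself contain quotes or braces, so a value-level
        # regex can stop early and leave part of the secret behind.
        scrubbed.append(line[:m.start('body')] + MARKER)
    return findings, scrubbed


# Sample input: the first line is copied from the report, the other two are constructed.
SAMPLE = [
    ' m27000| 2014-06-06T13:13:28.706-0400 [conn1] Unauthorized not authorized on admin to execute command { insert: "system.users", documents: [ { _id: ObjectId(\'5391f6b83cbc4b1dc741c821\'), user: "dbuser", pwd: "pwd", roles: [ "readWrite" ] } ], ordered: true }',
    '2014-06-06T13:14:02.101-0400 [conn2] Unauthorized not authorized on test to execute command { count: "orders", query: {} }',
    '2014-06-06T13:13:20.000-0400 [initandlisten] waiting for connections on port 27000',
]

if __name__ == '__main__':
    found, clean = scan(SAMPLE)
    for f in found:
        print('rotate credential:', f)
    print('\n'.join(clean))
```

The same text is returned to the client in `errmsg`, so application logs that record write errors need the same treatment.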
