Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Unresolved
Priority: Major - P3
Fix Version/s: None
Affects Version/s: None
Component/s: Usability
Labels:
None

Assigned Teams:

Server Security
Operating System:
ALL
Sprint:
Platforms 2017-01-23
Linked BF Score:
0
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

It appears that in 2.6, while making the system.* collections harder to work directly with things seem to have gotten perhaps a bit too overzealous.

In particular, should someone have a collection names system.users in a database other than admin, it is effectively useless, yet a source of great confusion to some.

From https://github.com/mongodb/mongo/blame/562c8cb3faff5e9fc0acdc45db8dc2d498eb2000/src/mongo/db/catalog/database.cpp#L342 it would make sense for s.isSystem() to check if it's in the admin database or not.

Repro:

make a table called system.users in any database but admin.
attempt to delete it.
fail
give yourself __system role.
still fail.

Assignee:: [DO NOT USE] Backlog - Security Team
Reporter:: Rod Adams (Inactive)
Participants:: [DO NOT USE] Backlog - Security Team, Rod Adams, Sean Hyrich, Spencer Jackson
Votes:: 8 Vote for this issue
Watchers:: 13 Start watching this issue

Created:: Aug 21 2014 10:43:52 PM UTC
Updated:: Jan 02 2026 06:39:13 PM UTC

Details

Description

Attachments

Activity

People

Dates