Core Server / SERVER-24847

Authentication on multiple databases provides collective permissions


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Works as Designed
    • Security
    • ALL

      > db.auth("admin","adminPassword")
      > show databases
      admin 0.000GB
      main db 11.843GB
      anotherdatab 9.025GB
      anotherdata1 0.008GB
      local 0.000GB
      school 0.734GB
      test 0.000GB
      > use readonlydb
      switched to db readonlydb
      > db.auth("readonlyuser","readonlypass")
      1
      > show databases
      admin 0.000GB
      maindb 11.843GB
      anotherdatab 9.025GB
      anotherdata1 0.008GB
      local 0.000GB
      school 0.734GB
      test 0.000GB


    Description

      I have two users on Mongo DB 3.2.7, a user with the root role and another user with a read-only role on the database. When I log in as root and then switch to the read-only user without exiting the shell, MongoDB allows me to run and execute root-level commands even though I am logged in as the read-only user. To reproduce the problem, do the following.

      I logged in as the user with root access using

      use admin
      db.auth("rootUser","Password")

      and ran commands like show databases and show collections; everything works fine.

      Then, without exiting the shell, I logged in as the read-only user:

      use dbabc
      db.auth("readOnlyUser","Password")

      Now logged in as this user, I can drop and list DBs and perform all other root operations. I think this is very dangerous. I tried to reproduce the problem several times and it works.

      The only time the read-only user works as expected is when I exit the shell and then log in again as the read-only user. See the execution of commands below.
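      The accumulation described in the report is visible on the connection itself: the connectionStatus command lists every user authenticated on it and the union of their roles. The mongo shell (JavaScript) helpers below are an added example, not part of the issue or of MongoDB's own code; they assume a mongod with authentication enabled, the legacy shell's `db` handle (where db.auth() returns 1 on success, as in the session above), and the user and database names from that session.

```javascript
// Added example (not from the issue or MongoDB's own code): mongo shell helpers.
// Assumes a mongod with auth enabled and the shell's `db` handle; the user and
// database names are the ones from the session in the report.
// One connection keeps a list of authenticated users, so a second db.auth()
// adds to the first user's privileges instead of replacing them.

// Users currently authenticated on this connection: [{user, db}, ...]
function authenticatedUsers(dbHandle) {
  var status = dbHandle.runCommand({ connectionStatus: 1 });
  if (status.ok !== 1) throw new Error("connectionStatus failed: " + JSON.stringify(status));
  return status.authInfo.authenticatedUsers;
}

// Same list as "db.user" strings, e.g. "readonlydb.readonlyuser".
function userNames(dbHandle) {
  return authenticatedUsers(dbHandle).map(function (u) { return u.db + "." + u.user; });
}

// Roles in effect right now: the union over every authenticated user.
function effectiveRoles(dbHandle) {
  var status = dbHandle.runCommand({ connectionStatus: 1 });
  return status.authInfo.authenticatedUserRoles.map(function (r) { return r.db + "." + r.role; });
}

// db.logout() only drops users authenticated against that one database, so
// walk every database connectionStatus reports. Returns true when nothing is left.
function logoutAll(dbHandle) {
  authenticatedUsers(dbHandle).forEach(function (u) {
    dbHandle.getSiblingDB(u.db).logout();
  });
  return authenticatedUsers(dbHandle).length === 0;
}

// Switch user without carrying the old privileges along (legacy shell: auth() returns 1).
function switchUser(dbHandle, dbName, user, password) {
  if (!logoutAll(dbHandle)) {
    throw new Error("still authenticated as: " + userNames(dbHandle).join(", "));
  }
  if (dbHandle.getSiblingDB(dbName).auth(user, password) !== 1) {
    throw new Error("auth failed for " + dbName + "." + user);
  }
  return userNames(dbHandle);
}

// Only runs inside the mongo shell, where `db` is defined.
if (typeof db !== "undefined") {
  print("authenticated users: " + userNames(db).join(", "));
  print("roles in effect:     " + effectiveRoles(db).join(", "));
}
```

      Running userNames(db) after the second db.auth() in the session above would list both admin.admin and readonlydb.readonlyuser, which is the "collective permissions" the title refers to; switchUser() is the way to get the read-only user on its own without leaving the shell.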

      People

              kelsey.schubert@mongodb.com Kelsey T Schubert
              sneceesay77 SC