Type: Bug
Resolution: Done
Priority: Major - P3
Affects Version/s: None
Component/s: Security
ALL
I have two users on MongoDB 3.2.7, a user with the root role and another user with a read-only role on the database. When I log in as root and then switch to the read-only user without exiting the shell, MongoDB allows me to run and execute root-level commands even though I am logged in as the read-only user. To reproduce the problem do the following.
I logged in as the user with root access using
use admin
db.auth("rootUser","Password")
and ran commands like show databases and show collections; everything works fine.
Then, without exiting the shell, I logged in as the read-only user:
use dbabc
db.auth("readOnlyUser","Password")
Now, logged in as this user, I can drop, list DBs and perform all other root operations. I think this is very dangerous. I tried to reproduce the problem several times and it works.
The only time the read-only user works as expected is when I exit the shell and then log in again as the read-only user. See the execution of commands below.
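The following mongo shell script is added here as a worked check and is not part of the report above or of MongoDB's own code. It repeats the same two `auth` calls on one connection and, after each step, asks the server which users and roles it currently considers authenticated on that connection (`connectionStatus`), then probes one privileged command (`listDatabases`, which a read-only role on `dbabc` does not grant) and repeats the probe after `db.logout()` on the admin database. The user names, passwords and the database name `dbabc` are taken from the report; `Password` is a placeholder, and the exact output shape is what the 3.2 `connectionStatus` command returns under the assumption that both users exist as described.

```mongo
// Added reproduction/check script for the session described in the report.
// Assumptions: users "rootUser" (admin) and "readOnlyUser" (dbabc) exist and
// "Password" is replaced with the real passwords.
var admin = db.getSiblingDB("admin");
var dbabc = db.getSiblingDB("dbabc");

// Print the users and roles the server considers authenticated on THIS connection.
function whoAmI(label) {
    var status = admin.runCommand({ connectionStatus: 1 });
    print("== " + label);
    printjson(status.authInfo.authenticatedUsers);
    printjson(status.authInfo.authenticatedUserRoles);
}

// Probe one privileged command; a read-only role on dbabc does not grant listDatabases.
function probe(label) {
    print("-- listDatabases " + label);
    printjson(admin.runCommand({ listDatabases: 1 }));
}

whoAmI("before any auth");

// Step 1: authenticate as the root user on admin (same as "use admin; db.auth(...)").
assert(admin.auth("rootUser", "Password"), "root auth failed");
whoAmI("after root auth");
probe("as root");

// Step 2: without closing the shell, authenticate as the read-only user on dbabc
// (same as "use dbabc; db.auth(...)") and check again on the same connection.
assert(dbabc.auth("readOnlyUser", "Password"), "read-only auth failed");
whoAmI("after read-only auth on the same connection");
probe("after read-only auth, root still in session");

// Step 3: log out of the admin database only, then repeat both checks.
admin.logout();
whoAmI("after admin.logout()");
probe("after admin.logout()");
```

Run it against the server with `mongo repro.js` (add `--host` if mongod is not local); the two `whoAmI` listings around the second `auth` show whether the root user is still listed as authenticated on the connection, and the `probe` output after `admin.logout()` shows what the read-only user can do once only that user remains.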