  1. Core Server
  2. SERVER-3200

Once auth'ed for admin, this is kept for the duration of the shell even after switching to another user

Details

    • Bug
    • Resolution: Done
    • Major - P3
    • None
    • 1.8.1
    • Admin
    • None
    • ALL

    Description

      Problem:
      After the user is auth'ed for the Admin DB, it appears that this authorization is kept for the duration of the shell. This allows a user that does not have access rights to admin to obtain these privileges.

      Test Case:

      /* Correctly checks for admin rights */
      MongoDB shell version: 1.8.0
      connecting to: test
      > db.auth("thetest","xxx");
      1
      > use admin
      switched to db admin
      > show collections
      Sun Jun 5 12:47:59 uncaught exception: error: {
      "$err" : "unauthorized db:admin lock type:-1 client:127.0.0.1",
      "code" : 10057
      }

      /* Incorrectly checks for admin rights */
      MongoDB shell version: 1.8.0
      connecting to: test
      > use admin
      switched to db admin
      > db.auth("theadmin","yyy");
      1
      > show collections;
      system.indexes
      system.profile
      system.users
      > use test
      switched to db test
      > db.auth("thetest","xxx");
      1
      > use admin
      switched to db admin
      > show collections;
      system.indexes
      system.profile
      system.users
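
The behaviour in the second transcript can be reproduced with a small model of per-connection login state. This is an added example, not MongoDB's code and not part of the original report: it assumes a connection keeps one login per database and treats any admin login as granting access everywhere. The `Connection` class, `replaySwitch` and the `strict` mode (a hypothetical mitigation in which a new login replaces earlier ones) are all illustrative names.

```javascript
// Constructed user table: user names and placeholder passwords from the transcript.
const USERS = {
  admin: { theadmin: "yyy" },
  test: { thetest: "xxx" },
};

class Connection {
  // strict=false models the reported behaviour; strict=true is a hypothetical mitigation.
  constructor(strict = false) {
    this.strict = strict;
    this.logins = new Map(); // database name -> authenticated user
  }

  // Returns 1 on success and 0 on failure, like db.auth() in the transcript.
  auth(db, user, password) {
    const table = USERS[db];
    const ok = table !== undefined &&
      Object.prototype.hasOwnProperty.call(table, user) &&
      table[user] === password;
    if (!ok) return 0;
    if (this.strict) this.logins.clear(); // the new identity replaces earlier ones
    this.logins.set(db, user);
    return 1;
  }

  // Assumed rule: a login on the database itself, or any admin login, grants access.
  canAccess(db) {
    return this.logins.has(db) || this.logins.has("admin");
  }
}

// Replays the second transcript: log in as theadmin, then as thetest.
function replaySwitch(strict) {
  const conn = new Connection(strict);
  conn.auth("admin", "theadmin", "yyy");
  conn.auth("test", "thetest", "xxx");
  return {
    admin: conn.canAccess("admin"),
    test: conn.canAccess("test"),
    logins: [...conn.logins.keys()],
  };
}

console.log("accumulating logins:", replaySwitch(false));
console.log("strict replacement: ", replaySwitch(true));
```

In the accumulating mode the admin login is still present after the switch to `thetest`, so the admin check passes; in the strict mode only the `test` login remains and the admin check fails.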

          People

            Unassigned
            Alvin Richards (Inactive)