Details
- Bug
- Resolution: Done
- Major - P3
- None
- 1.8.1
- None
- ALL
Description
Problem:
After a user has authenticated to the admin DB, that authorization appears to be kept for the duration of the shell session. This allows a user who does not have access rights to admin to obtain admin privileges: the admin authorization granted earlier on the same connection stays in effect after the shell re-authenticates as a non-admin user.
Test Case:
/* Correctly checks for admin rights */
MongoDB shell version: 1.8.0
connecting to: test
> db.auth("thetest","xxx");
1
> use admin
switched to db admin
> show collections
Sun Jun 5 12:47:59 uncaught exception: error: {
"$err" : "unauthorized db:admin lock type:-1 client:127.0.0.1",
"code" : 10057
}
/* Incorrectly checks for admin rights */
MongoDB shell version: 1.8.0
connecting to: test
> use admin
switched to db admin
> db.auth("theadmin","yyy");
1
> show collections;
system.indexes
system.profile
system.users
> use test
switched to db test
> db.auth("thetest","xxx");
1
> use admin
switched to db admin
> show collections;
system.indexes
system.profile
system.users
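The following is an added, simplified Python model of per-connection authentication state; it is not MongoDB's code. It replays the second transcript above with the constructed credential store and user names from the report (thetest/xxx, theadmin/yyy) and contrasts the reported behaviour, where successful authentications accumulate for the life of the connection, with one mitigation in which authenticating as a new principal drops the previous one's privileges.

```python
# Constructed credential store: database -> {user: password}. Names and
# passwords are those appearing in the report's transcript.
USERS = {
    "admin": {"theadmin": "yyy"},
    "test": {"thetest": "xxx"},
}


class Connection:
    """Models the authentication state of one shell connection."""

    def __init__(self, sticky_auth):
        # sticky_auth=True models the reported behaviour: every successful
        # auth is added to the connection and never removed.
        self.sticky_auth = sticky_auth
        self.authed = set()  # (database, user) pairs currently in effect

    def auth(self, database, user, password):
        if USERS.get(database, {}).get(user) != password:
            return 0
        if not self.sticky_auth:
            # Mitigation: a new principal replaces the previous one, so an
            # earlier, more privileged login cannot carry over.
            self.authed.clear()
        self.authed.add((database, user))
        return 1

    def is_authorized(self, database):
        # A user authenticated to admin may read any database; otherwise the
        # user must have authenticated to the database being accessed.
        return any(db in ("admin", database) for db, _ in self.authed)

    def show_collections(self, database):
        if not self.is_authorized(database):
            raise PermissionError("unauthorized db:%s" % database)
        if database == "admin":
            return ["system.indexes", "system.profile", "system.users"]
        return []


def replay_report(sticky_auth):
    """Replays the second transcript: theadmin authenticates, then thetest.
    Returns True if thetest can then list the admin collections."""
    conn = Connection(sticky_auth)
    assert conn.auth("admin", "theadmin", "yyy") == 1
    assert conn.auth("test", "thetest", "xxx") == 1
    try:
        conn.show_collections("admin")
        return True
    except PermissionError:
        return False
```

`replay_report(True)` reproduces the report (admin collections listed as thetest); `replay_report(False)` shows the mitigated connection rejecting the request.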