  1. Core Server
  2. SERVER-38545

Inconsistency between different roles when inserting to system.js with bypassDocumentValidation=true


Details

    • Bug
    • Resolution: Works as Designed
    • Major - P3
    • None
    • None
    • None
    • None
    • ALL
      1. Create two users: one with role restore, one with role readWriteAnyDatabase.
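      2. Attempt to run an insert on system.js with bypassDocumentValidation=true as each user.
      3. With auth enabled, the insert succeeds for one user and fails for the other (in the session below, the restore user succeeds and the readWriteAnyDatabase user gets an Unauthorized error).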

      > db.createUser({user: "ted", pwd: "ted", roles: [{role: "root", db: "admin"}]})
      Successfully added user: {
              "user" : "ted",
              "roles" : [
                      {
                              "role" : "root",
                              "db" : "admin"
                      }
              ]
      }
      > db.auth("ted", "ted")
      1
      > db.createUser({user: "dave", pwd: "dave", roles: [{role: "restore", db: "admin"}]})
      Successfully added user: {
              "user" : "dave",
              "roles" : [
                      {
                              "role" : "restore",
                              "db" : "admin"
                      }
              ]
      }
      > db.createUser({user: "pj", pwd: "pj", roles: [{role: "readWriteAnyDatabase", db: "admin"}]})
      Successfully added user: {
              "user" : "pj",
              "roles" : [
                      {
                              "role" : "readWriteAnyDatabase",
                              "db" : "admin"
                      }
              ]
      }
      > db.auth("dave","dave")
      1
      > use test
      switched to db test
      > db.runCommand({insert:"system.js", documents:[{_id:"func2", value:function(k){return k;}}], bypassDocumentValidation: true})
      { "n" : 1, "ok" : 1 }
      > use admin
      switched to db admin
      > db.auth("pj","pj")
      1
      > use test
      switched to db test
      > db.runCommand({insert:"system.js", documents:[{_id:"func3", value:function(k){return k;}}], bypassDocumentValidation: true})
      {
              "ok" : 0,
              "errmsg" : "not authorized on test to execute command { insert: \"system.js\", bypassDocumentValidation: true, lsid: { id: UUID(\"993eb0b0-3859-4113-9829-03cdbd30db3d\") }, $db: \"test\" }",
              "code" : 13,
              "codeName" : "Unauthorized"
      }
      
      

    • Security 2018-12-31

    Description

      Depending on the user's role, an insert into system.js with bypassDocumentValidation=true either succeeds or fails with an authorization error: the insert succeeds for a user with the restore role but fails for a user with readWrite. The reason given for closing the linked ticket (the original report and description of this bug) does not address this inconsistency.


          People

            jonathan.reams@mongodb.com Jonathan Reams
            ted.tuckman@mongodb.com Ted Tuckman