  1. Core Server
  2. SERVER-38545

Inconsistency between different roles when inserting to system.js with bypassDocumentValidation=true


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Works as Designed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Operating System:
      ALL
    • Steps To Reproduce:
      1. Create two users: one with the restore role and one with the readWriteAnyDatabase role.
      2. Run an insert on system.js with bypassDocumentValidation=true as each user.
      3. With auth enabled, the insert succeeds for the restore user and fails with an Unauthorized error for the readWriteAnyDatabase user.

      > db.createUser({user: "ted", pwd: "ted", roles: [{role: "root", db: "admin"}]})
      Successfully added user: {
              "user" : "ted",
              "roles" : [
                      {
                              "role" : "root",
                              "db" : "admin"
                      }
              ]
      }
      > db.auth("ted", "ted")
      1
      > db.createUser({user: "dave", pwd: "dave", roles: [{role: "restore", db: "admin"}]})
      Successfully added user: {
              "user" : "dave",
              "roles" : [
                      {
                              "role" : "restore",
                              "db" : "admin"
                      }
              ]
      }
      > db.createUser({user: "pj", pwd: "pj", roles: [{role: "readWriteAnyDatabase", db: "admin"}]})
      Successfully added user: {
              "user" : "pj",
              "roles" : [
                      {
                              "role" : "readWriteAnyDatabase",
                              "db" : "admin"
                      }
              ]
      }
      > db.auth("dave","dave")
      1
      > use test
      switched to db test
      > db.runCommand({insert:"system.js", documents:[{_id:"func2", value:function(k){return k;}}], bypassDocumentValidation: true})
      { "n" : 1, "ok" : 1 }
      > use admin
      switched to db admin
      > db.auth("pj","pj")
      1
      > use test
      switched to db test
      > db.runCommand({insert:"system.js", documents:[{_id:"func3", value:function(k){return k;}}], bypassDocumentValidation: true})
      {
              "ok" : 0,
              "errmsg" : "not authorized on test to execute command { insert: \"system.js\", bypassDocumentValidation: true, lsid: { id: UUID(\"993eb0b0-3859-4113-9829-03cdbd30db3d\") }, $db: \"test\" }",
              "code" : 13,
              "codeName" : "Unauthorized"
      }
      
      

    • Sprint:
      Security 2018-12-31

      Description

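      Depending on the user's role, an insert into system.js with bypassDocumentValidation=true either succeeds or fails with an authorization error: it succeeds for a user with the restore role but fails for a user with readWrite. The reason given for closing the linked ticket (the original report and description of this bug) does not address this inconsistency. Note that the failure in the reproduction is an authorization error (code 13, Unauthorized), not a validation error, so the difference appears to come from which built-in roles are granted the bypassDocumentValidation privilege rather than from document validation itself.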


              People

              Assignee:
              jonathan.reams Jonathan Reams
              Reporter:
              ted.tuckman Ted Tuckman
