[SERVER-4692] Read-only users should be denied access to system.users collection - MongoDB Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Critical - P2
Resolution: Fixed
Affects Version/s: 2.0.2
Fix Version/s: 2.1.1
Component/s: Security
Labels:
- security

Backwards Compatibility:
Minor Change
Operating System:
ALL

Description

Original Title: system.users collection placement allows offline dictionary attack for read-only users

When using authentication with mongodb, users with read-write permissions have their password hashes stored in system.users. Read-only users can read these hashes. This permits read-only users to read the password hashes of read/write users and perform an offline dictionary attack in order to escalate their privileges.

Attachments

Issue Links

is related to

SERVER-7604 On MongoS read-only users should be denied access to system.users collection

Closed

SERVER-9009 mongodump fails when run by a read-only user

Closed

TOOLS-134 Mongodump and mongoexport should skip collections they don't have read access to

Closed

related to

SERVER-6031 read only user can get write priority

Closed

Activity

People

Assignee:: Mathias Stearn

Reporter:: Nathaniel McCallum

Participants:: auto, Eliot Horowitz, Mathias Stearn, Nathaniel McCallum

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: Jan 16 2012 07:25:43 PM UTC

Updated:: Oct 30 2015 02:45:17 PM UTC

Resolved:: Mar 09 2012 12:51:44 AM UTC