Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-47429

authenticationMechanisms parameter is not validated

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor - P4
    • Resolution: Fixed
    • Affects Version/s: 4.2.3, 4.3.4
    • Fix Version/s: 4.2.7, 4.4.0-rc4, 4.7.0
    • Component/s: None
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Backport Requested:
      v4.4, v4.2
    • Sprint:
      Security 2020-04-20, Security 2020-05-04

      Description

      If I start a server with authenticationMechanisms set to the empty string it fails:

       /usr/local/m/versions/4.2/mongod --dbpath /tmp/42 --setParameter authenticationMechanisms='' --auth 
      

      However if I supply a bogus value for the mechanisms the server seems to start just fine:

       /usr/local/m/versions/4.2/mongod --dbpath /tmp/42 --setParameter authenticationMechanisms='!' --auth 
      

      It even claims to have accepted ! for the mechanisms:

      2020-04-08T22:04:45.981-0400 I  CONTROL  [initandlisten] options: { security: { authorization: "enabled" }, setParameter: { authenticationMechanisms: "!" }, storage: { dbPath: "/tmp/42" } }
      

      This becomes a more significant issue when the mechanisms are valid but not for the version of the server that is being launched. For example, the following invocation tries to start 4.2 with the aws mechanism and succeeds (subsequently failing all aws auth authentication attempts):

      /usr/local/m/versions/4.2/mongod --dbpath /tmp/42 --setParameter authenticationMechanisms=SCRAM-SHA-1,SCRAM-SHA-256,MONGODB-AWS --auth 
      
      

      As a user of the server, I would like the server to validate authenticationMechanisms parameter when it starts so that I am informed when I requested mechanisms that the server does not support, so that I can efficiently remedy the misconfiguration.

        Attachments

          Activity

            People

            Assignee:
            mark.benvenuto Mark Benvenuto
            Reporter:
            oleg.pudeyev Oleg Pudeyev
            Participants:
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: