Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-47429

authenticationMechanisms parameter is not validated

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Minor - P4
    • Resolution: Fixed
    • 4.2.3, 4.3.4
    • 4.2.7, 4.4.0-rc4, 4.7.0
    • None
    • None
    • Fully Compatible
    • ALL
    • v4.4, v4.2
    • Security 2020-04-20, Security 2020-05-04

    Description

      If I start a server with authenticationMechanisms set to the empty string it fails:

       /usr/local/m/versions/4.2/mongod --dbpath /tmp/42 --setParameter authenticationMechanisms='' --auth 
      

      However if I supply a bogus value for the mechanisms the server seems to start just fine:

       /usr/local/m/versions/4.2/mongod --dbpath /tmp/42 --setParameter authenticationMechanisms='!' --auth 
      

      It even claims to have accepted ! for the mechanisms:

      2020-04-08T22:04:45.981-0400 I  CONTROL  [initandlisten] options: { security: { authorization: "enabled" }, setParameter: { authenticationMechanisms: "!" }, storage: { dbPath: "/tmp/42" } }
      

      This becomes a more significant issue when the mechanisms are valid but not for the version of the server that is being launched. For example, the following invocation tries to start 4.2 with the aws mechanism and succeeds (subsequently failing all aws auth authentication attempts):

      /usr/local/m/versions/4.2/mongod --dbpath /tmp/42 --setParameter authenticationMechanisms=SCRAM-SHA-1,SCRAM-SHA-256,MONGODB-AWS --auth 
      
      

      As a user of the server, I would like the server to validate authenticationMechanisms parameter when it starts so that I am informed when I requested mechanisms that the server does not support, so that I can efficiently remedy the misconfiguration.

      Attachments

        Activity

          People

            mark.benvenuto@mongodb.com Mark Benvenuto
            oleg.pudeyev@mongodb.com Oleg Pudeyev (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: