Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-60370

Change the name of collection will result in wrong authorization of database collection access.

    • Type: Icon: Bug Bug
    • Resolution: Works as Designed
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: 5.0.0
    • Component/s: None
    • None
    • Environment:
      MongoDB server version: 5.0
      CentOS Linux release 7.6.1810 (Core)
    • ALL
    • Hide

      As dbOwner of database1:

      1.
      use database1
      db.t1.insertMany([
       

      { name: 't1', email: '[t1table@example.com|mailto:t1table@example.com]' }

      ,
       

      { name: 'lexas', email: '[lexas@example.com|mailto:lexas@example.com]' }

      ])

      db.t2.insertMany([
       

      { name: 't2', email: '[t2table@example.com|mailto:t2table@example.com]' }

      ,
       

      { name: 'linsay', email: '[linsay@example.com|mailto:linsay@example.com]' }

      ])

      db.createRole(
         {
           role: "t1Read",
           privileges: [
             

      {          resource: \{ db: "database1", collection: "t1" }

      , actions: [ "find"]
             }
           ],
           roles: []
         }
      )

      db.createRole(
         {
           role: "t2Read",
           privileges: [
             

      {          resource: \{ db: "database1", collection: "t2" }

      , actions: [ "find"]
             }
           ],
           roles: []
         }
      )

      db.createUser(

      {    user:"usr1",    pwd:"123456",    roles:[\{role:"t1Read",db:"database1"}

      ]
      })

      db.createUser(

      {    user:"usr2",    pwd:"123456",    roles:[\{role:"t2Read",db:"database1"}

      ]
      })

      2.
      Login as usr1:
      test> use database1
      switched to db database1
      database1> db.t1.find({})
      [
       

      {     _id: ObjectId("6155864d0133ab8df9f21ceb"),     name: 't1',     email: '[t1table@example.com|mailto:t1table@example.com]'   }

      ,
       

      {     _id: ObjectId("6155864d0133ab8df9f21cec"),     name: 'lexas',     email: '[lexas@example.com|mailto:lexas@example.com]'   }

      ]
      database1> db.t2.find({})
      MongoServerError: not authorized on database1 to execute command { find: "t2", filter: {}, lsid: { id: UUID("a4aad0fe-9183-45af-a240-713c79eba1cc") }, $db: "database1" }

      3.
      As dbOwner of database1:
      use database1
      database1> db.t1.renameCollection('t3');
      database1> db.t2.renameCollection('t1');
      database1> db.t3.renameCollection('t2');

      4.Login as usr1:
      database1> db.t1.find({})
      [
       

      {     _id: ObjectId("615586580133ab8df9f21ced"),     name: 't2',     email: '[t2table@example.com|mailto:t2table@example.com]'   }

      ,
       

      {     _id: ObjectId("615586580133ab8df9f21cee"),     name: 'linsay',     email: '[linsay@example.com|mailto:linsay@example.com]'   }

      ]
      database1> db.t2.find({})
      MongoServerError: not authorized on database1 to execute command { find: "t2", filter: {}, lsid: { id: UUID("a4aad0fe-9183-45af-a240-713c79eba1cc") }, $db: "database1" }

      As you can see, after renaming the collections, usr1 actually get the data from the collection t2, which he's not supposed to be able to read.

      Show
      As dbOwner of database1: 1. use database1 db.t1.insertMany([   { name: 't1', email: '[t1table@example.com|mailto:t1table@example.com]' } ,   { name: 'lexas', email: '[lexas@example.com|mailto:lexas@example.com]' } ]) db.t2.insertMany([   { name: 't2', email: '[t2table@example.com|mailto:t2table@example.com]' } ,   { name: 'linsay', email: '[linsay@example.com|mailto:linsay@example.com]' } ]) db.createRole(    {      role: "t1Read",      privileges: [         {          resource: \{ db: "database1", collection: "t1" } , actions: [ "find"]        }      ],      roles: []    } ) db.createRole(    {      role: "t2Read",      privileges: [         {          resource: \{ db: "database1", collection: "t2" } , actions: [ "find"]        }      ],      roles: []    } ) db.createUser( {    user:"usr1",    pwd:"123456",    roles:[\{role:"t1Read",db:"database1"} ] }) db.createUser( {    user:"usr2",    pwd:"123456",    roles:[\{role:"t2Read",db:"database1"} ] }) 2. Login as usr1: test> use database1 switched to db database1 database1> db.t1.find({}) [   {     _id: ObjectId("6155864d0133ab8df9f21ceb"),     name: 't1',     email: '[t1table@example.com|mailto:t1table@example.com]'   } ,   {     _id: ObjectId("6155864d0133ab8df9f21cec"),     name: 'lexas',     email: '[lexas@example.com|mailto:lexas@example.com]'   } ] database1> db.t2.find({}) MongoServerError: not authorized on database1 to execute command { find: "t2", filter: {}, lsid: { id: UUID("a4aad0fe-9183-45af-a240-713c79eba1cc") }, $db: "database1" } 3. As dbOwner of database1: use database1 database1> db.t1.renameCollection('t3'); database1> db.t2.renameCollection('t1'); database1> db.t3.renameCollection('t2'); 4.Login as usr1: database1> db.t1.find({}) [   {     _id: ObjectId("615586580133ab8df9f21ced"),     name: 't2',     email: '[t2table@example.com|mailto:t2table@example.com]'   } ,   {     _id: ObjectId("615586580133ab8df9f21cee"),     name: 'linsay',     email: '[linsay@example.com|mailto:linsay@example.com]'   } ] database1> db.t2.find({}) MongoServerError: not authorized on database1 to execute command { find: "t2", filter: {}, lsid: { id: UUID("a4aad0fe-9183-45af-a240-713c79eba1cc") }, $db: "database1" } As you can see, after renaming the collections, usr1 actually get the data from the collection t2, which he's not supposed to be able to read.

      I would like to report a security issue on mongoDB privilege and role management.
      When the database administrator changes a collection's name, the role's privilege relevant to corresponding collection doesn't reflect the change and gives users ability to get the data from collections they are not supposed to read.

       

      Company name: BEIJING DBSEC TECHNOLOGY CO., LTD.
      Personal name: Eddie Zhu
      Web site: www.dbsec.cn

            Assignee:
            edwin.zhou@mongodb.com Edwin Zhou
            Reporter:
            zhuqiangtj@gmail.com Zhu Eddie
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: