Core Server / SERVER-8286

getLastError replicatedTo leaks admin information to non-admin user


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • Version: 2.3.2
    • Components: Replication, Security
    • Operating System: ALL

    Description

      In the process of creating tests for SERVER-4073 I created a user who had access only to the test database, not auth access. This user is not allowed to run the rs.status() command. However, via a write followed by getlasterror he can access information about what replica nodes there are and their addresses.

      > rs.status()
      { "ok" : 0, "errmsg" : "unauthorized" }
      > db.c1.insert({}); db.runCommand({getlasterror:1, w:9, wtimeout:5000})
      {
      	"n" : 0,
      	"lastOp" : {
      		"t" : 1358901189000,
      		"i" : 1
      	},
      	"connectionId" : 13,
      	"wtimeout" : true,
      	"waited" : 5000,
      	"replicatedTo" : [
      		"10.5.1.168"
      	],
      	"err" : "timeout",
      	"ok" : 1
      }
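The probe in the report, packaged as a small audit harness so a tester can confirm whether a deployment discloses member addresses to a user who is denied rs.status(). This is an added example, not code from the ticket or from MongoDB; the fake replica set in it is constructed to answer the way the 2.3.2 server above did, and the pymongo bindings mentioned in the docstring are an assumption about the reader's driver setup.

```python
"""Offline reproduction harness for the getLastError 'replicatedTo' leak in
SERVER-8286. Added example, not code from the ticket or from MongoDB; the fake
replica set below is constructed to answer the way the ticket's 2.3.2 server did.

`insert_doc` and `run_command` are injected so the probe runs offline. Against a
live deployment you would supply driver calls made as the low-privilege user
(with pymongo, roughly `lambda: db.c1.insert_one({})` and
`lambda cmd: db.command(cmd)`; those bindings are an assumption about your
driver, not part of this example).
"""
from typing import Any, Callable, Dict, List

Command = Dict[str, Any]
Reply = Dict[str, Any]


def probe_replicated_to(insert_doc: Callable[[], None],
                        run_command: Callable[[Command], Reply],
                        w: int = 9, wtimeout_ms: int = 5000) -> List[str]:
    """Repeat the ticket's sequence: a throwaway write the user is allowed to
    make, then getlasterror with a `w` the set cannot satisfy so the call
    times out. Return whatever hosts the reply discloses in `replicatedTo`."""
    insert_doc()
    reply = run_command({"getlasterror": 1, "w": w, "wtimeout": wtimeout_ms})
    # A server that does not include `replicatedTo` leaks nothing here.
    return [str(host) for host in reply.get("replicatedTo", [])]


def audit_member_leak(insert_doc: Callable[[], None],
                      run_command: Callable[[Command], Reply]) -> Dict[str, Any]:
    """Decide whether the connected user learns member addresses they are not
    entitled to: replSetGetStatus (what rs.status() runs) is denied, yet the
    write-concern timeout reply still names hosts."""
    status = run_command({"replSetGetStatus": 1})
    status_denied = status.get("ok") != 1
    leaked = probe_replicated_to(insert_doc, run_command)
    return {
        "rs_status_denied": status_denied,
        "hosts_from_getlasterror": leaked,
        "leaks_member_hosts": status_denied and bool(leaked),
    }


def make_fake_replset(member_hosts: List[str],
                      may_view_status: bool = False) -> Callable[[Command], Reply]:
    """Constructed stand-in for a replica-set primary. It denies
    replSetGetStatus to an unauthorized user and, like the server in the
    ticket, answers an unsatisfiable `w` with a timeout reply listing the
    members that acknowledged the write (assumed here to be every member)."""
    def run(cmd: Command) -> Reply:
        if "replSetGetStatus" in cmd:
            if not may_view_status:
                return {"ok": 0, "errmsg": "unauthorized"}
            return {"ok": 1, "members": [{"name": h} for h in member_hosts]}
        if "getlasterror" in cmd:
            w = cmd.get("w", 1)
            if isinstance(w, int) and w > len(member_hosts):
                return {"n": 0, "wtimeout": True, "waited": cmd.get("wtimeout", 0),
                        "replicatedTo": list(member_hosts),
                        "err": "timeout", "ok": 1}
            return {"n": 0, "err": None, "ok": 1}
        return {"ok": 0, "errmsg": "no such cmd"}
    return run


if __name__ == "__main__":
    fake = make_fake_replset(["10.5.1.168"])
    print(audit_member_leak(lambda: None, fake))
```

Run it against a real deployment by swapping the fake for driver calls authenticated as the restricted user; `leaks_member_hosts` is true exactly when rs.status() is refused but the timed-out getlasterror reply still names hosts, which is the condition the report describes.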

      People

        Assignee: Unassigned
        Reporter: Asya Kamsky