Core Server / SERVER-8540

Unauthorized users allowed to read system.profile collection

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • Fix Version/s: 2.4.0-rc1
    • Affects Version/s: 2.4.0-rc0
    • Component/s: Security
    • Labels: None
    • Environment: ALL

      To reproduce (mongo shell):

      adminDb = db.getSiblingDB("admin")
      testDb = db.getSiblingDB("testdb")
      adminDb.addUser({user:'admin',pwd:'password',roles:['userAdminAnyDatabase','dbAdminAnyDatabase', 'readWriteAnyDatabase']})
      adminDb.auth('admin','password')
      testDb.addUser({user:'readUser',pwd:'password',roles:['read']})   // read-only role on testdb
      testDb.setProfilingLevel(2)   // level 2 records all operations into testdb.system.profile
      adminDb.logout()
      testDb.auth('readUser','password')
      testDb.system.profile.find() // succeeds, but a read-only user should be denied here

      Culprit in AuthorizationManager::_modifyPrivilegeForSpecialCases: the collection name is misspelled ("system.profle"), so this special case never matches and the read role's find privilege on system.profile is left untouched:

              } else if (collectionName == "system.profle" && newActions.contains(ActionType::find)) {
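Added example, not MongoDB's own code: a small C++ model of that special-case branch, where the branch body's effect (dropping `find`) and the list of known system collections are assumptions, showing that with the misspelled literal the read role keeps `find` on system.profile, plus a name check that would have flagged the dead literal.

```cpp
// Added example (not MongoDB's code): a small model of the special-case
// privilege filter quoted in the report. The real body of that branch is
// not on the page; here it is assumed to strip `find` from the privilege.
#include <iostream>
#include <set>
#include <string>
#include <vector>

enum class ActionType { find, insert, update, remove };
using ActionSet = std::set<ActionType>;
const std::string kBuggyLiteral = "system.profle";   // spelling from the report
const std::string kFixedLiteral = "system.profile";
// Collections the server special-cases (assumed list for this example).
const std::vector<std::string> kKnownSystemCollections = {
    "system.users", "system.indexes", "system.profile", "system.namespaces"};

// Model of _modifyPrivilegeForSpecialCases: `profileLiteral` is the string the
// branch compares against, so the buggy and fixed spellings can be tried.
ActionSet modifyPrivilegeForSpecialCases(const std::string& collectionName,
                                         ActionSet actions,
                                         const std::string& profileLiteral) {
    if (collectionName == profileLiteral && actions.count(ActionType::find)) {
        actions.erase(ActionType::find);  // assumed effect of the special case
    }
    return actions;
}

// Would a user holding only the read role's `find` still be able to query
// `collectionName` once the special cases are applied?
bool readRoleCanFind(const std::string& collectionName,
                     const std::string& profileLiteral) {
    ActionSet readRole = {ActionType::find};
    return modifyPrivilegeForSpecialCases(collectionName, readRole, profileLiteral)
               .count(ActionType::find) > 0;
}

// Consistency check that would have caught the typo: a literal naming no real
// system collection can never match, so its special case is dead code.
bool literalNamesKnownCollection(const std::string& literal) {
    for (const std::string& name : kKnownSystemCollections)
        if (name == literal) return true;
    return false;
}

int main() {
    std::cout << readRoleCanFind("system.profile", kBuggyLiteral) << ' '   // 1
              << readRoleCanFind("system.profile", kFixedLiteral) << ' '   // 0
              << literalNamesKnownCollection(kBuggyLiteral) << '\n';       // 0
}
```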

            Assignee: Spencer Brody (Inactive) <spencer@mongodb.com>
            Reporter: J Rassi (rassi)
            Votes: 0
            Watchers: 2