Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Duplicate
Priority: Major - P3
Fix Version/s: None
Affects Version/s: 2.2.4, 2.4.3
Component/s: Security, Usability
Labels:
None
Environment:
standalone MongoDB 2.4.3 Windows 2008R2+ build on Windows 7

Operating System:
ALL
Steps To Reproduce:
Hide

Start mongod with --auth. From the shell

use admin db.addUser("admin","admin") db.auth("admin","admin") use rt db.addUser("rt","rt") use admin db.logout() use rt db.auth("rt","rt") db.foo.insert({bar:1})

If you now run

db.runCommand({renameCollection:"rt.foo", to:"rt.bar"})

it fails with

{ "ok" : 0, "errmsg" : "access denied; use admin db" }

if you now do

use admin db.runCommand({renameCollection:"rt.foo", to:"rt.bar"}

the rename succeed even without authenticating using admin credentials.
Show
Start mongod with --auth. From the shell use admin db.addUser( "admin" , "admin" ) db.auth( "admin" , "admin" ) use rt db.addUser( "rt" , "rt" ) use admin db.logout() use rt db.auth( "rt" , "rt" ) db.foo.insert({bar:1}) If you now run db.runCommand({renameCollection: "rt.foo" , to: "rt.bar" }) it fails with { "ok" : 0, "errmsg" : "access denied; use admin db" } if you now do use admin db.runCommand({renameCollection: "rt.foo" , to: "rt.bar" } the rename succeed even without authenticating using admin credentials.

renameCollection is an admin only command. When auth is turned on you can rename a collection within the same db even without authentication using the admin user credentials.

duplicates

SERVER-11085 renameCollection must be run on the admin database on mongod but can be run on any database through mongos

Closed

Assignee:: Spencer Brody (Inactive)

Reporter:: Sridhar Nanjundeswaran

Participants:: Spencer Brody, Sridhar Nanjundeswaran

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: Apr 25 2013 08:28:35 PM UTC

Updated:: Dec 10 2014 11:07:10 PM UTC

Resolved:: Oct 25 2013 07:37:07 PM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates