[SERVER-12036] db.createUser not filtered from ctrl+r history search Created: 11/Dec/13  Updated: 13/Jan/14  Resolved: 06/Jan/14

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.5.4
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: John Morales Assignee: Andreas Nilsson
Resolution: Cannot Reproduce Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

OS X 10.8.4
MongoDB 2.5.4 community edition


Operating System: ALL
Steps To Reproduce:

1.) Start up 2.5.4 with a --keyFile /path/to/key.file
2.) use admin
3.) db.createUser({user:"[user]",pwd:"[pw]", roles:[

{role:"root",db:"admin"}

]})
4.) ctrl-d (logout)
5.) shell in again
6.) [ctrl+r] -> 'create'

Participants:

 Description   

While testing the clusterMonitor permission, I noticed the mongo shell was not filtering out my prior db.createUser(...) command.

[john@John-Morales-MacBook-Pro mongodb-osx-x86_64-2.5.4]$ ./bin/mongo --port 55000
MongoDB shell version: 2.5.4
connecting to: 127.0.0.1:55000/test
Error while trying to show server startup warnings: not authorized on admin to execute command { getLog: "startupWarnings" }
(reverse-i-search)`create': db.createUser({user:"[user]",pwd:"[pw]", roles:[{role:"root",db:"admin"}]})



 Comments   
Comment by John Morales [ 06/Jan/14 ]

Drat, my mistake.

I searched back through my console history, and what happened is I had incorrectly shell'ed into my 2.5.4 mongod using an older 2.4.8 mongo shell that was currently on my $PATH. And because it was 2.4.8, db.createUser wasn't filtered from my history (and of course the command failed, which I forgot about). Later on when I shelled into 2.5.4 server using the actual 2.5.4 mongo shell and performed another db.createUser(), the command appeared in my history search, leading me to believe it wasn't filtered.

Generated at Thu Feb 08 03:27:25 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.