[SERVER-12276] Don't allow non-admin users to have privileges outside of their db Created: 07/Jan/14  Updated: 10/Dec/14  Resolved: 07/Jan/14

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Jon Rangel (Inactive) Assignee: Unassigned
Resolution: Done Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Operating System: ALL
Participants:

 Description   

Noticed the following inconsistency while testing 2.6 user-defined roles.

When logged in as a user with userAdminAnyDatabase, it's not possible to create a role in a non-admin database that has privileges outside of that database (good). However, it is possible to create a user in a non-admin database that has privileges outside of that database (see below). This struck me as a little inconsistent. Is there a reason for this? Should it be fixed?

> use admin
switched to db admin
> db.auth("jon","password")
1
>
> use foo
switched to db foo
>
>
> db.createRole({role:"readinany", privileges:[{resource:{db:"", collection:""}, actions:["find"]}], roles:[]})
2013-12-03T17:56:48.579+0000 Error: Roles on the 'foo' database cannot be granted privileges that target other databases
 or the cluster at src/mongo/shell/db.js:1294
>
>
> db.createUser({user:"bob",pwd:"password",roles:[{role:"readWrite", db:"bar"}]})
Successfully added user: {
        "user" : "bob",
        "roles" : [
                {
                        "role" : "readWrite",
                        "db" : "bar"
                }
        ]
}
>



 Comments   
Comment by Andy Schwerin [ 07/Jan/14 ]

It is intentional that you can assign a user in one database roles from another. You simply cannot assign privileges targeting objects in one database to roles in another.

Generated at Thu Feb 08 03:28:05 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.