[SERVER-12621] Reduce localhost exception permissions Created: 05/Feb/14 Updated: 27/Oct/15 Resolved: 23/May/14 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 2.5.5 |
| Fix Version/s: | 2.7.1 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Andreas Nilsson | Assignee: | Amalia Hawkins |
| Resolution: | Done | Votes: | 0 |
| Labels: | 26qa |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Backwards Compatibility: | Fully Compatible |
| Participants: |
| Description |
|
Currently the localhost exception gives full privileges to all operations and commands. The purpose is only to create the first admin DB user. Hence it would make sense to limit the localhost exception exposure to give the createUser action type on the admin DB, or possibly the UserAdmin role if that is preferable from an implementation perspective. |
| Comments |
| Comment by Githook User [ 23/May/14 ] |
|
Author: {u'username': u'hawka', u'name': u'Amalia Hawkins', u'email': u'amalia.hawkins@10gen.com'} Message: |
| Comment by Githook User [ 23/May/14 ] |
|
Author: {u'username': u'hawka', u'name': u'Amalia Hawkins', u'email': u'amalia.hawkins@10gen.com'} Message: |
| Comment by Spencer Brody (Inactive) [ 23/Apr/14 ] |
|
|
| Comment by Amalia Hawkins [ 22/Apr/14 ] |
|
Switched to "Driver changes needed" because while the drivers themselves will not have to change, this will likely break a lot of their auth tests. (We tend to do a lot of "setup" on --auth databases without creating a user first, which will no longer work.) |
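
The following is an added example, not code from the ticket or from the MongoDB server: a small JavaScript model of the policy change described above, replaying a test setup script against the full-privilege exception and against the reduced one. All function and variable names are hypothetical, and the sample scripts are constructed.

```javascript
// Constructed model of the policy in this ticket; not MongoDB server code.
const LEGACY = "legacy";   // as described: the exception grants every action
const REDUCED = "reduced"; // as proposed: only createUser on the admin DB

// Assumption: the exception covers unauthenticated loopback connections
// only while the deployment has no users yet.
function exceptionActive(conn, userCount) {
  return conn.fromLocalhost && !conn.authenticated && userCount === 0;
}

function isAuthorized(policy, conn, userCount, op) {
  // Simplification: an authenticated user is assumed to hold the roles it needs.
  if (conn.authenticated) return true;
  if (!exceptionActive(conn, userCount)) return false;
  if (policy === LEGACY) return true;
  return op.db === "admin" && op.action === "createUser";
}

// Replays a setup script over one loopback connection to an --auth server and
// returns, per step, whether the server would have accepted it.
function runSetup(policy, steps) {
  const conn = { fromLocalhost: true, authenticated: false };
  let userCount = 0;
  return steps.map((op) => {
    if (op.action === "authenticate") {
      conn.authenticated = userCount > 0; // needs an existing user
      return { step: "authenticate", ok: conn.authenticated };
    }
    const ok = isAuthorized(policy, conn, userCount, op);
    if (ok && op.action === "createUser") userCount += 1;
    return { step: `${op.action} on ${op.db}`, ok };
  });
}

// Constructed sample scripts: setup with no user, and setup that creates one first.
const setupWithoutUser = [
  { db: "test", action: "insert" },
  { db: "test", action: "createIndex" },
];
const setupUserFirst = [
  { db: "admin", action: "createUser" },
  { action: "authenticate" },
  ...setupWithoutUser,
];

// Names of the steps a given policy would refuse.
function rejected(policy, steps) {
  return runSetup(policy, steps).filter((r) => !r.ok).map((r) => r.step);
}
```

Under the reduced policy the user-less script is refused at every step, while the script that creates the admin user and authenticates first passes unchanged.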