[SERVER-12713] Redact db.changeUserPassword() from shell command history Created: 13/Feb/14 Updated: 10/Dec/14 Resolved: 18/Feb/14
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security, Shell |
| Affects Version/s: | 2.4.9 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Trivial - P5 |
| Reporter: | Jeffery Schnick | Assignee: | Unassigned |
| Resolution: | Duplicate | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
| Operating System: | ALL | ||||||||
| Steps To Reproduce: | [root@localhost ~]# mongo admin -u thisguy -p oldpassword --port 27001
| Participants: | |||||||||
| Description |
|
The db.changeUserPassword() call is in history. Any user that can connect to the mongo shell can use the up arrow to see the changed password in plain text. Workaround: db.system.users.update( { "pwd" : "' + hashedoldpassword + '"}, { $set: { "pwd" : "' + hashednewpassword + '"}} ) |
| Comments |
| Comment by Daniel Pasette (Inactive) [ 18/Feb/14 ] |
|
fixed in 2.5.1: |
| Comment by James Wahlin [ 13/Feb/14 ] |
|
Hi Jeffery, This is a valid feature request. I do want to point out, though, that the shell will write history to a local file called ".dbshell". If the shell can derive a user directory, it will write this under that directory; if not, it will write to the current directory. If you have a standard user that people log in under, one workaround is to create this file yourself and restrict writing to it for that user. The shell will still launch and be usable, but it will not be able to write history. Cheers, |
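
The following is an added example, not part of the ticket or of MongoDB's code: a small auditor for the ".dbshell" history file mentioned above that finds lines containing credential-bearing calls and masks their string arguments. Only db.changeUserPassword() comes from the ticket; covering addUser, createUser and auth as well is an assumption made here, and the sample history is constructed.

```python
import re

# Shell helpers that take a password argument. changeUserPassword is the call
# named in the ticket; the other three are assumptions added for this example.
SENSITIVE_CALLS = ("changeUserPassword", "addUser", "createUser", "auth")
CALL_RE = re.compile(r"\.(?:%s)\s*\(" % "|".join(SENSITIVE_CALLS))
# A quoted string literal, single or double, allowing backslash escapes.
STRING_RE = re.compile(r"""("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')""")


def redact_line(line):
    """Return (line, changed); string literals after a sensitive call are masked."""
    m = CALL_RE.search(line)
    if not m:
        return line, False
    head, tail = line[:m.end()], line[m.end():]
    return head + STRING_RE.sub('"<redacted>"', tail), True


def audit_history(text):
    """Scan .dbshell contents; return (clean_text, 1-based numbers of flagged lines)."""
    out, hits = [], []
    for n, line in enumerate(text.splitlines(), 1):
        new, changed = redact_line(line)
        out.append(new)
        if changed:
            hits.append(n)
    return "\n".join(out) + "\n", hits


# Constructed sample history, not taken from a real system.
SAMPLE = """show dbs
db.changeUserPassword("thisguy", "newpassword")
db.users.find({name: "auth"})
db.auth('thisguy', 'it\\'s secret')
"""

if __name__ == "__main__":
    clean, hits = audit_history(SAMPLE)
    print("lines with credentials:", hits)
    print(clean, end="")
```

To audit a real history file, pass its contents to audit_history() and write the cleaned text back only after reviewing the flagged line numbers.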