[SERVER-14194] Password logged in error message for db.system.users.insert Created: 06/Jun/14  Updated: 10/Dec/14  Resolved: 24/Jul/14

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.6.1
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Jonathan Abrahams Assignee: Andreas Nilsson
Resolution: Won't Fix Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL
Steps To Reproduce:

1. Enable auth on mongod
2. In the mongo shell:
   - Create an admin user
   - Authenticate as the admin user
   - Insert a user document into system.users

Description

The legacy method of creating users, db.system.users.insert, can fail when the calling user lacks the required privileges. When it does, the plaintext password from the inserted document is exposed twice: once in the mongod log, and again in the error message propagated back to the client:

> db.system.users.insert({user:'dbuser', pwd: 'pwd', roles: ['readWrite']});
 m27000| 2014-06-06T13:13:28.706-0400 [conn1] Unauthorized not authorized on admin to execute command { insert: "system.users", documents: [ { _id: ObjectId('5391f6b83cbc4b1dc741c821'), user: "dbuser", pwd: "pwd", roles: [ "readWrite" ] } ], ordered: true }
WriteResult({
	"writeError" : {
		"code" : 13,
		"errmsg" : "not authorized on admin to execute command { insert: \"system.users\", documents: [ { _id: ObjectId('5391f6b83cbc4b1dc741c821'), user: \"dbuser\", pwd: \"pwd\", roles: [ \"readWrite\" ] } ], ordered: true }"
	}
})

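A log-hygiene check for the leak shown above, added here as an example that is not part of the ticket or of the MongoDB code base: it scans mongod log lines or client errmsg strings for dumped `pwd`/`password` values and masks them before the lines are stored or forwarded. The sensitive field list and the `<redacted>` mask are assumptions; the sample lines are taken from the ticket.

```python
import re

# Fields whose values must never reach a log (assumed list; `pwd` is the field
# written by the legacy db.system.users.insert() path shown in the ticket).
SENSITIVE_FIELDS = ("pwd", "password")

# Matches `pwd: "value"`, `pwd: 'value'` and the backslash-escaped `pwd: \"value\"`
# form that appears when mongod embeds the command inside a JSON errmsg string.
_SECRET_RE = re.compile(
    r"(?P<key>\b(?:%s)\b)(?P<sep>\s*:\s*)(?P<q>\\?[\"'])(?P<val>.*?)(?P=q)"
    % "|".join(SENSITIVE_FIELDS)
)


def find_sensitive_fields(line: str) -> list[str]:
    """Return the names of sensitive fields whose values are dumped in `line`."""
    return [m.group("key") for m in _SECRET_RE.finditer(line)]


def redact(line: str, mask: str = "<redacted>") -> str:
    """Return `line` with every sensitive field value replaced by `mask`."""
    return _SECRET_RE.sub(
        lambda m: f"{m.group('key')}{m.group('sep')}{m.group('q')}{mask}{m.group('q')}",
        line,
    )


def scan_log(lines) -> list[tuple[int, list[str]]]:
    """Return (line_number, leaked_fields) for each line that leaks a secret."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = find_sensitive_fields(line)
        if fields:
            hits.append((number, fields))
    return hits


# Sample input copied from the ticket: the mongod log line and the errmsg
# string returned to the shell client (ObjectId omitted for brevity).
SAMPLE_LOG = (
    '2014-06-06T13:13:28.706-0400 [conn1] Unauthorized not authorized on admin to '
    'execute command { insert: "system.users", documents: [ { user: "dbuser", '
    'pwd: "pwd", roles: [ "readWrite" ] } ], ordered: true }'
)
SAMPLE_ERRMSG = (
    r'not authorized on admin to execute command { insert: \"system.users\", '
    r'documents: [ { user: \"dbuser\", pwd: \"pwd\", roles: [ \"readWrite\" ] } ], ordered: true }'
)

if __name__ == "__main__":
    for number, fields in scan_log([SAMPLE_LOG, SAMPLE_ERRMSG]):
        print(f"line {number}: leaks {', '.join(fields)}")
    print(redact(SAMPLE_LOG))
    print(redact(SAMPLE_ERRMSG))
```

Redacting at the sink is a stopgap; the durable fix is the one the comment below points at, namely using the createUser command, whose authorization check runs before any document containing the password is built.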

Comments
Comment by Daniel Pasette (Inactive) [ 06/Jun/14 ]

This is not a problem in practice because the password displayed will be unusable, plus, when running the createUser cmd, the authorization check should be upstream of the insertion.

Generated at Thu Feb 08 03:34:07 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.