[SERVER-19324] Restricted user, can see / modify in every database Created: 08/Jul/15  Updated: 03/Apr/23  Resolved: 08/Jul/15

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 3.0.4
Fix Version/s: None

Type: Bug Priority: Critical - P2
Reporter: Dennis Hoefakker Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

1. Create a user in a database: db.createUser({user: "youruser", pwd: "securepassword", roles: ["read"]})
2. Connect to the database: mongo.exe --username youruser --password securepassword databasename
3. use databaseX
4. show collections

Sprint: Security 6 07/17/15
Participants:

 Description   

I'm running MongoDB 3.0, used the upgrade document (http://docs.mongodb.org/manual/release-notes/3.0-upgrade/) and upgraded the storage engine to WiredTiger.

I created a user in one of the databases with the read role.

When I connect to the database and select another database it gives me the "Authentication Failed" message. That is ok.

When I connect to the database I created the user in, it connects... But then I can use <databaseX> and do a show collections. It displays everything from that database (where the user shouldn't have access), and I can even show and modify documents.

Is this a bug, or is there something missing in the migration manual?



 Comments   
Comment by Andreas Nilsson [ 08/Jul/15 ]

HoefMeistert, thanks for your report (and your solution).

The authenticate command currently does not return any state info about the server. We will consider what options might be available to issue a warning.

Regards,
Andreas

Comment by Dennis Hoefakker [ 08/Jul/15 ]

Issue can be closed... It was a misconfiguration which I had completely missed...

But maybe there can be some kind of information/message somewhere that you are authenticating to a server which doesn't require authentication?
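The behaviour in this ticket (a user with the read role on one database can list and modify every database) is what a mongod that was started without --auth (or without security.authorization: enabled in mongod.conf) produces: the authenticate command still checks the credentials, but no role is ever enforced afterwards, and, as the comment above notes, the authenticate reply carries no hint of that. The following is an added example, not code from the ticket or from MongoDB, showing two ways to detect the condition from command replies in the mongo shell: run a command the restricted user must not be allowed (listCollections on another database, which is what "show collections" issues, or listDatabases) and look for the Unauthorized error, or read the startup options with getCmdLineOpts. The reply documents below are constructed to mirror the shape of the server's replies; they were not captured from the reporter's server.

```javascript
// Added example (not from the ticket or MongoDB's own code): decide from raw
// command replies whether a mongod enforces authorization at all.

const UNAUTHORIZED = 13; // MongoDB error code "Unauthorized"

// Probe 1: as the restricted user, run something the "read" role on one
// database must never be allowed, e.g.
//   db.getSiblingDB('databaseX').runCommand({listCollections: 1})   (show collections)
//   db.adminCommand({listDatabases: 1})
// and pass the reply document in. The legacy mongo shell of the 3.0 era
// returns the error document instead of throwing.
function probeSaysEnforced(reply) {
  if (reply.ok === 1) {
    // The user saw data outside its grant: roles are not being enforced.
    return false;
  }
  if (reply.code === UNAUTHORIZED) {
    return true;
  }
  throw new Error(`probe failed for another reason: ${reply.errmsg}`);
}

// Probe 2: inspect the startup options, db.adminCommand({getCmdLineOpts: 1}),
// from a connection allowed to run it. The `parsed` section mirrors the YAML
// config form, so --auth appears as security.authorization: "enabled"; a
// keyFile implies authorization as well. `argv` is checked too as a fallback.
function authorizationFromStartupOptions(opts) {
  const sec = (opts.parsed && opts.parsed.security) || {};
  const argv = opts.argv || [];
  if (sec.authorization === 'enabled' || argv.includes('--auth')) return 'enabled';
  if (sec.keyFile || argv.some(a => a.startsWith('--keyFile'))) return 'enabled';
  // No authorization setting at all: the misconfiguration behind this ticket.
  return 'disabled';
}

// Constructed sample replies (shaped like 3.0 server output, not captured
// from the reporter's server).
const sample = {
  // "show collections" on databaseX succeeded for the read-only user.
  listCollectionsOk: {
    cursor: { id: 0, ns: 'databaseX.$cmd.listCollections', firstBatch: [{ name: 'orders' }] },
    ok: 1,
  },
  // The same call against a server with authorization enabled.
  listCollectionsDenied: {
    ok: 0,
    errmsg: 'not authorized on databaseX to execute command { listCollections: 1.0 }',
    code: UNAUTHORIZED,
  },
  // getCmdLineOpts from a server started with --dbpath only (the ticket).
  optsNoAuth: {
    argv: ['mongod', '--dbpath', '/data/db'],
    parsed: { storage: { dbPath: '/data/db' } },
    ok: 1,
  },
  // getCmdLineOpts from a server started with --auth.
  optsAuth: {
    argv: ['mongod', '--dbpath', '/data/db', '--auth'],
    parsed: { security: { authorization: 'enabled' }, storage: { dbPath: '/data/db' } },
    ok: 1,
  },
  // Replica set member started with a keyFile, which implies authorization.
  optsKeyFile: {
    argv: ['mongod', '--keyFile=/etc/mongo-key'],
    parsed: { security: { keyFile: '/etc/mongo-key' } },
    ok: 1,
  },
};

function report() {
  return {
    ticketServer: probeSaysEnforced(sample.listCollectionsOk),        // false
    hardenedServer: probeSaysEnforced(sample.listCollectionsDenied),  // true
    optsNoAuth: authorizationFromStartupOptions(sample.optsNoAuth),   // 'disabled'
    optsAuth: authorizationFromStartupOptions(sample.optsAuth),       // 'enabled'
    optsKeyFile: authorizationFromStartupOptions(sample.optsKeyFile), // 'enabled'
  };
}

console.log(report());
```

Probe 1 is the one to rely on from a restricted account, since it tests the actual effect (is the role enforced?) rather than the configuration; getCmdLineOpts itself is refused with the same Unauthorized error on an enforcing server unless the account has been granted it.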

Generated at Thu Feb 08 03:50:35 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.