[SERVER-24847] Authentication on multiple databases provides collective permissions Created: 30/Jun/16  Updated: 09/Sep/16  Resolved: 30/Jun/16

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: SC Assignee: Kelsey Schubert
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to DOCS-8620 Clarify that authentication on multip... Closed
Operating System: ALL
Steps To Reproduce:

> db.auth("admin","adminPassword")
> show databases
admin 0.000GB
main db 11.843GB
anotherdatab 9.025GB
anotherdata1 0.008GB
local 0.000GB
school 0.734GB
test 0.000GB
> use readonlydb
switched to db readonlydb
> db.auth("readonlyuser","readonlypass")
1
> show databases
admin 0.000GB
maindb 11.843GB
anotherdatab 9.025GB
anotherdata1 0.008GB
local 0.000GB
school 0.734GB
test 0.000GB

Description:

I have two users on MongoDB 3.2.7: a user with the root role and another user with the read-only role on the database. When I log in as root and then switch to the read-only user without exiting the shell, MongoDB allows me to run and execute root-level commands even though I am logged in as the read-only user. To reproduce the problem, do the following.

I logged in as the user with root access using

use admin
db.auth("rootUser","Password")

and ran commands like show databases and show collections; everything works fine.

Then, without exiting the shell, I logged in as the read-only user

use dbabc
db.auth("readOnlyUser","Password")

Now logged in as this user, I can drop and list databases and perform all other root operations. I think this is very dangerous. I tried to reproduce the problem several times and it works.

The only time the read-only user works as expected is when I exit the shell and then log in again as the read-only user. See the execution of commands below.

Comments:
Comment by Kelsey Schubert [ 17/Aug/16 ]

Hi sneceesay77,

To address some of your concerns, I've opened a ticket to improve our documentation around this behavior. Please feel free to vote for DOCS-8620 and watch it for updates.

Best regards,
Thomas

Comment by SC [ 30/Jun/16 ]

Hi Thomas,

Thank you for the reply, but is this behaviour safe?

What if someone runs db.coll.drop() on a production db thinking he was logged in as a limited user.

Thanks.
SC.

Comment by Kelsey Schubert [ 30/Jun/16 ]

Hi sneceesay77,

Thank you for the report. This is expected behavior. You can be logged in on different databases with several users concurrently in the shell. In this case, you will have the collective permissions of all authenticated users.

If you do not want to be authenticated on a particular database you can execute db.logout() on the same database.

Kind regards,
Thomas
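The behaviour Thomas describes (several users authenticated on one shell connection, with the union of their privileges in effect) can be inspected in the shell with `db.runCommand({connectionStatus: 1})`, which lists the authenticated users and roles for the current connection. The following is an added example, not code from the ticket or from MongoDB: it parses a constructed `connectionStatus` document of that shape, reports the effective privileges, flags the case from the report (a limited user plus a still-authenticated root user), and models what `db.logout()` on one database removes. The `ELEVATED_ROLES` list and the `exceedsExpectedUser`/`logoutOnDatabase` helpers are this example's own assumptions.

```javascript
// Added example (not part of the Jira ticket or MongoDB itself): audit the
// authentication state of a mongo shell connection. In the shell,
// db.runCommand({connectionStatus: 1}) returns the users and roles currently
// authenticated on the connection; this script parses such a document and
// reports the effective (union) privileges that "collective permissions" produce.

// Constructed sample: what connectionStatus could return after the sequence in
// the report, i.e. db.auth() as root on "admin" followed by db.auth() as a
// read-only user on "readonlydb" in the same shell session.
const sampleStatus = {
  authInfo: {
    authenticatedUsers: [
      { user: "admin", db: "admin" },
      { user: "readonlyuser", db: "readonlydb" },
    ],
    authenticatedUserRoles: [
      { role: "root", db: "admin" },
      { role: "read", db: "readonlydb" },
    ],
  },
  ok: 1,
};

// Roles treated as "elevated" by this check. Assumption: a reasonable default
// list for an audit, not a category defined by MongoDB.
const ELEVATED_ROLES = new Set([
  "root", "dbOwner", "dbAdmin", "dbAdminAnyDatabase", "userAdmin",
  "userAdminAnyDatabase", "readWriteAnyDatabase", "clusterAdmin",
]);

// Summarize who is authenticated on the connection and which roles are in effect.
function summarizeConnection(status) {
  if (!status || status.ok !== 1 || !status.authInfo) {
    throw new Error("unexpected connectionStatus document");
  }
  const users = status.authInfo.authenticatedUsers.map(u => `${u.user}@${u.db}`);
  const roles = status.authInfo.authenticatedUserRoles.map(r => `${r.role}@${r.db}`);
  return { users, roles, multipleUsers: users.length > 1 };
}

// The core check: is anyone other than the expected (limited) user still
// authenticated, and does the connection hold an elevated role anywhere?
function exceedsExpectedUser(status, expectedUser, expectedDb) {
  const { users } = summarizeConnection(status);
  const expected = `${expectedUser}@${expectedDb}`;
  const extraUsers = users.filter(u => u !== expected);
  const elevated = status.authInfo.authenticatedUserRoles
    .filter(r => ELEVATED_ROLES.has(r.role))
    .map(r => `${r.role}@${r.db}`);
  return { extraUsers, elevated, safe: extraUsers.length === 0 && elevated.length === 0 };
}

// Model of db.logout() run on one database: only the users authenticated on that
// database (and their roles) are removed; authentication on other databases
// stays. Assumption: roles are matched to users by database, which holds when a
// user's roles are defined on its own authentication database, as in the sample.
function logoutOnDatabase(status, dbName) {
  const keep = x => x.db !== dbName;
  return {
    authInfo: {
      authenticatedUsers: status.authInfo.authenticatedUsers.filter(keep),
      authenticatedUserRoles: status.authInfo.authenticatedUserRoles.filter(keep),
    },
    ok: 1,
  };
}

// Walk through the scenario from the report and print what an operator would see.
function demo() {
  console.log("before logout:", summarizeConnection(sampleStatus));
  console.log("acting as readonlyuser?", exceedsExpectedUser(sampleStatus, "readonlyuser", "readonlydb"));
  const after = logoutOnDatabase(sampleStatus, "admin");   // "use admin; db.logout()"
  console.log("after logout on admin:", summarizeConnection(after));
  console.log("acting as readonlyuser?", exceedsExpectedUser(after, "readonlyuser", "readonlydb"));
}

if (typeof require !== "undefined" && require.main === module) demo();

module.exports = { sampleStatus, ELEVATED_ROLES, summarizeConnection, exceedsExpectedUser, logoutOnDatabase };
```

Run it with `node` to see the two summaries; the first check reports `admin@admin` as an extra user and `root@admin` as an elevated role, and only after the modelled `db.logout()` on `admin` does the connection reduce to the read-only user alone. In a real session the same check is `db.runCommand({connectionStatus: 1})` before running anything destructive.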
