[SERVER-24847] Authentication on multiple databases provides collective permissions

Created: 30/Jun/16 | Updated: 09/Sep/16 | Resolved: 30/Jun/16

| Field | Value |
| --- | --- |
| Status | Closed |
| Project | Core Server |
| Component/s | Security |
| Affects Version/s | None |
| Fix Version/s | None |
| Type | Bug |
| Priority | Major - P3 |
| Reporter | SC |
| Assignee | Kelsey Schubert |
| Resolution | Done |
| Votes | 0 |
| Labels | None |
| Operating System | ALL |
| Steps To Reproduce | `> db.auth("admin","adminPassword")` |
Description

I have two users on MongoDB 3.2.7: a user with the root role and another user with a read-only role on the database. When I log in as root and then switch to the read-only user without exiting the shell, MongoDB allows me to run and execute root-level commands even though I am logged in as the read-only user.

To reproduce the problem, do the following. I logged in as the user with root access using `use admin`. Then, without exiting the shell, I logged in as the read-only user with `use dbabc`.

The only time the read-only user works as expected is when I exit the shell and then log in again as the read-only user. See the execution of commands below.
Comments

Comment by Kelsey Schubert [ 17/Aug/16 ]

Hi sneceesay77,

To address some of your concerns, I've opened a ticket to improve our documentation around this behavior. Please feel free to vote for

Best regards,
Comment by SC [ 30/Jun/16 ]

Hi Thomas,

Thank you for the reply, but is this behaviour safe? What if someone runs `db.coll.drop()` on a production db thinking he was logged in as a limited user?

Thanks.
Comment by Kelsey Schubert [ 30/Jun/16 ]

Hi sneceesay77,

Thank you for the report. This is expected behavior. You can be logged in on different databases with several users concurrently in the shell. In this case, you will have the collective permissions of all authenticated users. If you do not want to be authenticated on a particular database you can execute `db.logout()` on the same database.

Kind regards,
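To make the collective-permissions state described in this ticket visible from the shell before running anything destructive, here is an added example (not from the ticket and not MongoDB's own code) that reads the document returned by the real `db.runCommand({ connectionStatus: 1 })` command. The `summarizeAuth` and `guardDestructive` helpers, the `reader` user and the sample status document are constructed for illustration.

```javascript
// Added example, not from the ticket: inspect which users a mongo shell
// connection is currently authenticated as, using the real
// db.runCommand({ connectionStatus: 1 }) result, and refuse to run a
// destructive helper while more than one user is authenticated.

// Summarise a connectionStatus document: the authenticated principals as
// "user@db" and the de-duplicated, sorted union of roles as "role@db".
function summarizeAuth(status) {
  var info = (status && status.authInfo) || {};
  var users = (info.authenticatedUsers || []).map(function (u) {
    return u.user + "@" + u.db;
  });
  var seen = {};
  var roles = [];
  (info.authenticatedUserRoles || []).forEach(function (r) {
    var key = r.role + "@" + r.db;
    if (!seen[key]) { seen[key] = true; roles.push(key); }
  });
  return { users: users, roles: roles.sort() };
}

// Guard for destructive helpers (e.g. a wrapper around db.coll.drop()):
// proceed only when exactly one user is authenticated and it is the one the
// operator expects, so a root login left open on `admin` cannot silently lend
// its privileges to what the operator believes is a read-only session.
function guardDestructive(status, expectedUser) {
  var s = summarizeAuth(status);
  if (s.users.length !== 1 || s.users[0] !== expectedUser) {
    return {
      ok: false,
      reason: "connection holds " + s.users.length + " authenticated user(s): " + s.users.join(", ")
    };
  }
  return { ok: true, roles: s.roles };
}

// Constructed sample (not real output) of what connectionStatus reports after
// the sequence in the ticket: root on `admin`, then a read user on `dbabc`,
// with no db.logout() in between.
var sampleStatus = {
  authInfo: {
    authenticatedUsers: [{ user: "admin", db: "admin" }, { user: "reader", db: "dbabc" }],
    authenticatedUserRoles: [{ role: "root", db: "admin" }, { role: "read", db: "dbabc" }]
  },
  ok: 1
};

// In a live shell: guardDestructive(db.runCommand({ connectionStatus: 1 }), "reader@dbabc")
```

Running `guardDestructive` on the sample returns `ok: false`, because the stale root login on `admin` is still contributing its privileges; after `db.logout()` on `admin` the same check passes for `reader@dbabc`.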