[SERVER-28356] Disallow writes to oplog from all builtin roles Created: 16/Mar/17  Updated: 06/Dec/22  Resolved: 26/Oct/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: William Schultz (Inactive) Assignee: Backlog - Security Team
Resolution: Won't Fix Votes: 0
Labels: platforms_security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by SERVER-26829 Oplog usable as output of mapreduce Closed
Related
related to SERVER-29826 Prevent user writes to internal repli... Closed
Assigned Teams:
Server Security
Operating System: ALL
Sprint: Security 2018-10-08, Security 2018-10-22
Participants:

 Description   

A normal user who has write access to the "local" database is currently not disallowed from writing arbitrary data to the oplog. We should discuss more stringent rules about when (if ever) to allow these kinds of arbitrary oplog writes.



 Comments   
Comment by Gregory McKeon (Inactive) [ 26/Oct/18 ]

spencer.jackson jonathan.reams should this be closed won't fix?

Comment by Jonathan Reams [ 26/Oct/18 ]

We talked about this in sprint planning and decided that we don't actually want to do this. In the past being able to write to the oplog has been useful for support, and we don't want to completely remove that ability. Restricting access to the oplog collection with a builtin role doesn't require any major changes to the auth subsystem, and we can think about doing that, but if a user has been given write access to the oplog collection then we've decided they should be able to write to it.

Comment by Gregory McKeon (Inactive) [ 24/Jul/18 ]

spencer.jackson if you're picking this up, would it be significant extra work to pick up SERVER-29826 as well?

Comment by Spencer Jackson [ 04/May/17 ]

I thought about this and asked around. This seems like a reasonable request.

Generated at Thu Feb 08 04:17:54 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.