[SERVER-28356] Disallow writes to oplog from all builtin roles
Created: 16/Mar/17 Updated: 06/Dec/22 Resolved: 26/Oct/18

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | William Schultz (Inactive) |
| Assignee: | Backlog - Security Team |
| Resolution: | Won't Fix |
| Votes: | 0 |
| Labels: | platforms_security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Assigned Teams: | Server Security |
| Operating System: | ALL |
| Sprint: | Security 2018-10-08, Security 2018-10-22 |
| Participants: | |
| Description |

A normal user who has write access to the "local" database is currently not disallowed from writing arbitrary data to the oplog. We should discuss more stringent rules about when (if ever) to allow these kinds of arbitrary oplog writes.
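Since the ticket was closed without a server-side restriction, the practical control is knowing which roles in a deployment grant the access the description refers to. The audit helper below is an added example, not code from the ticket or from the MongoDB project: it inspects a role document in the shape returned by `db.getRole(name, { showPrivileges: true })` and reports privileges that permit writing to `local.oplog.rs`; the function names and the sample role documents are constructed for this example.

```javascript
// Added example (not from the ticket): audit MongoDB role documents, in the shape
// returned by db.getRole(name, { showPrivileges: true }), for privileges that
// allow writing to the replica set oplog (local.oplog.rs).
const OPLOG_DB = "local";
const OPLOG_COLL = "oplog.rs";
// Actions that modify collection data; "anyAction" is the wildcard action.
const WRITE_ACTIONS = new Set(["insert", "update", "remove", "anyAction"]);

// Does this privilege's resource pattern include local.oplog.rs?
function resourceCoversOplog(resource) {
  if (resource.anyResource) return true;        // every resource, system collections included
  if (resource.cluster) return false;           // cluster-wide actions, not collection data
  if (resource.db === undefined) return false;  // unsupported or malformed resource shape
  // db: "" means all databases; collection: "" means all non-system collections,
  // which includes oplog.rs (it is not a system.* collection).
  const dbMatches = resource.db === "" || resource.db === OPLOG_DB;
  const collMatches = resource.collection === "" || resource.collection === OPLOG_COLL;
  return dbMatches && collMatches;
}

// Privileges (direct or inherited) that grant a write action on the oplog.
function oplogWriteGrants(roleDoc) {
  const privs = [...(roleDoc.privileges || []), ...(roleDoc.inheritedPrivileges || [])];
  return privs.filter(p => resourceCoversOplog(p.resource) &&
                           p.actions.some(a => WRITE_ACTIONS.has(a)));
}

// One summary row per role, suitable for a periodic access review.
function auditRoles(roles) {
  return roles.map(r => ({ role: r.role, db: r.db, canWriteOplog: oplogWriteGrants(r).length > 0 }));
}

// Constructed sample role documents (not output from a real deployment).
const sampleRoles = [
  { role: "localWriter", db: "admin", isBuiltin: false,   // readWrite-style grant on all of "local"
    privileges: [{ resource: { db: "local", collection: "" }, actions: ["find", "insert", "update", "remove"] }],
    inheritedPrivileges: [] },
  { role: "oplogReader", db: "admin", isBuiltin: false,   // read-only, scoped to the oplog collection
    privileges: [{ resource: { db: "local", collection: "oplog.rs" }, actions: ["find"] }],
    inheritedPrivileges: [] },
  { role: "clusterOps", db: "admin", isBuiltin: false,    // cluster actions carry no collection write
    privileges: [{ resource: { cluster: true }, actions: ["replSetGetStatus"] }],
    inheritedPrivileges: [] },
];

console.log(JSON.stringify(auditRoles(sampleRoles), null, 2));
```

In a live shell the same check can be fed from `db.getRoles({ showPrivileges: true })` on the admin database; any role flagged `canWriteOplog` deserves review against who actually holds it.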
| Comments |

Comment by Gregory McKeon (Inactive) [ 26/Oct/18 ]

spencer.jackson jonathan.reams should this be closed won't fix?

Comment by Jonathan Reams [ 26/Oct/18 ]

We talked about this in sprint planning and decided that we don't actually want to do this. In the past being able to write to the oplog has been useful for support, and we don't want to completely remove that ability. Restricting access to the oplog collection with a builtin role doesn't require any major changes to the auth subsystem, and we can think about doing that, but if a user has been given write access to the oplog collection then we've decided they should be able to write to it.

Comment by Gregory McKeon (Inactive) [ 24/Jul/18 ]

spencer.jackson if you're picking this up, would it be significant extra work to pick up

Comment by Spencer Jackson [ 04/May/17 ]

I thought about this and asked around. This seems like a reasonable request.