[SERVER-3200] Once auth'ed for admin, this is kept for the duration of the shell even after switch to another user Created: 05/Jun/11  Updated: 29/Aug/11  Resolved: 22/Jun/11

Status: Closed
Project: Core Server
Component/s: Admin
Affects Version/s: 1.8.1
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Alvin Richards (Inactive) Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Operating System: ALL
Participants:

Description

Problem:
After the user is auth'ed for the Admin DB, it appears that this authorization is kept for the duration of the shell. This allows a user that does not have access rights to admin to obtain these privileges.

Test Case:

/* Correctly checks for admin rights */
MongoDB shell version: 1.8.0
connecting to: test
> db.auth("thetest","xxx");
1
> use admin
switched to db admin
> show collections
Sun Jun 5 12:47:59 uncaught exception: error: {
"$err" : "unauthorized db:admin lock type:-1 client:127.0.0.1",
"code" : 10057
}

/* Incorrectly checks for admin rights */
MongoDB shell version: 1.8.0
connecting to: test
> use admin
switched to db admin
> db.auth("theadmin","yyy");
1
> show collections;
system.indexes
system.profile
system.users
> use test
switched to db test
> db.auth("thetest","xxx");
1
> use admin
switched to db admin
> show collections;
system.indexes
system.profile
system.users

Comments
Comment by Eliot Horowitz (Inactive) [ 22/Jun/11 ]

Login is per db.
So when you switch dbs you don't logout of the first db.
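To make the per-database session model concrete, here is an added illustration (constructed for this page, not MongoDB source code) that replays the two transcripts from the description under a toy model of the shell's state as the comment above describes it: each `db.auth()` records credentials for the current database only, and switching databases or authenticating elsewhere never drops them. The `logout` method stands in for the shell's `db.logout()`, and the user table, passwords and helper names are assumptions chosen to match the ticket's transcript.

```python
# Added illustration (not MongoDB code): toy model of the per-database
# authentication state a single mongo shell process holds (SERVER-3200).
# The user table below is constructed to mirror the ticket's transcript.
USERS = {
    "admin": {"theadmin": "yyy"},
    "test": {"thetest": "xxx"},
}


class ShellSession:
    """One shell process. Authentication is recorded per database and
    survives 'use <otherdb>' and later auth calls against other databases."""

    def __init__(self):
        self.current_db = "test"
        self.authed = {}  # db name -> user currently authenticated for that db

    def use(self, db):
        """'use <db>': only changes the current database, touches no credentials."""
        self.current_db = db

    def auth(self, user, password):
        """db.auth() against the current database. Returns 1 on success,
        0 on failure, like the shell. Other databases' state is untouched."""
        if USERS.get(self.current_db, {}).get(user) == password:
            self.authed[self.current_db] = user
            return 1
        return 0

    def logout(self, db=None):
        """Stand-in for db.logout(): drop credentials held for one database."""
        self.authed.pop(db or self.current_db, None)

    def show_collections(self):
        """Authorized iff credentials are held for the current db. Returns the
        authenticated user, or raises like the shell's 'unauthorized' error."""
        if self.current_db not in self.authed:
            raise PermissionError(f"unauthorized db:{self.current_db}")
        return self.authed[self.current_db]

    def held_privileges(self):
        """Audit view: every database this shell is still logged into."""
        return dict(self.authed)


def ticket_case_one():
    """First transcript: only 'thetest' logs in, so admin stays locked."""
    s = ShellSession()
    s.auth("thetest", "xxx")
    s.use("admin")
    try:
        s.show_collections()
        return "allowed"
    except PermissionError:
        return "unauthorized"


def ticket_case_two():
    """Second transcript: the admin login is never dropped by the later
    login as 'thetest', so admin remains readable."""
    s = ShellSession()
    s.use("admin")
    s.auth("theadmin", "yyy")
    s.use("test")
    s.auth("thetest", "xxx")
    s.use("admin")
    return s.show_collections(), s.held_privileges()


def hardened_case():
    """Same sequence, but admin credentials are explicitly logged out before
    the shell is used as the less-privileged user."""
    s = ShellSession()
    s.use("admin")
    s.auth("theadmin", "yyy")
    s.logout()  # drop admin credentials instead of relying on 'use test'
    s.use("test")
    s.auth("thetest", "xxx")
    s.use("admin")
    try:
        s.show_collections()
        return "allowed", s.held_privileges()
    except PermissionError:
        return "unauthorized", s.held_privileges()


if __name__ == "__main__":
    print("case 1:", ticket_case_one())
    print("case 2:", ticket_case_two())
    print("hardened:", hardened_case())
```

The `held_privileges` view is the check an operator wants before handing a shell to someone else: the second case shows the session still holding both `admin` and `test` credentials, and only an explicit logout of `admin` (the hardened case) brings the session back to least privilege.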
