[SERVER-3773] It's possible to invoke certain admin operations remotely without authentication Created: 07/Sep/11  Updated: 11/Jul/16  Resolved: 30/Sep/11

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 1.9.0
Fix Version/s: 2.0.0, 2.1.0

Type: Bug Priority: Major - P3
Reporter: Vishy Karra Assignee: Kristina Chodorow (Inactive)
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to DOCS-181 Mention more commands require auth in... Closed
Operating System: ALL
Participants:

Description

It's possible to execute both db.shutdownServer() and rs.stepDown() without authenticating remotely even when authentication is enabled.



Comments
Comment by Kristina Chodorow (Inactive) [ 30/Sep/11 ]

I just wanted to break getLastError out into its own commit because it affected db.js & a sharding test (and I wasn't sure if it would affect other files, too, but it seems to be limited to those). I figured it would keep the "simple" changes separate from the more far-reaching getLastError changes, which might make backporting easier (which turned out to be an academic concern anyway).

Comment by Dwight Merriman [ 30/Sep/11 ]

Curious, what's the potential issue with getlasterror?

Comment by auto [ 30/Sep/11 ]

Author: Kristina (kchodorow) <kristina@10gen.com>

Message: make getLastError require auth SERVER-3773
Branch: master
https://github.com/mongodb/mongo/commit/a5cfd6af349660c81aa4d51400aa525423bffc18

Comment by auto [ 29/Sep/11 ]

Author: Kristina (kchodorow) <kristina@10gen.com>

Message: more commands require authentication SERVER-3773

Not getLastError, for now, as it's a little more complicated.
Branch: master
https://github.com/mongodb/mongo/commit/991bfa6eae1d63ccc4a78901bca5ebea7645c251

Comment by Eliot Horowitz (Inactive) [ 07/Sep/11 ]

Fixed shutdownServer (and the general issue).
Leaving open so we check that all commands have requiresAdmin set correctly.

Comment by auto [ 07/Sep/11 ]

Author: Eliot Horowitz (erh) <eliot@10gen.com>

Message: move authentication check earlier for safety SERVER-3773
Branch: master
https://github.com/mongodb/mongo/commit/a881aacb3d9a5032403ad45362f35bc9c640affa

Comment by Kristina Chodorow (Inactive) [ 07/Sep/11 ]

rs.stepDown() has already been fixed. db.shutdownServer() has not.

Generated at Thu Feb 08 03:04:00 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.