[SERVER-3773] It's possible to invoke certain admin operations remotely without authentication
| Created: 07/Sep/11 | Updated: 11/Jul/16 | Resolved: 30/Sep/11 |
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 1.9.0 |
| Fix Version/s: | 2.0.0, 2.1.0 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Vishy Karra | Assignee: | Kristina Chodorow (Inactive) |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Operating System: | ALL |
| Description |
|
It's possible to execute both db.shutdownServer() and rs.stepDown() without authenticating remotely even when authentication is enabled. |
| Comments |
| Comment by Kristina Chodorow (Inactive) [ 30/Sep/11 ] |
|
I just wanted to break getLastError out into its own commit because it affected db.js & a sharding test (and I wasn't sure if it would affect other files, too, but it seems to be limited to those). I figured it would keep the "simple" changes separate from the more far-reaching getLastError changes, which might make backporting easier (which turned out to be an academic concern anyway). |
| Comment by Dwight Merriman [ 30/Sep/11 ] |
|
curious what's the potential issue with getlasterror? |
| Comment by auto [ 30/Sep/11 ] |
|
Author: Kristina (kchodorow) <kristina@10gen.com>
Message: make getLastError require auth
| Comment by auto [ 29/Sep/11 ] |
|
Author: Kristina (kchodorow) <kristina@10gen.com>
Message: more commands require authentication
Not getLastError, for now, as it's a little more complicated.
| Comment by Eliot Horowitz (Inactive) [ 07/Sep/11 ] |
|
Fixed shutdownServer (and general issue). |
| Comment by auto [ 07/Sep/11 ] |
|
Author: Eliot Horowitz (erh) <eliot@10gen.com>
Message: move authentication check earlier for safety
| Comment by Kristina Chodorow (Inactive) [ 07/Sep/11 ] |
|
rs.stepDown() has already been fixed. db.shutdownServer() has not. |