[SERVER-38545] Inconsistency between different roles when inserting to system.js with bypassDocumentValidation=true Created: 11/Dec/18  Updated: 27/Oct/23  Resolved: 18/Dec/18

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Ted Tuckman Assignee: Jonathan Reams
Resolution: Works as Designed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to SERVER-35301 Cannot insert into system.js collecti... Closed
Operating System: ALL
Steps To Reproduce:
  1. Create two users: one with role restore, one with role readWriteAnyDatabase.
  2. Attempt to run an insert on system.js with bypassDocumentValidation=true on each user.
  3. If auth is enabled, one should succeed, and the other will fail.

> db.createUser({user: "ted", pwd: "ted", roles: [{role: "root", db: "admin"}]})
Successfully added user: {
        "user" : "ted",
        "roles" : [
                {
                        "role" : "root",
                        "db" : "admin"
                }
        ]
}
> db.auth("ted", "ted")
1
> db.createUser({user: "dave", pwd: "dave", roles: [{role: "restore", db: "admin"}]})
Successfully added user: {
        "user" : "dave",
        "roles" : [
                {
                        "role" : "restore",
                        "db" : "admin"
                }
        ]
}
> db.createUser({user: "pj", pwd: "pj", roles: [{role: "readWriteAnyDatabase", db: "admin"}]})
Successfully added user: {
        "user" : "pj",
        "roles" : [
                {
                        "role" : "readWriteAnyDatabase",
                        "db" : "admin"
                }
        ]
}
> db.auth("dave","dave")
1
> use test
switched to db test
> db.runCommand({insert:"system.js", documents:[{_id:"func2", value:function(k){return k;}}], bypassDocumentValidation: true})
{ "n" : 1, "ok" : 1 }
> use admin
switched to db admin
> db.auth("pj","pj")
1
> use test
switched to db test
> db.runCommand({insert:"system.js", documents:[{_id:"func3", value:function(k){return k;}}], bypassDocumentValidation: true})
{
        "ok" : 0,
        "errmsg" : "not authorized on test to execute command { insert: \"system.js\", bypassDocumentValidation: true, lsid: { id: UUID(\"993eb0b0-3859-4113-9829-03cdbd30db3d\") }, $db: \"test\" }",
        "code" : 13,
        "codeName" : "Unauthorized"
}

Sprint: Security 2018-12-31
Participants:

 Description   

With different roles it is possible to either insert to system.js with bypassDocumentValidation=true or get an auth error. If a user with restore inserts it is fine, but readWrite fails. The reason for closing the linked ticket (original report and description of this bug) does not address the inconsistency.



 Comments   
Comment by Jonathan Reams [ 18/Dec/18 ]

This works as designed because bypassing document validation isn't something we expect a normal user with read/write privileges to be able to do. The restore role is a special role that gives a user extra privileges to restore data from backups that may be different from the current configuration. For example, the restore role also allows you to read/write to a number of system collections related to authentication and replication/sharding configuration that a normal user with read/write would not be able to read or write to.
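
An audit sketch for the distinction drawn in the comment above, added here and not part of the ticket or of MongoDB's code: it takes a `usersInfo` reply obtained with `showPrivileges: true` and reports which users hold both `insert` and `bypassDocumentValidation` on a given namespace. The reply object is constructed and abbreviated to mirror the ticket's outcome, the `admin` user database is an assumption, and the function names are hypothetical.

```javascript
// Constructed sample shaped like a usersInfo reply with showPrivileges: true.
// In mongosh it would come from (user db "admin" is an assumption):
//   db.getSiblingDB("admin").runCommand({
//     usersInfo: [{user: "dave", db: "admin"}, {user: "pj", db: "admin"}],
//     showPrivileges: true })
// Privilege lists are abbreviated; real replies carry many more entries.
const sampleReply = {
  users: [
    { user: "dave", db: "admin", inheritedPrivileges: [
      { resource: { anyResource: true },
        actions: ["bypassDocumentValidation", "insert"] } ] },
    { user: "pj", db: "admin", inheritedPrivileges: [
      { resource: { db: "", collection: "" },
        actions: ["find", "insert", "update", "remove"] },
      { resource: { db: "", collection: "system.js" },
        actions: ["find", "insert", "update", "remove"] } ] },
  ],
};

// Does a privilege resource document cover the namespace db.coll?
function resourceCovers(resource, db, coll) {
  if (resource.anyResource === true) return true;
  if (typeof resource.db !== "string" || typeof resource.collection !== "string") {
    return false; // cluster-wide or other non-collection resources
  }
  if (resource.db !== "" && resource.db !== db) return false;
  // An empty collection name means "all non-system collections" only.
  if (resource.collection === "") return !coll.startsWith("system.");
  return resource.collection === coll;
}

// Actions the user holds on db.coll, merged across all inherited privileges.
function actionsOn(user, db, coll) {
  const held = new Set();
  for (const p of user.inheritedPrivileges || []) {
    if (resourceCovers(p.resource, db, coll)) p.actions.forEach((a) => held.add(a));
  }
  return held;
}

// Users able to run an insert with bypassDocumentValidation: true on db.coll.
// That command needs both the insert and bypassDocumentValidation actions.
function usersAbleToBypass(reply, db, coll) {
  const needed = ["insert", "bypassDocumentValidation"];
  return reply.users
    .filter((u) => needed.every((a) => actionsOn(u, db, coll).has(a)))
    .map((u) => `${u.user}@${u.db}`);
}

console.log(usersAbleToBypass(sampleReply, "test", "system.js"));
```

Running the same check against every namespace that carries a validator shows which accounts can write documents the validator would otherwise reject.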
