[SERVER-43950] changeOwnPassword privilege action should not allow users to list collections in the databases that they don't have read access to
Created: 10/Oct/19 Updated: 27/Oct/23 Resolved: 05/Feb/21
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Minor - P4 |
| Reporter: | Harshad Dhavale | Assignee: | Spencer Jackson |
| Resolution: | Works as Designed | Votes: | 1 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Operating System: | ALL |
| Steps To Reproduce: | The following commands can be used to reproduce this issue in a MongoDB with auth enabled:
changeOwnPasswordROLE and user333
readOnlyTestDBRole and user4444 |
| Sprint: | Security 2019-11-04, Security 2019-11-18, Security 2019-12-02, Security 2019-12-16, Security 2019-12-30, Security 2019-01-13, Security 2019-01-27, Security 2020-02-24, Security 2020-03-09, Security 2020-03-23, Security 2020-04-06, Security 2020-04-20, Security 2020-05-04, Security 2020-05-18, Security 2020-06-01, Security 2020-06-15, Security 2020-07-13, Security 2020-10-05, Security 2020-11-02, Security 2021-01-11, Security 2021-01-25, Security 2021-02-08 |
| Participants: | |
| Case: | (copied to CRM) |
| Description |
Currently, the changeOwnPassword privilege action allows users to list collections in the databases that they don't have read access to. I can demonstrate this with the help of the example below.

Scenario #1: Consider the following role, which has the changeOwnPassword privilege action:
The user333 is assigned the above role, and has only read privileges on the test database:
When I authenticate as user333, switch to db_xyz and run show collections, it lists the collections:

Scenario #2: Now, consider another role which has only the find privilege action on the test database, with no changeOwnPassword privilege action:
user4444 is assigned the above readOnlyTestDBRole role:
Now, if I authenticate as user4444, switch to db_xyz and run show collections, it does not list the collections:

Therefore, ideally a user who has the changeOwnPassword privilege action should not be able to run show collections on a database that the user does not have read access to; such an action should fail with the above warning: "Warning: unable to run listCollections...". |
| Comments |
| Comment by Spencer Jackson [ 05/Feb/21 ] |
Upon reflection, I believe this behaviour works as designed, and am resolving the ticket. In order to aid discovery where granular, per-collection privileges are assigned to users, we allowed listCollections to return lists of all collections which a user has permissions on. Under our access control system, privileges may be granted for a database, and possessing such a privilege is equivalent to possessing the privilege on all collections inside the database. In this instance, the user effectively possesses the ability to "change their own password" on collections. listCollections is correct that the user possesses some form of privilege on the database's collections. Because ActionTypes aren't scoped to resource types, we aren't able to tell that this privilege is probably not useful. Scoping ActionTypes to resource types would be challenging, and would need to be done carefully. |
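The two scenarios in the description and the rule Spencer Jackson gives for them, modelled as an added JavaScript example. This is illustrative code written for this page, not MongoDB's authorization code and not anything attached to the ticket. It assumes the changeOwnPassword role grants the action on db_xyz at the database level (the ticket's actual role definitions are not on the page), reuses the role and user names from the ticket, and uses constructed collection names.

```javascript
// Added example (not MongoDB's code): a small model of the listCollections
// visibility rule described in this ticket. Two rules from Spencer
// Jackson's comment are modelled:
//   1. a privilege on a database-level resource (collection: "") applies to
//      every collection in that database, whatever the ActionType;
//   2. listCollections, as run by "show collections", returns every
//      collection the user holds *some* privilege on, and is Unauthorized
//      when the user holds none on the database (the shell warning).
// All role, user, database and collection names below are constructed.

// A privilege is a resource plus the action types granted on it.
function privilege(db, collection, actions) {
  return { resource: { db, collection }, actions: new Set(actions) };
}

// Does a privilege apply to db.collection at all (ignoring actions)?
// An empty collection component is a database-level resource and covers
// every collection in that database.
function privilegeCovers(priv, db, collection) {
  const r = priv.resource;
  return r.db === db && (r.collection === "" || r.collection === collection);
}

// Does the user hold a specific action on db.collection? This is the
// check a data command such as find has to pass.
function isAuthorized(userPrivileges, db, collection, action) {
  return userPrivileges.some(
    (p) => privilegeCovers(p, db, collection) && p.actions.has(action)
  );
}

// Model of listCollections: a collection is returned if the user holds any
// privilege covering it; no privilege on the database at all is Unauthorized.
function listCollections(userPrivileges, db, existingCollections) {
  const holdsAnythingOnDb = userPrivileges.some((p) => p.resource.db === db);
  if (!holdsAnythingOnDb) {
    return { ok: 0, errmsg: "Unauthorized" };
  }
  const names = existingCollections.filter((coll) =>
    userPrivileges.some((p) => privilegeCovers(p, db, coll))
  );
  return { ok: 1, names };
}

// Constructed roles mirroring the two scenarios in the description.
// Assumption: the ticket's changeOwnPassword role grants the action on
// db_xyz at the database level (its real definition is not on the page).
const changeOwnPasswordROLE = [privilege("db_xyz", "", ["changeOwnPassword"])];
const readOnlyTestDBRole = [privilege("test", "", ["find"])];

// user333 holds both roles; user4444 holds only the read-only role.
const user333 = [...changeOwnPasswordROLE, ...readOnlyTestDBRole];
const user4444 = [...readOnlyTestDBRole];

// Constructed contents of db_xyz.
const dbXyzCollections = ["orders", "customers"];

function demo() {
  return {
    // Scenario #1: the db-level changeOwnPassword privilege covers every
    // collection in db_xyz, so all of them are listed...
    user333Sees: listCollections(user333, "db_xyz", dbXyzCollections),
    // ...even though it grants no useful action on any of them.
    user333CanFind: isAuthorized(user333, "db_xyz", "orders", "find"),
    // Scenario #2: no privilege on db_xyz at all, so listCollections fails.
    user4444Sees: listCollections(user4444, "db_xyz", dbXyzCollections),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node. The point it isolates is the one in the comment above: visibility of a collection name (any privilege covering the resource) and the ability to act on the collection (a specific action on that resource) are two different checks, and a database-level grant of an action that is only meaningful for users still satisfies the first.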
| Comment by Danny Hatcher (Inactive) [ 10/Oct/19 ] |
Digging down through the shell helpers. User with only role:
Runs the following:
If a user without any roles tries to run the same commands, the failures are the same but:
I agree that this likely is a bug. |