[SERVER-4692] Read-only users should be denied access to system.users collection
| Created: | 16/Jan/12 |
| Updated: | 30/Oct/15 |
| Resolved: | 09/Mar/12 |
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 2.0.2 |
| Fix Version/s: | 2.1.1 |
| Type: | Bug |
| Priority: | Critical - P2 |
| Reporter: | Nathaniel McCallum |
| Assignee: | Mathias Stearn |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Minor Change |
| Operating System: | ALL |
| Participants: | |
| Description |
Original Title: system.users collection placement allows offline dictionary attack for read-only users
When using authentication with MongoDB, users with read-write permissions have their password hashes stored in system.users. Read-only users can read these hashes. This permits read-only users to read the password hashes of read/write users and perform an offline dictionary attack in order to escalate their privileges.
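An audit helper added here as an example (not code from the ticket or from MongoDB): run it in the legacy mongo shell while authenticated as a read-only user to confirm that reads of system.users are denied after upgrading. It assumes the shell's `getSiblingDB()`, `getCollection()` and `findOne()` calls, the 2.0-era `pwd` field in system.users documents, and that an authorization failure surfaces as a thrown error whose message contains "unauthorized" or "not authorized".

```javascript
// Example audit helper for the legacy mongo shell (assumed API, see lead-in).
// Authenticate as a READ-ONLY user first, then call auditSystemUsers(db, [...]).
// Each database's system.users read is classified as:
//   "exposed" - the read succeeded and a stored credential (pwd) came back,
//               i.e. the pre-fix behaviour described in this ticket
//   "denied"  - the server rejected the read (expected after the 2.1.1 fix)
//   "empty"   - no user document stored there, so nothing can be concluded
//   "error"   - some other failure (network, unexpected exception)
function classifySystemUsersRead(dbHandle) {
  try {
    var doc = dbHandle.getCollection("system.users").findOne();
    if (doc === null || doc === undefined) return "empty";
    // a 2.0-era user document carries user, pwd and readOnly (assumed field names)
    return (doc.pwd !== undefined) ? "exposed" : "empty";
  } catch (e) {
    var msg = String(e && e.message ? e.message : e).toLowerCase();
    var unauthorized = msg.indexOf("unauthorized") >= 0 || msg.indexOf("not authorized") >= 0;
    return unauthorized ? "denied" : "error";
  }
}

// Walk every database the caller names; system.users is per-database in 2.0,
// so the admin database and each application database must be checked separately.
function auditSystemUsers(rootDb, dbNames) {
  var report = {};
  for (var i = 0; i < dbNames.length; i++) {
    report[dbNames[i]] = classifySystemUsersRead(rootDb.getSiblingDB(dbNames[i]));
  }
  return report;
}

// True if any database still lets the read-only user see stored credentials.
function hasExposure(report) {
  for (var name in report) {
    if (report[name] === "exposed") return true;
  }
  return false;
}

// In the mongo shell, after authenticating as the read-only user:
//   var r = auditSystemUsers(db, ["admin", "test"]); printjson(r); hasExposure(r);
```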
| Comments |
| Comment by auto [ 09/Mar/12 ] |
Author: Mathias Stearn (RedBeard0531, redbeard0531@gmail.com)
Message: Don't allow read-only users to read from system.users collection
| Comment by auto [ 09/Mar/12 ] |
Author: Mathias Stearn (RedBeard0531, redbeard0531@gmail.com)
Message: fix broken bits in reenabled test Prep for
| Comment by auto [ 09/Mar/12 ] |
Author: Mathias Stearn (RedBeard0531, redbeard0531@gmail.com)
Message: Features cmd no longer has readlock field Prep for
| Comment by Eliot Horowitz (Inactive) [ 17/Jan/12 ] |
The admin database is for people with server level admin access.
| Comment by Nathaniel McCallum [ 17/Jan/12 ] |
If you don't move it, how do you plan on restricting/granting permission to create new databases?
| Comment by Eliot Horowitz (Inactive) [ 17/Jan/12 ] |
system.indexes will certainly not change. system.users will probably not move - but we are likely to add an "admin" role which would have access to system.users
| Comment by Nathaniel McCallum [ 17/Jan/12 ] |
While blocking read-only users from reading system.users does solve this security problem, it doesn't solve the case where read/write users can keep backups of passwords for offline dictionary attacks when their privileges are revoked. This is, I think, just as important. It would be best to move system.users (and system.indexes while we're at it) to a separate database. This entirely separates the admin concern from the data storage and retrieval concern.
| Comment by Eliot Horowitz (Inactive) [ 17/Jan/12 ] |
read only users shouldn't be able to access system.users