[SERVER-60370] Change the name of collection will result in wrong authorization of database collection access. Created: 30/Sep/21 Updated: 27/Oct/23 Resolved: 01/Oct/21 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | 5.0.0 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Zhu Eddie | Assignee: | Edwin Zhou |
| Resolution: | Works as Designed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
MongoDB server version: 5.0 |
||
| Operating System: | ALL |
| Steps To Reproduce: | As dbOwner of database1: 1. , ]) db.t2.insertMany([ , ]) db.createRole( , actions: [ "find"] db.createRole( , actions: [ "find"] db.createUser( { user:"usr1", pwd:"123456", roles:[\{role:"t1Read",db:"database1"}] db.createUser( { user:"usr2", pwd:"123456", roles:[\{role:"t2Read",db:"database1"}] 2. , ] 3. 4.Login as usr1: , ] As you can see, after renaming the collections, usr1 actually get the data from the collection t2, which he's not supposed to be able to read. |
| Participants: |
| Description |
|
I would like to report a security issue on mongoDB privilege and role management.
Company name: BEIJING DBSEC TECHNOLOGY CO., LTD. |
| Comments |
| Comment by Edwin Zhou [ 11/Oct/21 ] |
|
I appreciate your continued input regarding MongoDB's security. I understand you're concerned that renaming a collection may allow for unintended access from other users. However, there are no additional privileges gained due to renameCollection. A user that is authorized to renameCollection must have read privileges for the source collection and write privileges for the target collection. That is, any user that can rename a source to a target collection can already expose documents from the source collection to other users with read privileges on the target collection. For example, they may already expose documents on the source collection by copying them to the target collection. Best, |
| Comment by Zhu Eddie [ 09/Oct/21 ] |
|
Hi Edwin, Mongodb allows users to rename a collection could affect the relavant collection authorization and access, does that sound logical? I don't think so.
Eddie Zhu |
| Comment by Edwin Zhou [ 01/Oct/21 ] |
|
Thanks for your report. We believe this works as designed because authorization is determined by the resource name, rather than the data in the resource. So if a user has read access to a namespace of database1.t1, and database1.t2 is renamed to database1.t1, then the user will be able to read the renamed collection that was formerly known as database1.t2. Best, |