[SERVER-60370] Changing the name of a collection will result in wrong authorization of database collection access. Created: 30/Sep/21  Updated: 27/Oct/23  Resolved: 01/Oct/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 5.0.0
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Zhu Eddie Assignee: Edwin Zhou
Resolution: Works as Designed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

MongoDB server version: 5.0
CentOS Linux release 7.6.1810 (Core)


Operating System: ALL
Steps To Reproduce:

As dbOwner of database1:

1.
use database1
db.t1.insertMany([
  { name: 't1', email: 't1table@example.com' },
  { name: 'lexas', email: 'lexas@example.com' }
])

db.t2.insertMany([
  { name: 't2', email: 't2table@example.com' },
  { name: 'linsay', email: 'linsay@example.com' }
])

db.createRole(
  {
    role: "t1Read",
    privileges: [
      {
        resource: { db: "database1", collection: "t1" },
        actions: [ "find" ]
      }
    ],
    roles: []
  }
)

db.createRole(
  {
    role: "t2Read",
    privileges: [
      {
        resource: { db: "database1", collection: "t2" },
        actions: [ "find" ]
      }
    ],
    roles: []
  }
)

db.createUser(
  {
    user: "usr1",
    pwd: "123456",
    roles: [ { role: "t1Read", db: "database1" } ]
  }
)

db.createUser(
  {
    user: "usr2",
    pwd: "123456",
    roles: [ { role: "t2Read", db: "database1" } ]
  }
)

2.
Login as usr1:
test> use database1
switched to db database1
database1> db.t1.find({})
[
  {
    _id: ObjectId("6155864d0133ab8df9f21ceb"),
    name: 't1',
    email: 't1table@example.com'
  },
  {
    _id: ObjectId("6155864d0133ab8df9f21cec"),
    name: 'lexas',
    email: 'lexas@example.com'
  }
]
database1> db.t2.find({})
MongoServerError: not authorized on database1 to execute command { find: "t2", filter: {}, lsid: { id: UUID("a4aad0fe-9183-45af-a240-713c79eba1cc") }, $db: "database1" }

3.
As dbOwner of database1:
use database1
database1> db.t1.renameCollection('t3');
database1> db.t2.renameCollection('t1');
database1> db.t3.renameCollection('t2');

4.
Login as usr1:
database1> db.t1.find({})
[
  {
    _id: ObjectId("615586580133ab8df9f21ced"),
    name: 't2',
    email: 't2table@example.com'
  },
  {
    _id: ObjectId("615586580133ab8df9f21cee"),
    name: 'linsay',
    email: 'linsay@example.com'
  }
]
database1> db.t2.find({})
MongoServerError: not authorized on database1 to execute command { find: "t2", filter: {}, lsid: { id: UUID("a4aad0fe-9183-45af-a240-713c79eba1cc") }, $db: "database1" }

As you can see, after renaming the collections, usr1 actually gets the data from the collection t2, which he is not supposed to be able to read.

Description

I would like to report a security issue in MongoDB privilege and role management.
When the database administrator changes a collection's name, the role privileges on the corresponding collection don't reflect the change, which gives users the ability to get data from collections they are not supposed to read.

 

Company name: BEIJING DBSEC TECHNOLOGY CO., LTD.
Personal name: Eddie Zhu
Web site: www.dbsec.cn



Comments
Comment by Edwin Zhou [ 11/Oct/21 ]

Hi zhuqiangtj@gmail.com,

I appreciate your continued input regarding MongoDB's security. I understand you're concerned that renaming a collection may allow for unintended access from other users.

However, there are no additional privileges gained due to renameCollection. A user that is authorized to renameCollection must have read privileges for the source collection and write privileges for the target collection. That is, any user that can rename a source to a target collection can already expose documents from the source collection to other users with read privileges on the target collection. For example, they may already expose documents on the source collection by copying them to the target collection.

Best,
Edwin

Comment by Zhu Eddie [ 09/Oct/21 ]

Hi Edwin,

MongoDB allowing users to rename a collection can affect the relevant collection's authorization and access; does that sound logical?

I don't think so.

 

Eddie Zhu

Comment by Edwin Zhou [ 01/Oct/21 ]

Hi zhuqiangtj@gmail.com,

Thanks for your report. We believe this works as designed because authorization is determined by the resource name, rather than the data in the resource. So if a user has read access to a namespace of database1.t1, and database1.t2 is renamed to database1.t1, then the user will be able to read the renamed collection that was formerly known as database1.t2.

Best,
Edwin

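The reply above states the design: a privilege names a namespace (database plus collection), and the server checks the namespace of the command, never the provenance of the documents in it. The practical consequence for an administrator is that the question to ask before a rename is "who can already act on the destination namespace?", because the rename hands them the source's documents. The script below is an added example and is not code from the report or from MongoDB. It runs an audit of that kind over constructed role and user documents shaped like the output of db.getRoles({ showPrivileges: true }) and db.getUsers(); the t1Read and t2Read roles and the usr1 and usr2 users follow the report, while the allRead and t1ReadViaInheritance roles are constructed here to exercise the empty-string wildcard and role inheritance. The resource-matching rules (empty db or collection as a wildcard for that component, cluster: true as a non-namespace resource, anyResource: true matching everything) follow MongoDB's resource document format.

```javascript
"use strict";

// Added example (not the report's or MongoDB's code): a pre-rename audit.
// MongoDB authorizes by namespace (db + collection), not by the documents
// inside it, so renaming t2 to t1 hands t2's documents to every role that
// can already read database1.t1. This script answers "who can read the
// destination namespace?" before the rename is run.

// Constructed sample input shaped like db.getRoles({ showPrivileges: true })
// output, trimmed to the fields used here. t1Read and t2Read are the roles
// from the report; allRead and t1ReadViaInheritance are constructed to show
// the "" wildcard and role inheritance.
const ROLES = [
  { role: "t1Read", db: "database1", roles: [],
    privileges: [{ resource: { db: "database1", collection: "t1" }, actions: ["find"] }] },
  { role: "t2Read", db: "database1", roles: [],
    privileges: [{ resource: { db: "database1", collection: "t2" }, actions: ["find"] }] },
  { role: "allRead", db: "database1", roles: [],
    privileges: [{ resource: { db: "database1", collection: "" }, actions: ["find"] }] },
  { role: "t1ReadViaInheritance", db: "database1",
    roles: [{ role: "t1Read", db: "database1" }], privileges: [] },
];

// Constructed sample users, shaped like db.getUsers() output.
const USERS = [
  { user: "usr1", db: "database1", roles: [{ role: "t1Read", db: "database1" }] },
  { user: "usr2", db: "database1", roles: [{ role: "t2Read", db: "database1" }] },
];

// Does a privilege's resource document cover the namespace nsDb.coll?
// "" in db or collection is MongoDB's wildcard for that component;
// { cluster: true } is not a namespace; { anyResource: true } covers all.
function resourceCovers(resource, nsDb, coll) {
  if (resource.anyResource === true) return true;
  if (resource.cluster === true) return false;
  const dbOk = resource.db === "" || resource.db === nsDb;
  const collOk = resource.collection === "" || resource.collection === coll;
  return dbOk && collOk;
}

// Every privilege a role holds, following the roles it inherits from.
function effectivePrivileges(roles, name, roleDb, seen = new Set()) {
  const key = `${roleDb}.${name}`;
  if (seen.has(key)) return [];                         // guard against cycles
  seen.add(key);
  const role = roles.find((r) => r.role === name && r.db === roleDb);
  if (!role) return [];                                 // unknown role: grants nothing
  let privs = role.privileges.slice();
  for (const parent of role.roles) {
    privs = privs.concat(effectivePrivileges(roles, parent.role, parent.db, seen));
  }
  return privs;
}

// Names of roles that grant `action` on nsDb.coll, sorted.
function rolesGranting(roles, nsDb, coll, action) {
  return roles
    .filter((r) => effectivePrivileges(roles, r.role, r.db).some(
      (p) => p.actions.includes(action) && resourceCovers(p.resource, nsDb, coll)))
    .map((r) => r.role)
    .sort();
}

// Who gains and who loses `action` over the documents currently in nsDb.src
// when it is renamed to nsDb.dst (same database).
function renameImpact(roles, nsDb, src, dst, action = "find") {
  const before = new Set(rolesGranting(roles, nsDb, src, action));
  const after = new Set(rolesGranting(roles, nsDb, dst, action));
  return {
    gain: [...after].filter((r) => !before.has(r)),
    lose: [...before].filter((r) => !after.has(r)),
  };
}

// Users holding any of the given role names defined in roleDb, sorted.
function usersWithRoles(users, roleNames, roleDb) {
  const wanted = new Set(roleNames);
  return users
    .filter((u) => u.roles.some((r) => r.db === roleDb && wanted.has(r.role)))
    .map((u) => u.user)
    .sort();
}

// Step 3 of the report: database1.t2 is renamed to database1.t1.
const impact = renameImpact(ROLES, "database1", "t2", "t1");
console.log("roles that gain read access to t2's documents:", impact.gain);
console.log("users that gain it:", usersWithRoles(USERS, impact.gain, "database1"));
console.log("roles that lose read access to them:", impact.lose);
```

Run as-is under Node, or paste into mongosh and replace ROLES with db.getRoles({ showPrivileges: true, showBuiltinRoles: true }) and USERS with db.getUsers() for the current database. For the report's rename the audit lists t1Read (and the role inheriting it, so usr1) as gaining read access to t2's documents and t2Read as losing it, which is exactly the outcome step 4 of the report shows; the rename itself is not the leak, the pre-existing grant on the destination namespace is. As the reply notes, whoever performs the rename already needs read privileges on the source and write privileges on the target, so this check is for the administrator who holds both, to see what the rename exposes before running it.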
Generated at Thu Feb 08 05:49:38 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.