[SERVER-7604] On MongoS read-only users should be denied access to system.users collection
Created: 09/Nov/12  Updated: 11/Jul/16  Resolved: 27/Feb/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.2.1
Fix Version/s: 2.2.4

Type: Bug
Priority: Major - P3
Reporter: Gianfranco Palumbo
Assignee: Spencer Brody (Inactive)
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-4692 Read-only users should be denied acce... Closed
related to SERVER-3198 Ability to restrict operations by role Closed
Operating System: ALL
Participants:

 Description   

On MongoD

Steps to reproduce:

Create a read-only user in any database:

> db.addUser('mod', 'pass', true)

Restart with mongod --auth.

> db.auth('mod','pass')
> db.system.users.find()
error: {
  "$err": "unauthorized db:test ns:test.system.users lock type:1 client:127.0.0.1",
  "code": 10057
}

On MongoS started with --keyFile filename and members started with --auth --keyFile filename

> db.auth('mod','pass')
> db.system.users.find()
 
{ "_id": ObjectId("509cea7b45f86c6fcc64b71c"), "user": "mod", "readOnly": true, "pwd": "aa387b99960161d09f7a38d57fd7a15a" }

Note that the mongoD is not part of the mongoS shard. The same occurs on localhost and when connecting from a remote host on the LAN.



 Comments   
Comment by auto [ 27/Feb/13 ]

Author: Spencer T Brody <spencer@10gen.com>
Date: 2013-01-09T00:00:19Z

Message: SERVER-7604 deny access to system.users to read-only users through mongos
Branch: v2.2
https://github.com/mongodb/mongo/commit/37c3df43f01a57c3698db6e371f71371a0ddd6a4

Comment by Spencer Brody (Inactive) [ 12/Nov/12 ]

SERVER-3198 (which is being done as part of SERVER-7115) will fix this automatically for 2.4.
