[SERVER-76111] The common users (with readWrite role on system db) can modify the system collection's data; it is very dangerous and can cause serious problems. Created: 14/Apr/23  Updated: 19/Jan/24  Resolved: 19/Jan/24

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 5.0 Required, 4.0 Required, 4.2 Required, 4.4 Required, 6.0 Required
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: y yz Assignee: Sara Golemon
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2023-04-14-20-39-10-234.png     PNG File image-2023-04-14-20-43-39-121.png     PNG File image-2023-04-14-20-45-20-986.png     PNG File image-2023-04-14-22-23-00-492.png     PNG File image-2023-04-14-22-26-41-220.png     PNG File image-2023-04-14-22-36-10-185.png    
Assigned Teams:
Server Security
Operating System: ALL
Sprint: Security 2023-05-01, Security 2023-05-15, Security 2024-01-22
Participants:

 Description   

When we create an account that can read and write the system dbs (admin, config, local), the account can modify the system namespaces (config.transactions, config.chunks.xxx, config.cache.xx, etc.). The reason is that we missed some system namespaces when we judge the normal collection.

The verification steps are as follows:

Step 1: create a user that can read and write config, local, admin.

Step 2: log in to the cluster with the user; we can verify system namespace data, even drop system namespaces.
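As an added example (not part of the ticket and not MongoDB's own code), the following Node.js script is the check a defender would run while this behaviour exists: it walks the documents returned by `db.getUsers()` (or the `usersInfo` command) and flags accounts whose built-in roles grant write access to admin, config or local, and it classifies namespaces with patterns modelled on the system namespaces the ticket lists. The user documents are constructed for the example; the role sets and the namespace patterns are assumptions, not an exhaustive list.

```javascript
// Added example: audit usersInfo output for write roles on system databases.
// Not from the ticket or from MongoDB; SAMPLE_USERS is constructed.

const SYSTEM_DBS = new Set(["admin", "config", "local"]);

// Built-in roles that imply write (or drop) access to a database's collections.
// Assumed set for the audit; the ticket itself discusses readWrite.
const DB_WRITE_ROLES = new Set(["readWrite", "dbOwner", "dbAdmin"]);
// Roles granted on admin that imply write access to every database.
const ANY_DB_WRITE_ROLES = new Set(["readWriteAnyDatabase", "dbAdminAnyDatabase", "root"]);

// Namespace patterns modelled on the examples in the ticket (assumption).
const SYSTEM_NS_PATTERNS = [
  /^[^.]+\.system\./,                // <db>.system.*
  /^local\.replset\./,               // local.replset.*
  /^local\.startup_log$/,
  /^config\.transactions$/,
  /^config\.cache\./,                // config.cache.*
  /^config\.chunks/,                 // config.chunks and related
  /^config\.migrationCoordinators$/,
];

// True when a "db.collection" string names one of the system namespaces above.
function isSystemNamespace(ns) {
  return SYSTEM_NS_PATTERNS.some((re) => re.test(ns));
}

// Walk usersInfo-style documents and return one finding per risky role grant.
function auditUsers(users) {
  const findings = [];
  for (const u of users) {
    for (const r of u.roles || []) {
      if (r.db === "admin" && ANY_DB_WRITE_ROLES.has(r.role)) {
        findings.push({ user: u.user, userDb: u.db, role: r.role, db: "*",
                        reason: "cluster-wide write role reaches every system namespace" });
      } else if (SYSTEM_DBS.has(r.db) && DB_WRITE_ROLES.has(r.role)) {
        findings.push({ user: u.user, userDb: u.db, role: r.role, db: r.db,
                        reason: "write role on a system database" });
      }
    }
  }
  return findings;
}

// Constructed sample in the shape db.getUsers() returns (user, db, roles).
const SAMPLE_USERS = [
  { user: "app", db: "appdb", roles: [{ role: "readWrite", db: "appdb" }] },
  { user: "ops", db: "admin", roles: [{ role: "readWrite", db: "config" },
                                      { role: "read", db: "local" }] },
  { user: "dba", db: "admin", roles: [{ role: "root", db: "admin" }] },
];

for (const f of auditUsers(SAMPLE_USERS)) {
  console.log(`${f.user}@${f.userDb}: ${f.role} on ${f.db} (${f.reason})`);
}
```

In a real deployment the input would come from `db.getUsers()` on each database (or `usersInfo` with `forAllDBs`), and custom roles would additionally need `rolesInfo` with `showPrivileges` to see which namespaces they reach; the point of the audit is that, while this ticket stands, a plain `readWrite` grant on admin, config or local is equivalent to write access on the namespaces listed above.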



 Comments   
Comment by Sara Golemon [ 19/Jan/24 ]

Closed PR due to requirements on these collections.

Comment by y yz [ 13/Oct/23 ]

Hi, Sara Golemon,

Do you have the conclusion of this question? If so, we can synchronize it. Thank you.


Thanks.

Comment by Sara Golemon [ 17/Apr/23 ]

To rephrase this ticket, OP seems to want us to include more namespaces as "non-normal", requiring them to be explicitly granted for access rather than being implicitly included in roles such as `readWrite`.  This is probably fine, as it moves us to a more default-closed state, but it's going to require some careful testing and probably expansion of roles such as `clusterMonitor` to explicitly include these namespaces so that existing valid users don't break.

Comment by y yz [ 14/Apr/23 ]

The pushed code address: https://github.com/mongodb/mongo/pull/1539

Thanks.

Comment by y yz [ 14/Apr/23 ]

Besides db.system.xxxx and local.replset.xxx, the normal collection should eliminate other system namespaces, for example config.transactions, config.cache.xxx, config.migrationCoordinators, local.startup_log, etc.

After perfecting the code, the common readWrite user cannot see the system namespaces, as shown in the attached screenshots:

shard server: (screenshot attached)

config server: (screenshot attached)

mongos: (screenshot attached)

Generated at Thu Feb 08 06:31:52 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.