[SERVER-76111] The common users (with readWrite role on system db) can modify the system collection's data, it is very dangerous, this can cause serious problems. Created: 14/Apr/23 Updated: 19/Jan/24 Resolved: 19/Jan/24 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | 5.0 Required, 4.0 Required, 4.2 Required, 4.4 Required, 6.0 Required |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | y yz | Assignee: | Sara Golemon |
| Resolution: | Won't Fix | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Attachments: |
|
| Assigned Teams: |
Server Security
|
| Operating System: | ALL |
| Sprint: | Security 2023-05-01, Security 2023-05-15, Security 2024-01-22 |
| Participants: |
| Description |
|
When we create an account that can read and write the system db (admin, config, local), the account can modify the system namespace (config.transactions, config.chunks.xxx). The verification steps are as follows:
step 1: create a user that can read and write config, local, admin
step 2: log in to the cluster with the user; we can verify system namespace data, even drop system namespace
|
| Comments |
| Comment by Sara Golemon [ 19/Jan/24 ] |
|
Closed PR due to requirements on these collections. |
| Comment by y yz [ 13/Oct/23 ] |
|
Hi Sara Golemon, do you have the conclusion of this question? If so, we can synchronize it. Thank you.
thanks. |
| Comment by Sara Golemon [ 17/Apr/23 ] |
|
To rephrase this ticket, OP seems to want us to include more namespaces as "non-normal", requiring them to be explicitly granted for access rather than being implicitly included in roles such as `readWrite`. This is probably fine, as it moves us to a more default-closed state, but it's going to require some careful testing and probably expansion of roles such as `clusterMonitor` to explicitly include these namespaces so that existing valid users don't break. |
| Comment by y yz [ 14/Apr/23 ] |
|
The pushed code address: https://github.com/mongodb/mongo/pull/1539 Thanks. |
| Comment by y yz [ 14/Apr/23 ] |
|
Besides db.system.xxxx and local.replset.xxx, the normal collection should eliminate other system namespace. For example, config.transactions, config.cache.xxx, config.migrationCoordinators, local.startup_log, etc. After perfecting the code, the common readWrite user cannot see the system namespace, as follows:
shard server:
config server:
mongos:
|
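
Since the ticket was closed as Won't Fix, one practical check is to list which accounts hold the kind of grant the report describes. The following is an added example, not part of the ticket or of MongoDB's code; it assumes user documents shaped like the `users` array returned by the `usersInfo` command, and the function name and sample users are constructed for illustration.

```javascript
// Databases the ticket calls "system db".
const SYSTEM_DBS = new Set(["admin", "config", "local"]);
// Built-in database-scoped roles that carry readWrite's write actions.
// dbOwner combines readWrite, dbAdmin and userAdmin.
const WRITE_ROLES = new Set(["readWrite", "dbOwner"]);

// Returns one finding per (user, role, db) grant that gives write access
// to a system database, looking at direct and inherited roles.
function findSystemDbWriters(users) {
  const findings = [];
  for (const u of users) {
    // inheritedRoles is only present when the caller asked for it
    // (assumption: usersInfo run with showPrivileges: true).
    const grants = [...(u.roles || []), ...(u.inheritedRoles || [])];
    const seen = new Set();
    for (const g of grants) {
      if (!WRITE_ROLES.has(g.role) || !SYSTEM_DBS.has(g.db)) continue;
      const key = `${g.role}@${g.db}`;
      if (seen.has(key)) continue; // same grant listed directly and inherited
      seen.add(key);
      findings.push({ user: `${u.db}.${u.user}`, role: g.role, db: g.db });
    }
  }
  return findings;
}

// Constructed sample input (not taken from a real deployment).
const sampleUsers = [
  { user: "app", db: "admin", roles: [
      { role: "readWrite", db: "config" },
      { role: "readWrite", db: "local" },
      { role: "readWrite", db: "admin" } ] },
  { user: "reports", db: "shop", roles: [
      { role: "read", db: "config" },
      { role: "readWrite", db: "shop" } ] },
  // "opsBundle" is a hypothetical user-defined role that inherits dbOwner on config.
  { user: "ops", db: "admin", roles: [{ role: "opsBundle", db: "admin" }],
    inheritedRoles: [
      { role: "opsBundle", db: "admin" },
      { role: "dbOwner", db: "config" } ] },
];

for (const f of findSystemDbWriters(sampleUsers)) {
  console.log(`${f.user} holds ${f.role} on ${f.db}`);
}
```

Accounts flagged this way are candidates for replacement with a custom role limited to the specific collections the application needs.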