[SERVER-8492] Initial admin user can't be added over a Unix domain socket on OSX
Created: 08/Feb/13  Updated: 11/Jul/16  Resolved: 23/May/14

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 2.7.1

Type: Bug
Priority: Minor - P4
Reporter: Bernie Hackett
Assignee: David Hows
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate: is duplicated by SERVER-13893 Unix domain socket support should be ... (Closed)
Operating System: ALL

 Description   

On Linux an initial admin user can be added over a Unix domain socket:

MongoDB shell version: 2.2.3
connecting to: /tmp/mongodb-27017.sock:27017/test
repl0:PRIMARY> use admin
switched to db admin
repl0:PRIMARY> db.runCommand('getCmdLineOpts')
{
	"argv" : [
		"./mongod",
		"--dbpath",
		"/storage/data/rs0",
		"--port",
		"27017",
		"--replSet",
		"repl0",
		"--keyFile",
		"/home/behackett/work/key"
	],
	"parsed" : {
		"dbpath" : "/storage/data/rs0",
		"keyFile" : "/home/behackett/work/key",
		"port" : 27017,
		"replSet" : "repl0"
	},
	"ok" : 1
}
repl0:PRIMARY> db.sytem.users.find()
repl0:PRIMARY> db.addUser('admin', 'pass')
{
	"user" : "admin",
	"readOnly" : false,
	"pwd" : "e4e538f5dcb52537cad02bbf8491693c",
	"_id" : ObjectId("511583981babfde6e653926b")
}
addUser succeeded, but cannot wait for replication since we no longer have auth
 
> db.auth('admin', 'pass')
1
repl0:PRIMARY> 

On OSX this isn't possible:

./mongo --host /tmp/mongodb-27017.sock
MongoDB shell version: 2.2.3
connecting to: /tmp/mongodb-27017.sock:27017/test
> use admin
switched to db admin
> db.runCommand('getCmdLineOpts')
{ "errmsg" : "need to login", "ok" : 0 }
> db.system.users.find()
error: {
	"$err" : "unauthorized db:admin ns:admin.system.users lock type:1 client:",
	"code" : 10057
}
> 

Using a regular socket works fine:

./mongo
MongoDB shell version: 2.2.3
connecting to: test
> use admin
switched to db admin
> db.runCommand('getCmdLineOpts')
{
	"argv" : [
		"./mongod",
		"--dbpath",
		"/Users/behackett/data/db",
		"--auth"
	],
	"parsed" : {
		"auth" : true,
		"dbpath" : "/Users/behackett/data/db"
	},
	"ok" : 1
}

I've tried this with both replica sets and a single mongod instance. The behavior is the same in both cases.



 Comments   
Comment by Githook User [ 29/May/14 ]

Author: daveh86 <howsdav@gmail.com>

Message: SERVER-8492 SERVER-13893 Test for detecting named/unnamed unix socket

Signed-off-by: Benety Goh <benety@mongodb.com>
Branch: master
https://github.com/mongodb/mongo/commit/507a7d5e34d051ba3f30c3add50afa08b790f6d3

Comment by Benety Goh [ 23/May/14 ]

sock.cpp changes have been merged and are ready for 2.7.1.

The test improvements can be made in a new SERVER ticket or added to this ticket as a follow-up.

Comment by Githook User [ 22/May/14 ]

Author: daveh86 <howsdav@gmail.com>

Message: SERVER-8492 Change socket check to be sun_path[0] != '\0'

Signed-off-by: Benety Goh <benety@mongodb.com>
Branch: master
https://github.com/mongodb/mongo/commit/072266f7f46af42a5030ef7920c42d863a5d5f74
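
Added example, not the project's sock.cpp code: a C illustration of the named/unnamed Unix domain socket check that the commit messages above refer to (sun_path[0] != '\0'), showing why a length-only test can misclassify a local peer. The enum, the function names and the sample path are hypothetical, and the "longer length, empty path" case is an assumption about how a kernel other than Linux may report an unnamed peer; the ticket does not state it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

enum peer_kind { PEER_NOT_UNIX, PEER_UNIX_UNNAMED, PEER_UNIX_NAMED };

/* Classify an address from accept()/getpeername(). Either AF_UNIX result is a local peer. */
enum peer_kind classify_peer(const struct sockaddr_storage *ss, socklen_t len) {
    const socklen_t hdr = (socklen_t)offsetof(struct sockaddr_un, sun_path);
    if (len < hdr || ss->ss_family != AF_UNIX) return PEER_NOT_UNIX;
    /* unix(7): an unnamed socket may come back with only the family field set;
     * sun_path was never written in that case, so it is not read. */
    if (len == hdr) return PEER_UNIX_UNNAMED;
    /* Assumed case: longer length but empty path. Only the first byte of
     * sun_path separates it from a named socket (Linux abstract names land here too). */
    return ((const struct sockaddr_un *)ss)->sun_path[0] != '\0'
               ? PEER_UNIX_NAMED : PEER_UNIX_UNNAMED;
}

/* Constructed sample address with a caller-chosen path and reported length. */
enum peer_kind kind_of_sample(const char *path, socklen_t len) {
    struct sockaddr_storage ss;
    struct sockaddr_un *un = (struct sockaddr_un *)&ss;
    memset(&ss, 0, sizeof ss);
    un->sun_family = AF_UNIX;
    strncpy(un->sun_path, path, sizeof un->sun_path - 1);
    return classify_peer(&ss, len);
}

/* Live check: the peer of a socketpair() end is never bound to a path. */
enum peer_kind kind_of_socketpair_peer(void) {
    int fds[2];
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    enum peer_kind k = PEER_NOT_UNIX;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) != 0) return k;
    memset(&ss, 0, sizeof ss);
    if (getpeername(fds[0], (struct sockaddr *)&ss, &len) == 0) k = classify_peer(&ss, len);
    close(fds[0]); close(fds[1]);
    return k;
}

int main(void) {
    printf("named sample: %d\n", kind_of_sample("/tmp/example.sock", sizeof(struct sockaddr_un)));
    printf("empty path:   %d\n", kind_of_sample("", sizeof(struct sockaddr_un)));
    printf("socketpair:   %d\n", kind_of_socketpair_peer());
    return 0;
}
```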
