[SERVER-8540] Unauthorized users allowed to read system.profile collection Created: 12/Feb/13  Updated: 11/Jul/16  Resolved: 12/Feb/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.4.0-rc0
Fix Version/s: 2.4.0-rc1

Type: Bug Priority: Major - P3
Reporter: J Rassi Assignee: Spencer Brody (Inactive)
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL

Description

To reproduce (mongo shell, against a 2.4.0-rc0 mongod started with --auth):

// Bootstrap an admin user with user-admin, db-admin and read-write rights on every database
adminDb = db.getSiblingDB("admin")
testDb = db.getSiblingDB("testdb")
adminDb.addUser({user:'admin',pwd:'password',roles:['userAdminAnyDatabase','dbAdminAnyDatabase', 'readWriteAnyDatabase']})
adminDb.auth('admin','password')
// Create a user holding only the 'read' role on testdb, and enable the profiler
// so that testdb.system.profile is populated
testDb.addUser({user:'readUser',pwd:'password',roles:['read']})
testDb.setProfilingLevel(2)
adminDb.logout()
// Authenticate as the read-only user and query the profiler output
testDb.auth('readUser','password')
testDb.system.profile.find() // succeeds, but should be refused: only dbAdmin should be able to read system.profile

Culprit in AuthorizationManager::_modifyPrivilegeForSpecialCases (note the misspelled collection name "system.profle": the comparison never matches the real system.profile collection, so the special case never fires):

        } else if (collectionName == "system.profle" && newActions.contains(ActionType::find)) {
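The failure mode above, modelled as an added C++ example (not MongoDB's own code): a privilege special case keyed on a string literal, once with the misspelled name from the report and once corrected, together with the kind of regression check the fix commit describes. The names Action, requiredActionBuggy, requiredActionFixed, isAuthorized, profileReadRestricted and specialCaseNamesAreKnown are hypothetical, the role action sets are simplified stand-ins for the 'read' and 'dbAdmin' roles in the repro, and the list of known system collection names is an example list.

```cpp
#include <set>
#include <string>
#include <vector>

// Hypothetical model of a per-collection privilege special case; this is an
// added illustration, not MongoDB's AuthorizationManager.
enum class Action { find, insert, update, remove, dbAdmin };
using ActionSet = std::set<Action>;

// Buggy variant: keeps the misspelled literal quoted in the report. The branch
// can never match the real "system.profile" collection, so a plain find on the
// profiler output is checked like a find on any ordinary collection.
Action requiredActionBuggy(const std::string& collection, Action requested) {
    if (collection == "system.profle" && requested == Action::find) {
        return Action::dbAdmin;   // unreachable for the real collection name
    }
    return requested;
}

// Fixed variant: reading the profiler output requires dbAdmin on the database.
Action requiredActionFixed(const std::string& collection, Action requested) {
    if (collection == "system.profile" && requested == Action::find) {
        return Action::dbAdmin;
    }
    return requested;
}

using RequiredActionFn = Action (*)(const std::string&, Action);

// Authorization decision: the caller must hold whatever action the
// special-case rewrite demands for this collection and request.
bool isAuthorized(RequiredActionFn rule, const ActionSet& granted,
                  const std::string& collection, Action requested) {
    return granted.count(rule(collection, requested)) > 0;
}

// Simplified action sets standing in for the 'read' and 'dbAdmin' roles.
ActionSet readRole()    { return {Action::find}; }
ActionSet dbAdminRole() { return {Action::find, Action::dbAdmin}; }

// Regression check in the spirit of "Add test that non-dbAdmins can't read
// system.profile": a read-only principal is refused, a dbAdmin principal is
// allowed, and ordinary collections are unaffected. Returns true only when
// the rule behaves correctly on all three.
bool profileReadRestricted(RequiredActionFn rule) {
    return !isAuthorized(rule, readRole(),    "system.profile", Action::find)
        &&  isAuthorized(rule, dbAdminRole(), "system.profile", Action::find)
        &&  isAuthorized(rule, readRole(),    "orders",         Action::find);
}

// Static guard against exactly this class of typo: every collection name a
// special case mentions must be a real system collection name (example list).
bool specialCaseNamesAreKnown(const std::vector<std::string>& specialCased) {
    static const std::set<std::string> known = {
        "system.profile", "system.users", "system.indexes", "system.namespaces"};
    for (const auto& name : specialCased) {
        if (!known.count(name)) return false;
    }
    return true;
}
```

The behavioural check is the one that matters in practice: a deny branch that is never exercised by a test fails silently, and the only symptom is that the read succeeds, exactly as in the repro. The name-list guard is a cheap second line of defence for literals that are typed by hand.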

Comments
Comment by auto [ 12/Feb/13 ]

Author: Spencer T Brody <spencer@10gen.com> (2013-02-12T23:25:40Z)

Message: SERVER-8540 Add test that non-dbAdmins can't read system.profile
Branch: master
https://github.com/mongodb/mongo/commit/6e243bcfb4f17fad02f5d8069eec63fe59564242

Comment by auto [ 12/Feb/13 ]

Author: Spencer T Brody <spencer@10gen.com> (2013-02-12T23:05:35Z)

Message: SERVER-8540 Only dbAdmin should be able to read system.profile
Branch: master
https://github.com/mongodb/mongo/commit/652651a3c9bf5e79152840a82b6baf8df78c53c4

Generated at Thu Feb 08 03:17:43 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.