[SERVER-9475] renameCollection is marked as an admin-only command but can be run without authenticating as admin Created: 25/Apr/13  Updated: 10/Dec/14  Resolved: 25/Oct/13

Status: Closed
Project: Core Server
Component/s: Security, Usability
Affects Version/s: 2.2.4, 2.4.3
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Sridhar Nanjundeswaran Assignee: Spencer Brody (Inactive)
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

standalone MongoDB 2.4.3 Windows 2008R2+ build on Windows 7


Issue Links:
Duplicate
duplicates SERVER-11085 renameCollection must be run on the a... Closed
Operating System: ALL
Steps To Reproduce:

Start mongod with --auth. From the shell

use admin
db.addUser("admin","admin")
db.auth("admin","admin")
use rt
db.addUser("rt","rt")
use admin
db.logout()
use rt
db.auth("rt","rt")
db.foo.insert({bar:1})

If you now run

db.runCommand({renameCollection:"rt.foo", to:"rt.bar"})


it fails with

{ "ok" : 0, "errmsg" : "access denied; use admin db" }

If you now do

use admin
db.runCommand({renameCollection:"rt.foo", to:"rt.bar"})

the rename succeeds even without authenticating using admin credentials.
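The same walk-through as one mongo shell script, so the two outcomes can be checked in a single run. This is an added example, not part of the original ticket or of the MongoDB project: it assumes a mongod started with --auth on localhost (so the first admin user can be created over the localhost exception) and no pre-existing users; the user names, passwords, the "rt" database and the collection names are the ticket's own, the variable names are ours.

```mongo
// Added example: reproduces the ticket's steps end to end and asserts on each outcome.
// Assumed: mongod --auth reachable from this shell on localhost, no users yet.
var adminDb = db.getSiblingDB("admin");
var rtDb = db.getSiblingDB("rt");

// 1. Create the admin user and, while authenticated as it, a db-level user on "rt".
adminDb.addUser("admin", "admin");
assert(adminDb.auth("admin", "admin"), "admin auth failed");
rtDb.addUser("rt", "rt");
adminDb.logout();

// 2. Hold only the "rt" credentials and create a collection to rename.
assert(rtDb.auth("rt", "rt"), "rt auth failed");
rtDb.foo.insert({bar: 1});

// 3. renameCollection issued against "rt" is refused: it has to be sent to admin.
var fromRt = rtDb.runCommand({renameCollection: "rt.foo", to: "rt.bar"});
assert.eq(0, fromRt.ok, "expected refusal when run against rt");
print("against rt: " + fromRt.errmsg);   // access denied; use admin db

// 4. The same command sent to admin succeeds although no admin credentials are held.
var fromAdmin = adminDb.runCommand({renameCollection: "rt.foo", to: "rt.bar"});
assert.eq(1, fromAdmin.ok, "expected success when run against admin");

// 5. Confirm the rename actually took effect within the "rt" database.
assert.eq(0, rtDb.foo.count(), "foo should no longer exist");
assert.eq(1, rtDb.bar.count(), "bar should hold the inserted document");
print("same-db rename succeeded with rt credentials only");
```

Run it with the 2.4-era shell as `mongo localhost/rt repro.js`; the script stops at the first assertion that does not hold, so an instance that refuses step 4 is simply not exhibiting the behaviour described in the report.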

Description

renameCollection is an admin-only command. When auth is turned on you can rename a collection within the same db even without authenticating using the admin user credentials.

Comments
Comment by Spencer Brody (Inactive) [ 25/Apr/13 ]

This is working as designed. Rename collection is not an admin-only command, it just has to be run against the admin database. While this is not a security concern, it is a bit confusing that it needs to be run on admin even though it doesn't require admin credentials (this was presumably done because it can affect multiple databases). So perhaps this should be changed just from a usability perspective.
