[SERVER-9475] renameCollection is marked as admin only command but can be run without authenticating as admin

Created: 25/Apr/13 | Updated: 10/Dec/14 | Resolved: 25/Oct/13
| Field | Value |
|---|---|
| Status | Closed |
| Project | Core Server |
| Component/s | Security, Usability |
| Affects Version/s | 2.2.4, 2.4.3 |
| Fix Version/s | None |
| Type | Bug |
| Priority | Major - P3 |
| Reporter | Sridhar Nanjundeswaran |
| Assignee | Spencer Brody (Inactive) |
| Resolution | Duplicate |
| Votes | 0 |
| Labels | None |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |
| Environment | standalone MongoDB 2.4.3 Windows 2008R2+ build on Windows 7 |
| Issue Links | |
| Operating System | ALL |
Steps To Reproduce:
Start mongod with --auth. From the shell
If you now run
it fails with
if you now do
the rename succeeds even without authenticating using admin credentials.
Description:
renameCollection is an admin only command. When auth is turned on you can rename a collection within the same db even without authentication using the admin user credentials.
Comments:
Comment by Spencer Brody (Inactive) [25/Apr/13]:
This is working as designed. Rename collection is not an admin-only command, it just has to be run against the admin database. While this is not a security concern, it is a bit confusing that it needs to be run on admin even though it doesn't require admin credentials (this was presumably done because it can affect multiple databases). So perhaps this should be changed just from a usability perspective.