- Type: Bug
- Resolution: Unresolved
- Priority: Minor - P4
- Affects Version/s: None
- Component/s: Connectivity
Problem Statement/Rationale
mongosh, when invoked with a connection but without authentication, runs several commands that require authentication as part of its initial connection sequence. These commands cause authorization failures that are recorded in the audit log, which can raise security concerns.
Steps to Reproduce
Create a local mongod with auth enabled. Here we used 6.0.1, but the behaviour does not depend on the mongod release. Enable auditing.
Terminal session:
[ec2-user@ip-10-0-1-198 repros]$ mongosh
Current Mongosh Log ID: 6324e9ed23329d796894cbc8
Connecting to: mongodb://127.0.0.1:27017/?directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+1.5.4
Using MongoDB: 6.0.1
Using Mongosh: 1.5.4
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
Warning: Found ~/.mongorc.js, but not ~/.mongoshrc.js. ~/.mongorc.js will not be loaded.
You may want to copy or rename ~/.mongorc.js to ~/.mongoshrc.js.
Enterprise test> exit
[ec2-user@ip-10-0-1-198 repros]$
Expected Results
The audit log has no "authcheck" messages related to this mongosh invocation, because mongosh does not try to run commands that require authentication when the session is not authenticated.
Actual Results
The audit log says:
{ "atype" : "clientMetadata", "ts" : { "$date" : "2022-09-16T21:26:05.543+00:00" }, "uuid" : { "$binary" : "jlVNi17wSveArDV3W51aTQ==", "$type" : "04" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 54162 }, "users" : [], "roles" : [], "param" : { "localEndpoint" : { "ip" : "127.0.0.1", "port" : 27017 }, "clientMetadata" : { "driver" : { "name" : "nodejs|mongosh", "version" : "4.8.1" }, "os" : { "type" : "Linux", "name" : "linux", "architecture" : "x64", "version" : "4.14.285-215.501.amzn2.x86_64" }, "platform" : "Node.js v16.16.0, LE (unified)", "version" : "4.8.1|1.5.4", "application" : { "name" : "mongosh 1.5.4" } } }, "result" : 0 }
{ "atype" : "authCheck", "ts" : { "$date" : "2022-09-16T21:26:05.547+00:00" }, "uuid" : { "$binary" : "HWZsnQnTRji0NpLl2oX19Q==", "$type" : "04" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 54148 }, "users" : [], "roles" : [], "param" : { "command" : "getParameter", "ns" : "admin" }, "result" : 13 }
{ "atype" : "authCheck", "ts" : { "$date" : "2022-09-16T21:26:05.548+00:00" }, "uuid" : { "$binary" : "jlVNi17wSveArDV3W51aTQ==", "$type" : "04" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 54162 }, "users" : [], "roles" : [], "param" : { "command" : "getCmdLineOpts", "ns" : "admin" }, "result" : 13 }
{ "atype" : "clientMetadata", "ts" : { "$date" : "2022-09-16T21:26:05.548+00:00" }, "uuid" : { "$binary" : "DE4NKxltTHuvV+fdGdBiIw==", "$type" : "04" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 54166 }, "users" : [], "roles" : [], "param" : { "localEndpoint" : { "ip" : "127.0.0.1", "port" : 27017 }, "clientMetadata" : { "driver" : { "name" : "nodejs|mongosh", "version" : "4.8.1" }, "os" : { "type" : "Linux", "name" : "linux", "architecture" : "x64", "version" : "4.14.285-215.501.amzn2.x86_64" }, "platform" : "Node.js v16.16.0, LE (unified)", "version" : "4.8.1|1.5.4", "application" : { "name" : "mongosh 1.5.4" } } }, "result" : 0 }
{ "atype" : "authCheck", "ts" : { "$date" : "2022-09-16T21:26:05.643+00:00" }, "uuid" : { "$binary" : "jlVNi17wSveArDV3W51aTQ==", "$type" : "04" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 54162 }, "users" : [], "roles" : [], "param" : { "command" : "getLog", "ns" : "admin" }, "result" : 13 }
{ "atype" : "authCheck", "ts" : { "$date" : "2022-09-16T21:26:05.643+00:00" }, "uuid" : { "$binary" : "HWZsnQnTRji0NpLl2oX19Q==", "$type" : "04" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 54148 }, "users" : [], "roles" : [], "param" : { "command" : "getFreeMonitoringStatus", "ns" : "admin" }, "result" : 13 }
{ "atype" : "clientMetadata", "ts" : { "$date" : "2022-09-16T21:26:16.045+00:00" }, "uuid" : { "$binary" : "gghQpnwNS6aS1z/zBzd2kw==", "$type" : "04" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 38572 }, "users" : [], "roles" : [], "param" : { "localEndpoint" : { "ip" : "127.0.0.1", "port" : 27017 }, "clientMetadata" : { "driver" : { "name" : "nodejs|mongosh", "version" : "4.8.1" }, "os" : { "type" : "Linux", "name" : "linux", "architecture" : "x64", "version" : "4.14.285-215.501.amzn2.x86_64" }, "platform" : "Node.js v16.16.0, LE (unified)", "version" : "4.8.1|1.5.4", "application" : { "name" : "mongosh 1.5.4" } } }, "result" : 0 }
Note that the "getParameter", "getCmdLineOpts", "getLog", and "getFreeMonitoringStatus" commands are run by mongosh and rejected as unauthorized, because the session is not authenticated.
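Until this is fixed, an audit reviewer has to tell this startup noise apart from real unauthorized access. The following script is an added example, not part of the report or of mongosh: it correlates authCheck failures (result 13) with the clientMetadata event of the same connection uuid and separates unauthenticated mongosh startup commands from failures that deserve a look. The sample log lines are constructed, with fields trimmed to what the logic needs.

```python
import json
from collections import Counter

# Constructed sample entries, modelled on the audit log excerpt in the report
# (one JSON document per line; only the fields the triage uses are kept).
SAMPLE_AUDIT_LOG = """
{"atype":"clientMetadata","uuid":{"$binary":"jlVN"},"users":[],"param":{"clientMetadata":{"application":{"name":"mongosh 1.5.4"}}},"result":0}
{"atype":"authCheck","uuid":{"$binary":"jlVN"},"users":[],"param":{"command":"getCmdLineOpts","ns":"admin"},"result":13}
{"atype":"authCheck","uuid":{"$binary":"jlVN"},"users":[],"param":{"command":"getLog","ns":"admin"},"result":13}
{"atype":"clientMetadata","uuid":{"$binary":"ABCD"},"users":[],"param":{"clientMetadata":{"application":{"name":"custom-app"}}},"result":0}
{"atype":"authCheck","uuid":{"$binary":"ABCD"},"users":[],"param":{"command":"find","ns":"prod.secrets"},"result":13}
{"atype":"authCheck","uuid":{"$binary":"EFGH"},"users":[{"user":"app","db":"admin"}],"param":{"command":"dropDatabase","ns":"prod"},"result":13}
"""

# Commands the report shows mongosh issuing before the session is authenticated.
MONGOSH_STARTUP_COMMANDS = {"getParameter", "getCmdLineOpts", "getLog", "getFreeMonitoringStatus"}


def triage_authcheck_failures(log_text):
    """Split result-13 authCheck events into mongosh startup noise and events to review.

    Returns (noise, review): noise counts startup commands per command name;
    review lists every other authorization failure with its app, users, command and ns.
    """
    entries = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    # Connection uuid -> application name, taken from the clientMetadata event.
    app_by_conn = {}
    for e in entries:
        if e["atype"] == "clientMetadata":
            app = e["param"].get("clientMetadata", {}).get("application", {}).get("name", "")
            app_by_conn[e["uuid"]["$binary"]] = app
    noise, review = Counter(), []
    for e in entries:
        if e["atype"] != "authCheck" or e["result"] != 13:
            continue
        cmd = e["param"].get("command")
        app = app_by_conn.get(e["uuid"]["$binary"], "")
        # Noise only when all three hold: no authenticated user, a mongosh client,
        # and one of the known startup commands. Anything else is reviewed.
        if not e["users"] and app.startswith("mongosh") and cmd in MONGOSH_STARTUP_COMMANDS:
            noise[cmd] += 1
        else:
            review.append({"app": app or "<unknown>", "users": e["users"],
                           "command": cmd, "ns": e["param"].get("ns")})
    return noise, review
```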