Type: Bug
Resolution: Done
Priority: Major - P3
Affects Version/s: 2.1.0
Component/s: Security
Environment: ALL
According to http://www.mongodb.org/display/DOCS/Security+and+Authentication, if you run with --auth, you can still do anything to a db until the first user for that db is created. However, I just did an experiment to verify this, and found that even after I created a user for a db, I was able to do anything without having to authenticate.
$ ./mongo
MongoDB shell version: 2.1.1-pre-
connecting to: test
>
> use bezos
switched to db bezos
> db.foob.insert(
);
> db.foob.insert(
);
> db.foob.find();
> db.addUser("scott", "tiger", false);
{ "user" : "scott", "readOnly" : false, "pwd" : "0cbd24414b7e463fdaaec5ec64f3982f", "_id" : ObjectId("4f35a87acf5576708e221735") }
{ "n" : 0, "connectionId" : 1, "err" : null, "ok" : 1 }
> db.foob.insert({blah:3});
> db.foob.find();
> db.auth("scott", "tiger");
1
> db.foob.find();
> exit
bye
Given this, I stopped my server to make sure I was really running with --auth. It was in my config file, so I started again:
$ ./mongo
MongoDB shell version: 2.1.1-pre-
connecting to: test
> use bezos
switched to db bezos
> show collections
foob
system.indexes
system.users
> db.foob.find();
> db.system.users.find();
{ "_id" : ObjectId("4f35a87acf5576708e221735"), "user" : "scott", "readOnly" : false, "pwd" : "0cbd24414b7e463fdaaec5ec64f3982f" }
> db.runCommand({getCmdLineOpts:1});
{ "errmsg" : "access denied; use admin db", "ok" : 0 }
> use admin
switched to db admin
> db.runCommand({getCmdLineOpts:1});
{
"argv" : [
"C:\\cygwin\\home\\cwestin\\mongo
mongod.exe",
"--config",
"../sandbox/mongodb.conf"
],
"parsed" :
,
"ok" : 1
}
>
I used getCmdLineOpts to verify that auth is indeed on. But you can see that I can still insert and query against this database without authenticating.
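The unauthenticated `db.system.users.find()` in the transcript is worse than a simple information leak, and the following added example (written for this page, not taken from the ticket or from MongoDB's own code) shows why. MongoDB 2.x authenticates with the legacy MONGODB-CR scheme: `addUser()` stores `pwd = md5(user + ":mongo:" + password)` in `system.users`, and the `authenticate` command's response to the server's `getnonce` challenge is `md5(nonce + user + pwd)`. Whoever can read `system.users` therefore holds a credential equivalent to the password. The nonce below is a constructed value; the user, password and `pwd` digest are the ones from the transcript.

```python
import hashlib

# Added example, not MongoDB's implementation: a model of the legacy
# MONGODB-CR scheme used by 2.x servers. All digests are lowercase hex.


def legacy_pwd_hash(user: str, password: str) -> str:
    """The value addUser() stores in system.users.pwd: md5(user:mongo:password)."""
    return hashlib.md5(f"{user}:mongo:{password}".encode()).hexdigest()


def client_key(nonce: str, user: str, pwd_hash: str) -> str:
    """The key a client sends in the authenticate command.

    Note that it is derived from the stored hash, not from the password, so
    anyone holding pwd_hash can produce it.
    """
    return hashlib.md5(f"{nonce}{user}{pwd_hash}".encode()).hexdigest()


def server_check(nonce: str, user: str, stored_pwd_hash: str, key: str) -> bool:
    """What the server verifies: recompute the key from its own copy of pwd."""
    return client_key(nonce, user, stored_pwd_hash) == key


# Constructed inputs: the document the unauthenticated find() returned in the
# ticket, and a made-up nonce standing in for the server's random challenge.
LEAKED_SYSTEM_USERS_DOC = {
    "user": "scott",
    "readOnly": False,
    "pwd": "0cbd24414b7e463fdaaec5ec64f3982f",
}
NONCE = "8e9f0c1b2a3d4e5f"  # constructed; a real server returns a random hex nonce


def ticket_hash_matches_password() -> bool:
    """Confirms that the leaked pwd is exactly md5('scott:mongo:tiger')."""
    return legacy_pwd_hash("scott", "tiger") == LEAKED_SYSTEM_USERS_DOC["pwd"]


def pass_the_hash_succeeds() -> bool:
    """An attacker who only read system.users authenticates without knowing 'tiger'."""
    key = client_key(NONCE, LEAKED_SYSTEM_USERS_DOC["user"], LEAKED_SYSTEM_USERS_DOC["pwd"])
    # The server side knows the password-derived hash only through the same digest.
    return server_check(NONCE, "scott", legacy_pwd_hash("scott", "tiger"), key)


def wrong_password_fails() -> bool:
    """Sanity check: a key built from a wrong password is rejected."""
    key = client_key(NONCE, "scott", legacy_pwd_hash("scott", "wrong"))
    return not server_check(NONCE, "scott", legacy_pwd_hash("scott", "tiger"), key)


if __name__ == "__main__":
    print("leaked pwd == md5(scott:mongo:tiger):", ticket_hash_matches_password())
    print("authenticate with only the leaked hash:", pass_the_hash_succeeds())
    print("wrong password rejected:", wrong_password_fails())
```

So when the first user's creation fails to switch on enforcement, an unauthenticated client can not only read and write the database but also harvest `system.users` and later log in as `scott` once enforcement is working. MONGODB-CR was replaced by SCRAM in MongoDB 3.0 precisely because the stored value is password-equivalent; on a 2.x deployment, treat readable `system.users` documents as leaked passwords and rotate them.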