  1. Core Server
  2. SERVER-60370

Changing the name of a collection will result in wrong authorization of database collection access.

    • Type: Bug
    • Resolution: Works as Designed
    • Priority: Major - P3
    • None
    • Affects Version/s: 5.0.0
    • Component/s: None
    • Labels:
      None
    • Environment:
      MongoDB server version: 5.0
      CentOS Linux release 7.6.1810 (Core)
    • ALL

      As dbOwner of database1:

      1.
      use database1

      // Two collections, two documents each
      db.t1.insertMany([
        { name: 't1', email: 't1table@example.com' },
        { name: 'lexas', email: 'lexas@example.com' }
      ])

      db.t2.insertMany([
        { name: 't2', email: 't2table@example.com' },
        { name: 'linsay', email: 'linsay@example.com' }
      ])

      // One read-only role per collection; each resource is given by collection name
      db.createRole(
        {
          role: "t1Read",
          privileges: [
            { resource: { db: "database1", collection: "t1" }, actions: [ "find" ] }
          ],
          roles: []
        }
      )

      db.createRole(
        {
          role: "t2Read",
          privileges: [
            { resource: { db: "database1", collection: "t2" }, actions: [ "find" ] }
          ],
          roles: []
        }
      )

      // usr1 may read only t1, usr2 may read only t2
      db.createUser(
        { user: "usr1", pwd: "123456", roles: [ { role: "t1Read", db: "database1" } ] }
      )

      db.createUser(
        { user: "usr2", pwd: "123456", roles: [ { role: "t2Read", db: "database1" } ] }
      )

      2.
      Login as usr1:
      test> use database1
      switched to db database1
      database1> db.t1.find({})
      [
        {
          _id: ObjectId("6155864d0133ab8df9f21ceb"),
          name: 't1',
          email: 't1table@example.com'
        },
        {
          _id: ObjectId("6155864d0133ab8df9f21cec"),
          name: 'lexas',
          email: 'lexas@example.com'
        }
      ]
      database1> db.t2.find({})
      MongoServerError: not authorized on database1 to execute command { find: "t2", filter: {}, lsid: { id: UUID("a4aad0fe-9183-45af-a240-713c79eba1cc") }, $db: "database1" }

      3.
      As dbOwner of database1:
      use database1
      database1> db.t1.renameCollection('t3');
      database1> db.t2.renameCollection('t1');
      database1> db.t3.renameCollection('t2');

      4.
      Login as usr1:
      database1> db.t1.find({})
      [
        {
          _id: ObjectId("615586580133ab8df9f21ced"),
          name: 't2',
          email: 't2table@example.com'
        },
        {
          _id: ObjectId("615586580133ab8df9f21cee"),
          name: 'linsay',
          email: 'linsay@example.com'
        }
      ]
      database1> db.t2.find({})
      MongoServerError: not authorized on database1 to execute command { find: "t2", filter: {}, lsid: { id: UUID("a4aad0fe-9183-45af-a240-713c79eba1cc") }, $db: "database1" }

      As you can see, after renaming the collections, usr1 actually gets the data from the collection t2, which he's not supposed to be able to read.


      I would like to report a security issue on MongoDB privilege and role management.
      When the database administrator changes a collection's name, the role's privilege relevant to the corresponding collection doesn't reflect the change and gives users the ability to get the data from collections they are not supposed to read.

       

      Company name: BEIJING DBSEC TECHNOLOGY CO., LTD.
      Personal name: Eddie Zhu
      Web site: www.dbsec.cn
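
The roles in this report grant `find` on a collection name, so a rename changes which documents a role reaches. The following is an added example, not part of the report or of MongoDB's code: it models that binding in plain JavaScript so the effect of a planned rename on each role can be checked beforehand. The function names and the identifiers `docs-A`/`docs-B` are hypothetical.

```javascript
// Added example. A privilege resource names a namespace; an empty string in
// db or collection acts as a wildcard (system collections are ignored here).
function resourceMatches(res, db, coll) {
  return (res.db === "" || res.db === db) &&
         (res.collection === "" || res.collection === coll);
}

// Per role: the stored collections (by stable id) it may run `action` on.
function reach(roles, db, catalog, action) {
  const out = {};
  for (const r of roles) {
    out[r.role] = Object.entries(catalog)
      .filter(([name]) => r.privileges.some(
        (p) => p.actions.includes(action) && resourceMatches(p.resource, db, name)))
      .map(([, id]) => id)
      .sort();
  }
  return out;
}

// Apply renames in order to a copy of the catalog, refusing impossible steps.
function applyRenames(catalog, renames) {
  const next = { ...catalog };
  for (const [from, to] of renames) {
    if (!(from in next)) throw new Error(`no such collection: ${from}`);
    if (to in next) throw new Error(`target already exists: ${to}`);
    next[to] = next[from];
    delete next[from];
  }
  return next;
}

// Roles whose reachable data differs before and after the planned renames.
function renameImpact(roles, db, catalog, renames, action = "find") {
  const before = reach(roles, db, catalog, action);
  const after = reach(roles, db, applyRenames(catalog, renames), action);
  return roles
    .map((r) => ({ role: r.role, before: before[r.role], after: after[r.role] }))
    .filter((x) => x.before.join() !== x.after.join());
}

// Constructed sample: the report's two roles; "docs-A"/"docs-B" are hypothetical ids.
const roles = [
  { role: "t1Read", privileges: [{ resource: { db: "database1", collection: "t1" }, actions: ["find"] }] },
  { role: "t2Read", privileges: [{ resource: { db: "database1", collection: "t2" }, actions: ["find"] }] },
];
const catalog = { t1: "docs-A", t2: "docs-B" };
const swap = [["t1", "t3"], ["t2", "t1"], ["t3", "t2"]]; // step 3 of the report
console.log(renameImpact(roles, "database1", catalog, swap));
```

A non-empty result lists the roles whose privileges should be reviewed together with the rename.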

            Assignee: Edwin Zhou (edwin.zhou@mongodb.com)
            Reporter: Zhu Eddie (zhuqiangtj@gmail.com)
            Votes: 0
            Watchers: 3
