Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-8540

Unauthorized users allowed to read system.profile collection

    • Type: Icon: Bug Bug
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • 2.4.0-rc1
    • Affects Version/s: 2.4.0-rc0
    • Component/s: Security
    • None
    • ALL

      To reproduce:

      adminDb = db.getSiblingDB("admin")
      testDb = db.getSiblingDB("testdb")
      adminDb.addUser({user:'admin',pwd:'password',roles:['userAdminAnyDatabase','dbAdminAnyDatabase', 'readWriteAnyDatabase']})
      adminDb.auth('admin','password')
      testDb.addUser({user:'readUser',pwd:'password',roles:['read']})
      testDb.setProfilingLevel(2)
      adminDb.logout()
      testDb.auth('readUser','password')
      testDb.system.profile.find() // succeeds
      

      Culprit in AuthorizationManager::_modifyPrivilegeForSpecialCases:

              } else if (collectionName == "system.profle" && newActions.contains(ActionType::find)) {
      

            Assignee:
            spencer@mongodb.com Spencer Brody (Inactive)
            Reporter:
            rassi J Rassi
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: