I have a MongoDB database installed and configured, but I have a very big problem regarding security.
I have enabled authentication and created a bunch of users, each with its own permissions; everything is OK there. Now my problem is that if a bad guy gets access to my server, he can simply restart the service without specifying the authentication parameter and access all my databases just by logging in from localhost.
In the documentation it says: "The localhost exception applies only when there are no users created in the MongoDB instance."
Well, I have already created users, and I am still able to access my database using the localhost exception. Am I doing anything wrong? Or is the documentation wrong? If so, this seems to be a major security problem.
The Mongo version I am using is 3.4.
These are the steps I followed to enable authentication:

- Started Mongo without the `--auth` parameter.
- Created an admin user:

```
use admin
// "root" on the admin database grants full access to every database
var user = { "user" : "Admin", "pwd" : "1234", roles : [ { "role" : "root", "db" : "admin" } ] };
db.createUser(user);
```

- Restarted Mongo with the `--auth` parameter.
- Created a database and some collections:

```
use TestDB
db.createCollection( "TestCollection1" );
db.createCollection( "TestCollection2" );
```

- Created a custom role:

```
use TestDB
db.runCommand({
  createRole: "TestUserRole",
  privileges: [
    // insert and update on TestCollection1 only
    { "resource": { "db": "TestDB", "collection": "TestCollection1" }, "actions": ["insert", "update"] },
    // an empty collection name means every collection in TestDB: insert only
    { "resource": { "db": "TestDB", "collection": "" }, "actions": ["insert"] }
  ],
  // inherit the built-in read role on TestDB so find works on all collections
  "roles": [ { role: "read", db: "TestDB" } ]
});
```

- Created a regular user:

```
use TestDB
var user = { "user" : "TestUser", "pwd" : "1234", roles : [ { "role" : "TestUserRole", "db" : "TestDB" } ] };
db.createUser(user);
```
After this, I can access Mongo with both users, with the Admin account I can find, insert, update and delete in both collections of the database TestDB. With the user TestUser, I can only see the database TestDB (can't see the System collections) and can only find, insert and update TestCollection1, and can only find and insert in TestCollection2.
This is the behaviour I want; all working fine. Now, if I restart Mongo without the `--auth` parameter, I shouldn't be able to connect to Mongo using the localhost exception because users are already created. Yet I am able to connect.
Best Answer
Authentication only controls access for clients connecting to a MongoDB deployment. Securing remote access to your server and encrypting your data files are separate security measures.
If an attacker is able to gain access to a shell on your server and run privileged commands (like restarting the `mongod` service), access control is irrelevant. Similarly, even if your data files were encrypted, an attacker with privileged access would be a major security problem.

As the administrator of a server, it is your responsibility to have appropriate access control, firewalls, auditing, and other security measures in place. Security involves multiple layers of defense, and access control is only a starting point. At a minimum you should also enable network encryption (TLS/SSL) and appropriately limit network exposure.
For a list of recommended security measures, see the MongoDB Security Checklist.
If you restart MongoDB without the `--auth` parameter (or the equivalent configuration file directive), you are explicitly disabling access control and allowing clients to connect without requiring authentication. This may be useful for administrative intervention, such as resetting a forgotten admin password.