mongodb allows guest connection even when auth is enabled

Problem description

MongoDB Version: 2.4.5

Enabled the auth=true in mongodb config. I can still connect to the mongodb instance from a remote host. It does enforce the authentication as I am not able to execute most queries as I get 'unauthorized' access but I can still run queries to get information about the server e.g. version etc. I was expecting the server to deny connection without credentials when the auth is enabled.

Recommended answer

Yes, basically you can connect without authentication but cannot do nearly anything. You can run

db.serverBuildInfo()

db.version()

db.adminCommand({ping:1})

db.adminCommand({whatsmyuri:1})

db.adminCommand({features:1})

for example, maybe some other commands.

What seems a bit of a pain to me is being able to run:

for(var i=0;i++<20000;){db.adminCommand({forceerror:1})}

This generates some logs.

I checked out the sources, and you can see this behaviour is a kind of bug. The sources of the shell startup are in: https://github.com/mongodb/mongo/blob/master/src/mongo/shell/dbshell.cpp

Basically there are two types of test running against the parameter values given in the password and username arguments for the mongo shell. The startup checks whether you provided a --password parameter and have not written a password after it. And there is a check: when you have not specified to start without a db, and you have specified a username which is longer than 0, then it will try to authenticate (check line 1043)

if (!nodb && username.size()).

But that is all. If you do not specify credentials at all, it seems it will connect without even trying to authenticate. I guess in the initialization phase it should be checked whether the process we connect to is running with authentication, and authentication should be forced if it is needed.
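An added example, not part of the original question or answer and not MongoDB project code: a small audit helper that records which of the commands listed above an unauthenticated session answers, and confirms that a data-bearing command is refused. It assumes `db` exposes `adminCommand(cmd)` as the shell's `db` object does; `listDatabases` as the control command, `auditPreAuth` and `makeStubDb` are choices made for this example, and the stub's replies are constructed.

```javascript
// Commands the answer reports as answering without credentials, plus one
// control (listDatabases, chosen for this example) that must be refused.
var PROBES = [
  { name: "ping",          cmd: { ping: 1 },          control: false },
  { name: "whatsmyuri",    cmd: { whatsmyuri: 1 },    control: false },
  { name: "features",      cmd: { features: 1 },      control: false },
  { name: "buildInfo",     cmd: { buildInfo: 1 },     control: false },
  { name: "listDatabases", cmd: { listDatabases: 1 }, control: true  }
];

// Run one command; a reply with ok:0 or a thrown error both count as refused,
// so the helper works whether the client returns or raises on "unauthorized".
function probe(db, cmd) {
  try {
    var res = db.adminCommand(cmd);
    return res && res.ok === 1 ? "answered" : "refused";
  } catch (e) {
    return "refused";
  }
}

// Returns which commands answered pre-auth and whether every control was refused.
function auditPreAuth(db) {
  var report = PROBES.map(function (p) {
    return { name: p.name, control: p.control, result: probe(db, p.cmd) };
  });
  return {
    report: report,
    authEnforced: report.filter(function (r) { return r.control; })
                        .every(function (r) { return r.result === "refused"; }),
    exposedPreAuth: report.filter(function (r) { return r.result === "answered"; })
                          .map(function (r) { return r.name; })
  };
}

// Constructed stand-in for an unauthenticated session, so the example runs offline.
function makeStubDb(openCommands) {
  return {
    adminCommand: function (cmd) {
      var name = Object.keys(cmd)[0];
      return openCommands.indexOf(name) !== -1
        ? { ok: 1 }
        : { ok: 0, errmsg: "unauthorized" };
    }
  };
}
```

An `authEnforced` value of `false` means the control command answered without credentials; a non-empty `exposedPreAuth` with `authEnforced` true matches the behaviour described in the answer.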
