From 7f069ac79c56704743e12187ce3391fa6847661d Mon Sep 17 00:00:00 2001 From: "Michael C. Harris" Date: Wed, 20 Mar 2013 05:32:33 +0000 Subject: [PATCH] DOCS-1250: Read-only users can't read system.users. Users with read only access to the admin database can't read the system.users collection. I considered adding a link to [Password Hashing Insecurity](http://docs.mongodb.org/manual/tutorial/control-access-to-mongodb-with-authentication/#password-hashing-insecurity) but it doesn't add value. It's only fair that I patch this, since it was my support ticket that caused it to be opened in the first place. --- source/administration/security.txt | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/source/administration/security.txt b/source/administration/security.txt index 642d6888950..6a41af648d0 100644 --- a/source/administration/security.txt +++ b/source/administration/security.txt @@ -277,9 +277,11 @@ authentication system: db.system.users.find() - The ``admin`` database is unique. Users with *normal* access to the - ``admin`` database have read and write access to all - databases. Users with *read only* access to the ``admin`` database - have read only access to all databases. + ``admin`` database have read and write access to all databases. Users + with *read only* access to the ``admin`` database have read only + access to all databases, with the exception of the ``system.users`` + collection, which is protected to prevent privilege escalation + attacks. Additionally the ``admin`` database exposes several commands and functionality, such as :dbcommand:`listDatabases`.
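Review bot: The new sentence "with the exception of the ``system.users`` collection" leaves it ambiguous whether the exception covers only ``admin.system.users`` or the ``system.users`` collection of every database; the subject line says read-only users of the ``admin`` database can't read ``system.users``, so the text should name the database the restriction applies to. It would also help to tie the new paragraph to the ``db.system.users.find()`` example in the unchanged context just above it, for instance with a sentence stating that the query shown requires *normal* access to the ``admin`` database and fails for *read only* users, so a reader who copies the example understands why it is denied. Finally, "to prevent privilege escalation attacks" is stated without saying what is being protected; one clause noting that the collection holds the credential records for all users would make the rationale concrete without adding operational detail.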