if no admin.system.users, allow access to everything from localhost

2024-11-30 00:56:44 +01:00 · 2009-01-21 17:26:16 -05:00 · 2009-01-21 17:26:16 -05:00 · 0f9f3648b0
commit 0f9f3648b0
parent 92d7e087d3
4 changed files with 32 additions and 7 deletions
--- a/db/db.cpp
+++ b/db/db.cpp
@ -162,6 +162,8 @@ namespace mongo {

        try {

+			ai->isLocalHost = dbMsgPort.farEnd.isLocalHost();
+
            Message m;
            while ( 1 ) {
                m.reset();
--- a/db/dbhelpers.h
+++ b/db/dbhelpers.h
@ -50,11 +50,11 @@ namespace mongo {
        static bool findOne(const char *ns, BSONObj query, BSONObj& result, bool requireIndex=false);

        /* Get/put the first object from a collection.  Generally only useful if the collection
-        only ever has a single object -- which is a "singleton collection".
+           only ever has a single object -- which is a "singleton collection".

-        You do not need to set the database before calling.
-
-        Returns: true if object exists.
+		   You do not need to set the database before calling.
+		   
+		   Returns: true if object exists.
        */
        static bool getSingleton(const char *ns, BSONObj& result);
        static void putSingleton(const char *ns, BSONObj obj);
--- a/db/security.cpp
+++ b/db/security.cpp
@ -17,6 +17,8 @@ namespace mongo {

    bool noauth = true;

+	int AuthenticationInfo::warned;
+
    Security::Security(){
 #if defined(__linux__)
        devrandom = new ifstream("/dev/urandom", ios::binary|ios::in);
--- a/db/security.h
+++ b/db/security.h
@ -19,6 +19,8 @@
 #pragma once

 #include <boost/thread/tss.hpp>
+#include "db.h"
+#include "dbhelpers.h"

 namespace mongo {

@ -33,16 +35,35 @@ namespace mongo {

    class AuthenticationInfo : boost::noncopyable {
        map<string, Auth> m; // dbname -> auth
+		static int warned;
    public:
-        AuthenticationInfo() { }
+		bool isLocalHost;
+        AuthenticationInfo() { isLocalHost = false; }
        ~AuthenticationInfo() {
        }
-        void logout(const char *dbname) { m.erase(dbname); }
+        void logout(const char *dbname) { 
+			assert( dbMutexInfo.isLocked() );
+			m.erase(dbname); 
+		}
        void authorize(const char *dbname) { 
+			assert( dbMutexInfo.isLocked() );
            m[dbname].level = 2;
        }
        bool isAuthorized(const char *dbname) { 
-            return m[dbname].level == 2 || noauth;
+            if( m[dbname].level == 2 ) return true;
+			if( noauth ) return true;
+			if( isLocalHost ) { 
+				DBContext c("admin.system.users");
+				BSONObj result;
+				if( Helpers::getSingleton("admin.system.users", result) )
+					return false;
+				if( warned == 0 ) {
+					warned++;
+					log() << "warning: no users configured in admin.system.users, allowing localhost access" << endl;
+				}
+				return true;
+			}
+			return false;
        }
    };