
Does enableLocalhostAuthBypass override --auth?

Tags:

mongodb

In the docs (link) it says "Specify 0 to disable localhost authentication bypass. Enabled by default" for enableLocalhostAuthBypass. But when I start mongod with --auth:

mongod --port 30xxx --dbpath=/home/dev/xxxx --auth

And then connect via localhost:

mongo --host localhost --port 30xxx myDb

And then try to do anything:

> show collections
Wed Aug  7 11:07:50.420 JavaScript execution failed: error: {
    "$err" : "not authorized for query on configuration.system.namespaces",
    "code" : 16550

Bzzt, no go. I can connect with -u -p and run show collections though.

From the docs it really sounds like connecting via localhost will bypass auth by default. However that's not what I'm seeing. Are the docs unclear? Am I reading it wrong?

jcollum asked Aug 07 '13 18:08


1 Answer

enableLocalhostAuthBypass is used for the case when you have no user defined at all but with auth enabled on MongoDB and you don't want to be able to connect at all. It is not meant to turn off authentication for localhost altogether.

As soon as you have a user defined, then enableLocalhostAuthBypass will do nothing and you have to authenticate first.

It is described in the documentation at: http://docs.mongodb.org/manual/tutorial/add-user-administrator/#authenticate-with-full-administrative-access-via-localhost

Derick answered Sep 17 '22 13:09
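
The rule from the answer above, as an added example (not part of the original post and not MongoDB's own code): a small Python check that reads a mongod command line and reports what an unauthenticated localhost connection gets. The function names, the returned labels and the user_count input (number of users already defined, supplied by the operator) are assumptions of this sketch; only command-line flags are parsed, not a config file.

```python
import shlex

def parse_mongod_args(cmdline):
    """Return (auth_enabled, bypass_enabled) for a mongod command line."""
    args = shlex.split(cmdline)
    auth = False
    bypass = True  # the docs quoted in the question: "Enabled by default"
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == "--auth":
            auth = True
        elif arg.startswith("--setParameter"):
            # Accept "--setParameter name=value" and "--setParameter=name=value".
            _, sep, param = arg.partition("=")
            if not sep:
                i += 1
                param = args[i] if i < len(args) else ""
            name, _, value = param.partition("=")
            if name == "enableLocalhostAuthBypass":
                bypass = value.lower() not in ("0", "false")
        i += 1
    return auth, bypass

def localhost_access(cmdline, user_count):
    """Classify unauthenticated localhost access (labels are this sketch's own)."""
    auth, bypass = parse_mongod_args(cmdline)
    if not auth:
        return "auth-disabled"          # no --auth: nothing is enforced
    if user_count > 0:
        return "credentials-required"   # a user exists, so the bypass does nothing
    if bypass:
        return "localhost-exception"    # no users yet: localhost may create the first one
    return "no-access"                  # no users and bypass off: nobody can log in

if __name__ == "__main__":
    # Command line taken from the question; user counts are constructed inputs.
    cmd = "mongod --port 30xxx --dbpath=/home/dev/xxxx --auth"
    for users in (0, 1):
        print(users, "user(s):", localhost_access(cmd, users))
    hardened = cmd + " --setParameter enableLocalhostAuthBypass=0"
    print("hardened, 0 users:", localhost_access(hardened, 0))
```

The question's situation is the second case: a user already existed (connecting with -u -p worked), so the localhost connection needed credentials even though the bypass parameter was at its default.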