A few months ago I enabled password protection on my MongoDB install. Today I ran the Mongo client and forgot to use my login details. Instead of rejecting nearly everything I try to do from the shell, like it should, I had complete access to all the databases and collections. Fortunately this instance is only running a few test apps, so I quickly shut down the MongoD instance until I figure this out.

Has anybody ever seen this kind of behavior before and knows what is going on? The MongoD instance is running on a Linux VM hosted by Azure. The only thing I can think of is that perhaps Azure restored an old copy of the VM, but I received no E-mails to that effect and everything else on the server seems to be proper, including new daemon processes that I added after I enabled password protection on MongoD.

Robert Oschler

1 Answer

If you were connecting from localhost and you have not yet added a user to the admin database, then you are likely authenticated as an administrator due to the localhost exception. Once you add an admin user, or if you connect from another host, you will then have to present valid credentials to get access.

You will find instructions as to how to disable this (as long as you are running a recent version) in the linked documentation.

The only other way I can think of for this to happen (besides someone/something getting access and modifying things) is for your instance to have been restarted without authentication enabled (it is off by default). You should verify what options the mongod is running with and that your admin users and database users are in fact still present.

Adam C
  • This happened while running the Mongo client from a remote PC. – Robert Oschler Nov 13 '13 at 19:28
  • The only way I can think of for that to happen (besides someone/something getting access and modifying things) is for your instance to have been restarted without authentication enabled (it is off by default). You should verify what options the mongod is running with and that your admin users and database users are in fact still present. – Adam C Nov 13 '13 at 23:19
  • If you're so inclined, please add your comment to your reply. Ping me via a comment here when you're done and I'll accept it as the answer. – Robert Oschler Nov 14 '13 at 04:15
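
The check the answer recommends (verify which options mongod is actually running with), as an added Python example that is not part of the original thread or MongoDB's own code. The function names and sample configs are constructed for illustration, and the parser assumes a simple config layout: the legacy `key = value` form or plain nested YAML mappings.

```python
def parse_config(text):
    """Flatten a mongod config file into {setting: value}.

    Supports legacy 'auth = true' lines and simple nested YAML mappings
    such as 'security:' followed by an indented 'authorization: enabled'.
    """
    settings, parents = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if "=" in line and ":" not in line.split("=", 1)[0]:
            key, value = (p.strip() for p in line.split("=", 1))
            settings[key] = value                      # legacy format
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        parents = [(i, k) for i, k in parents if i < indent]
        if value.strip():
            path = ".".join([k for _, k in parents] + [key])
            settings[path] = value.strip().strip("\"'")
        else:
            parents.append((indent, key))              # opens a YAML section
    return settings


def auth_enforced(argv, config_text=""):
    """True if the startup options turn on access control.

    Auth is off by default, so it must be requested explicitly with
    --auth, a key file (which implies auth), or the config equivalents.
    """
    cfg = parse_config(config_text)
    if any(a == "--auth" or a.startswith("--keyFile") for a in argv):
        return True
    return (
        cfg.get("auth", "").lower() == "true"
        or cfg.get("security.authorization", "").lower() == "enabled"
        or "keyFile" in cfg
        or "security.keyFile" in cfg
    )


# Constructed samples, not taken from the original post.
LEGACY_CONF = "dbpath = /var/lib/mongodb\nauth = true  # access control on\n"
YAML_CONF = "net:\n  port: 27017\nsecurity:\n  authorization: enabled\n"
NO_AUTH_CONF = "dbpath = /var/lib/mongodb\nbind_ip = 0.0.0.0\n"

if __name__ == "__main__":
    for name, conf in [("legacy", LEGACY_CONF), ("yaml", YAML_CONF),
                       ("restarted without auth", NO_AUTH_CONF)]:
        print(name, auth_enforced(["mongod", "--config", "/etc/mongod.conf"], conf))
```

On a live host, the argument list can be taken from the running process and the config text from the file named by its `--config` option; a `False` result matches the "restarted without authentication enabled" case described in the answer.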