From bc8b2ef3cc55a18274920ededbba6e18e99626e4 Mon Sep 17 00:00:00 2001
From: Kristina <kristina@10gen.com>
Date: Tue, 23 Aug 2011 15:46:28 -0400
Subject: only allow internal user with --keyFile option SERVER-3666

---
 db/cmdline.cpp           | 4 ++++
 db/cmdline.h             | 2 ++
 db/security_commands.cpp | 1 +
 3 files changed, 7 insertions(+)

diff --git a/db/cmdline.cpp b/db/cmdline.cpp
index 2a10fb50fdc..26d12ea5f64 100644
--- a/db/cmdline.cpp
+++ b/db/cmdline.cpp
@@ -272,8 +272,12 @@ namespace mongo {
                 dbexit(EXIT_BADOPTIONS);
             }
 
+            cmdLine.keyFile = true;
             noauth = false;
         }
+        else {
+            cmdLine.keyFile = false;
+        }
 
 
         {
diff --git a/db/cmdline.h b/db/cmdline.h
index 4c8c7c4512b..fff0499758e 100644
--- a/db/cmdline.h
+++ b/db/cmdline.h
@@ -100,6 +100,8 @@ namespace mongo {
 
         string socket;         // UNIX domain socket directory
 
+        bool keyFile;
+
         static void addGlobalOptions( boost::program_options::options_description& general ,
                                       boost::program_options::options_description& hidden );
 
diff --git a/db/security_commands.cpp b/db/security_commands.cpp
index 67605aab77d..caaedbdf1ff 100644
--- a/db/security_commands.cpp
+++ b/db/security_commands.cpp
@@ -139,6 +139,7 @@ namespace mongo {
             string pwd;
 
             if (user == internalSecurity.user) {
+                uassert(15889, "key file must be used to log in with internal user", cmdLine.keyFile);
                 pwd = internalSecurity.pwd;
             }
             else {
-- 
cgit v1.2.1