From 865eccaf35aca29d1b71764d50227cdf853752d0 Mon Sep 17 00:00:00 2001
From: Moustafa Maher
Date: Wed, 3 Mar 2021 00:08:53 +0000
Subject: SERVER-36263 Bypassing operation validation in applyOps should require special privilege
---
 src/mongo/db/auth/action_types.txt | 1 +
 src/mongo/db/auth/role_graph_builtin_roles.cpp | 2 ++
 src/mongo/db/commands/oplog_application_checks.cpp | 5 +++++
 3 files changed, 8 insertions(+)
(limited to 'src')
diff --git a/src/mongo/db/auth/action_types.txt b/src/mongo/db/auth/action_types.txt
index 71582f7f85b..4ecac2e6dbe 100644
--- a/src/mongo/db/auth/action_types.txt
+++ b/src/mongo/db/auth/action_types.txt
@@ -9,6 +9,7 @@
 "anyAction", # Special ActionType that represents *all* actions
 "appendOplogNote",
 "applicationMessage",
+"applyOps",
 "auditLogRotate", # Not used for permissions checks, but to id the event in logs.
 "authCheck", # Not used for permissions checks, but to id the authorization-checking event in logs.
 "authenticate", # Not used for permission checks, but to id authentication events in logs.
diff --git a/src/mongo/db/auth/role_graph_builtin_roles.cpp b/src/mongo/db/auth/role_graph_builtin_roles.cpp
index 783be516d4c..1469c0eb162 100644
--- a/src/mongo/db/auth/role_graph_builtin_roles.cpp
+++ b/src/mongo/db/auth/role_graph_builtin_roles.cpp
@@ -393,6 +393,8 @@ void addDbAdminAnyDbPrivileges(PrivilegeVector* privileges) {
 Privilege::addPrivilegeToPrivilegeVector(
 privileges,
 Privilege(ResourcePattern::forCollectionName("system.profile"), profileActions));
+ Privilege::addPrivilegeToPrivilegeVector(
+ privileges, Privilege(ResourcePattern::forClusterResource(), ActionType::applyOps));
 }
 
 void addClusterMonitorPrivileges(PrivilegeVector* privileges) {
diff --git a/src/mongo/db/commands/oplog_application_checks.cpp b/src/mongo/db/commands/oplog_application_checks.cpp
index 783d1002b35..1980f710f6f 100644
--- a/src/mongo/db/commands/oplog_application_checks.cpp
+++ b/src/mongo/db/commands/oplog_application_checks.cpp
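Review bot: In role_graph_builtin_roles.cpp the new `applyOps` grant appears only in `addDbAdminAnyDbPrivileges`, while the check added in oplog_application_checks.cpp rejects every caller that lacks it. Any other built-in role whose users previously reached applyOps through per-operation privileges would now get Unauthorized; those role builders are outside this hunk, so this is inferred and worth confirming, with tooling that replays oplog entries during a restore being the usual case to check. The grant is also a cluster-resource action placed in a database-admin role, which deserves a line of rationale above it, for example `// applyOps is authorized on the cluster resource; only roles granted it explicitly may run the command.`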
@@ -204,6 +204,11 @@ Status OplogApplicationChecks::checkAuthForCommand(OperationContext* opCtx,
 const BSONObj& cmdObj,
 OplogApplicationValidity validity) {
 AuthorizationSession* authSession = AuthorizationSession::get(opCtx->getClient());
+ if (!authSession->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::applyOps)) {
+ return Status(ErrorCodes::Unauthorized, "Unauthorized");
+ }
+
 if (validity == OplogApplicationValidity::kNeedsSuperuser) {
 std::vector universalPrivileges;
 RoleGraph::generateUniversalPrivileges(&universalPrivileges);
-- cgit v1.2.1
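Review bot: The new `applyOps` check sits ahead of the `validity` branch, so it gates every applyOps call rather than only the calls that bypass operation validation, which is what the subject line describes. If gating the whole command is intended, a comment above the check should say so, for example `// Every applyOps caller needs the applyOps action on the cluster resource, whatever the validity level.`; if not, the check belongs with the code path that handles the bypass. The diffstat lists three files and none of them is a test, so nothing in this commit pins that a user holding only per-operation privileges is now refused, or that the `kNeedsSuperuser` path still requires the universal privileges in addition. checkAuthForCommand starts before and continues past this hunk.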