by SillentTroll 3456 days ago
I also have been affected by the same "hack". Turns out I had simply forgotten to start mongod with the --auth option, even though I had created users for different databases, including the admin! Looks like in "non-secure mode" it allows logins with existing users as well as unauthorized ones.

I understand why the authentication is disabled by default, but it should fail to start with a DB that has users with roles and stuff.


Why should it be disabled by default? I don't see a reason why any database system would run without auth. At installation they can always use a local user account if no password is provided.
I wouldn't call it a bastion of security but MySQL typically installs with a root user with no password. So how do they not have the same level of exposed data? By default only local connections are allowed. If Mongo had the same pattern then this whole calamity could have been avoided whilst still allowing the ease of setting up on local environments.
IIRC, even if you enable remote connection, the passwordless login is still only authorized locally.
Yeah good point, you're right. The root user is defined as root@localhost, not root@%.
Has that always been the case?
On what distro/OS? On Ubuntu you get to pick the root password during installation.
On Ubuntu specifically if you do the quiet option (for example as part of an automated script) then it will leave it blank. Even with the prompt it says it's optional but encouraged.
- Why should it be disabled by default? I don't agree it should, but understand why it is disabled by default: for easy and quick start of development on the local machine.
Isn't it as fast if you bind it to a local user by default? You can still change it afterwards, but that way there's no set up for developers.
Yes, it is the same.

In my case the database already had some users configured. But because I didn't start the server with the --auth option, MongoDB ignored all users and allowed everyone to connect.

A solution for people like me, who forget the --auth option, would be:

Situation #1, new database: Start MongoDB without any users, but as soon as the admin user is added, drop all connections and enable authentication.

Situation #2, existing database: If MongoDB is started with a database that has an admin user but authentication is not enabled, fail and exit.

How did you install MongoDB? I'm asking because by default it should only listen on localhost and I'm trying to understand whether there's a popular package/repository that has changed that default from localhost to 0.0.0.0.
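As an added example (not code from the thread or from MongoDB itself), here is a small pre-start check that implements SillentTroll's "Situation #2" rule and also flags the all-interfaces binding asked about in the last comment. It inspects a mongod command line for the real flags --auth, --noauth, --bind_ip and --bind_ip_all; the list of configured users and the localhost default bind address are assumptions supplied by the caller.

```python
# Hypothetical startup guard: given the mongod argv and the names of users already
# present in the admin/other databases, decide whether it is safe to start.
# Assumption: when no --bind_ip is given, mongod binds only to 127.0.0.1.

def parse_mongod_args(argv):
    """Return (auth_enabled, bind_addrs) from a mongod command line."""
    auth = False
    binds = ["127.0.0.1"]  # assumed default; --bind_ip / --bind_ip_all override it
    i = 1
    while i < len(argv):
        a = argv[i]
        if a == "--auth":
            auth = True
        elif a == "--noauth":
            auth = False
        elif a == "--bind_ip_all":
            binds = ["0.0.0.0"]
        elif a == "--bind_ip" and i + 1 < len(argv):
            binds = [b.strip() for b in argv[i + 1].split(",")]
            i += 1
        elif a.startswith("--bind_ip="):
            binds = [b.strip() for b in a.split("=", 1)[1].split(",")]
        i += 1
    return auth, binds


def check_startup(argv, configured_users):
    """Apply the thread's rule: users exist but auth is off -> refuse to start.
    Also report an unauthenticated listener on all interfaces. Returns a list of
    problems; an empty list means it is safe to start."""
    auth, binds = parse_mongod_args(argv)
    problems = []
    if configured_users and not auth:
        problems.append("users are configured but --auth is not set: refuse to start")
    if not auth and any(b in ("0.0.0.0", "::") for b in binds):
        problems.append("listening on all interfaces without authentication")
    return problems


if __name__ == "__main__":
    # Constructed sample: the situation described in the thread.
    print(check_startup(["mongod", "--bind_ip", "0.0.0.0"], ["admin"]))
```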