When mosquitto is configured as follows:

```
per_listener_settings true
port 1883
acl_file /etc/mosquitto/aclfile.foo
listener 1884
acl_file /etc/mosquitto/aclfile.bar
```

Then the default listener (on port 1883) ignores the acl_file. This can easily be confirmed by specifying a non-existing acl file. Mosquitto will start up fine, without complaining about the non-existing file. And when trying to send messages, there are indeed no ACLs in effect.
This is a potential security risk!
@nluedtke Thank you, as this was disclosed publicly my priority was to get a fix out rather than asking for a CVE. Thanks for removing that burden, I'll get the documentation updated.
lockbot
locked as resolved and limited conversation to collaborators
Aug 7, 2019
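
A configuration check for the pattern reported in this issue, as an added example (not code from the Mosquitto project): it flags a config that combines `per_listener_settings true` with an `acl_file` on the default listener, and any `acl_file` path that does not exist, since the broker was reported to start without complaining. The function name, finding labels and the injectable `file_exists` parameter are assumptions of this example.

```python
import os

# The configuration from the issue, reproduced as sample input.
ISSUE_CONFIG = """\
per_listener_settings true
port 1883
acl_file /etc/mosquitto/aclfile.foo
listener 1884
acl_file /etc/mosquitto/aclfile.bar
"""

def audit_mosquitto_conf(text, file_exists=os.path.exists):
    """Return (finding, listener, acl_path) tuples for a mosquitto.conf body."""
    per_listener = False
    current = "default"   # options before any `listener` line belong to the default listener
    default_port = None
    acl_files = {}        # listener label -> acl_file path
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "per_listener_settings":
            per_listener = value.lower() == "true"
        elif key == "port":
            default_port = value
        elif key == "listener" and value:
            current = value.split()[0]   # label explicit listeners by their port
        elif key == "acl_file":
            acl_files[current] = value
    findings = []
    # Pattern from the issue: ACL file attached to the default listener
    # while per-listener settings are enabled.
    if per_listener and "default" in acl_files:
        findings.append(("default-listener-acl", default_port or "1883",
                         acl_files["default"]))
    # The broker was reported to start fine with a missing file, so check here.
    for listener, path in acl_files.items():
        if not file_exists(path):
            findings.append(("acl-file-missing", listener, path))
    return findings

if __name__ == "__main__":
    for finding in audit_mosquitto_conf(ISSUE_CONFIG):
        print(finding)
```

A `default-listener-acl` finding means the ACLs on that port should be verified with a real publish/subscribe test rather than assumed from the config.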