Mosquitto ignores acl_file on default listener if per_listener_settings=true #1073

Closed
jefdriesen opened this issue Dec 7, 2018 · 2 comments

@jefdriesen

When mosquitto is configured as follows:

per_listener_settings true

port 1883
acl_file /etc/mosquitto/aclfile.foo

listener 1884
acl_file /etc/mosquitto/aclfile.bar

Then the default listener (on port 1883) ignores the acl_file. This can easily be confirmed by specifying a non-existing ACL file. Mosquitto will start up fine, without complaining about the non-existing file. And when trying to send messages, there are indeed no ACLs in effect.

This is a potential security risk!

@ralight ralight added this to the 1.5.5 milestone Dec 8, 2018
@nluedtke

For completeness' sake, this received CVE-2018-20145. https://nvd.nist.gov/vuln/detail/CVE-2018-20145

@ralight
Contributor

ralight commented Dec 20, 2018

@nluedtke Thank you. As this was disclosed publicly, my priority was to get a fix out rather than asking for a CVE. Thanks for removing that burden; I'll get the documentation updated.

@lock lock bot locked as resolved and limited conversation to collaborators Aug 7, 2019
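
A configuration check for the pattern reported in this issue, as an added example that is not part of the original thread or the Mosquitto project's code: it flags an acl_file set in the default-listener section while per_listener_settings is true, and any acl_file path that does not exist. The function name, the finding labels and the simplified parser (no include_dir handling) are assumptions.

```python
import os

# Constructed sample: the configuration quoted in the issue report.
SAMPLE_CONF = """\
per_listener_settings true

port 1883
acl_file /etc/mosquitto/aclfile.foo

listener 1884
acl_file /etc/mosquitto/aclfile.bar
"""

def audit_mosquitto_conf(text, file_exists=os.path.isfile):
    """Return (finding, listener, acl_path) tuples for a mosquitto.conf string."""
    per_listener = False
    default_label = "default"   # replaced by the 'port' value when one is given
    current = None              # None = still in the default-listener section
    acl_files = []              # (listener or None, path) in file order
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0], parts[1].strip()
        if key == "per_listener_settings":
            per_listener = value.lower() == "true"
        elif key == "port":
            default_label = value
        elif key == "listener":
            current = value.split()[0]   # drop the optional bind address
        elif key == "acl_file":
            acl_files.append((current, value))
    findings = []
    for listener, path in acl_files:
        name = default_label if listener is None else listener
        # The condition reported here: the default listener's ACL is not applied.
        if per_listener and listener is None:
            findings.append(("default-listener-acl-ignored", name, path))
        # A missing file should never pass silently, whichever listener owns it.
        if not file_exists(path):
            findings.append(("acl-file-missing", name, path))
    return findings

if __name__ == "__main__":
    for finding in audit_mosquitto_conf(SAMPLE_CONF):
        print(*finding, sep="\t")
```

The first finding only matters on a broker that predates the fix for this issue; the missing-file finding is worth acting on regardless of version.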