Scenario

Please make the following assumptions:

- Mosquitto version 2.0.18 is running in a Docker container (Debian).
- Mosquitto is running as user ID 1883:
- Security is disabled - the key lines in `mosquitto.conf` are:
- The ownership and permissions on `/mosquitto/pwfile/pwfile` are:

Test

Invoke:

In response, `mosquitto_passwd`:

- always produces the warning:

  ```
  Warning: File /mosquitto/pwfile/pwfile owner is not root.
  Future versions will refuse to load this file.
  To fix this, use `chown root /mosquitto/pwfile/pwfile`
  ```

- may also produce the warning:

  ```
  Warning: File /mosquitto/pwfile/pwfile has world readable permissions.
  Future versions will refuse to load this file.
  To fix this, use `chmod 0700 /mosquitto/pwfile/pwfile`
  ```

Reaction

I take the following steps:

1. I respond to the warnings by executing the recommended commands:
2. I change `mosquitto.conf` to enable security:
3. I restart the container.

Analysis

root ownership

Changing the ownership of the `pwfile` to root does not persist. That is because the `docker-entrypoint.sh` script contains:

```
chown -R mosquitto:mosquitto /mosquitto
```

Thus any restart of the container will always result in `mosquitto` ownership, and subsequent execution of `mosquitto_passwd` will always produce the warning about the owner not being root.

If I contrive to force root ownership, the container goes into a restart loop because Mosquitto runs as ID=1883 and can't read a `pwfile` that it doesn't own and on which there is no group or world read permission.

I don't have experience running the Mosquitto broker natively so I can't comment on whether root ownership would be appropriate in that context. However, in the Docker context where the container runs as 1883, specifying root ownership seems like a mistake.

mode 700

Unless I'm missing something, mode 700 also seems like a mistake. The `pwfile` file doesn't look like it's intended to be executed so it probably shouldn't have execute permission. In any event, using mode 600 silences the "world readable permissions" warning so I suspect this is a typo in the "To fix this" text.
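
The ownership and mode combinations discussed in the report can be checked with a small model of POSIX read-permission selection. This is an added example, not part of the original report and not Mosquitto's own check; the group ID 1883, the function names and the finding labels are assumptions made for illustration.

```python
import os
import stat
from dataclasses import dataclass

BROKER_UID = 1883  # from the report: the container runs Mosquitto as ID 1883
BROKER_GID = 1883  # assumption: the broker's group ID matches its user ID


@dataclass(frozen=True)
class FileMeta:
    uid: int   # file owner
    gid: int   # file group
    mode: int  # permission bits only, e.g. 0o600


def can_read(meta, uid, gids):
    """POSIX picks exactly one class: owner, else group, else other."""
    if uid == 0:
        return True  # root bypasses discretionary read checks
    if uid == meta.uid:
        return bool(meta.mode & stat.S_IRUSR)
    if meta.gid in gids:
        return bool(meta.mode & stat.S_IRGRP)
    return bool(meta.mode & stat.S_IROTH)


def audit(meta, uid=BROKER_UID, gids=(BROKER_GID,)):
    """Return findings (hypothetical labels) for a password file."""
    findings = []
    if not can_read(meta, uid, gids):
        findings.append("unreadable-by-broker")   # broker cannot load the file
    if meta.mode & stat.S_IROTH:
        findings.append("world-readable")         # any local user can read hashes
    if meta.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("needless-execute-bit")   # a data file needs no x bit
    return findings


def audit_path(path, uid=BROKER_UID, gids=(BROKER_GID,)):
    """Same audit against a real file, e.g. the pwfile inside the container."""
    st = os.stat(path)
    return audit(FileMeta(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)), uid, gids)


# Constructed scenarios mirroring the report's analysis.
SCENARIOS = {
    "root:root 0700 (warning text followed literally)": FileMeta(0, 0, 0o700),
    "1883:1883 0700": FileMeta(BROKER_UID, BROKER_GID, 0o700),
    "1883:1883 0644": FileMeta(BROKER_UID, BROKER_GID, 0o644),
    "1883:1883 0600": FileMeta(BROKER_UID, BROKER_GID, 0o600),
}

if __name__ == "__main__":
    for label, meta in SCENARIOS.items():
        print(f"{label}: {audit(meta) or 'ok'}")
```
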