
text of warning messages from mosquitto_passwd may be wrong #2923

Open
Paraphraser opened this issue Oct 13, 2023 · 0 comments
Scenario

Please make the following assumptions:

  1. Mosquitto version 2.0.18 is running in a Docker container (Debian).

  2. Mosquitto is running as user ID 1883:

        PID EUSER    RUSER    SUSER    FUSER    COMMAND
    1824235 1883     1883     1883     1883     mosquitto
    
  3. Security is disabled - the key lines in mosquitto.conf are:

    #password_file /mosquitto/pwfile/pwfile
    allow_anonymous true
    
  4. The ownership and permissions on /mosquitto/pwfile/pwfile are:

    -rw-r--r--    1 mosquitt mosquitt         0 Oct 11 20:30 /mosquitto/pwfile/pwfile
    

Test

Invoke:

$ docker exec mosquitto mosquitto_passwd -b /mosquitto/pwfile/pwfile someuser somepassword

In response, mosquitto_passwd:

  • always produces the warning:

     Warning: File /mosquitto/pwfile/pwfile owner is not root.
     Future versions will refuse to load this file.
     To fix this, use `chown root /mosquitto/pwfile/pwfile`
    
  • may also produce the warning:

     Warning: File /mosquitto/pwfile/pwfile has world readable permissions.
     Future versions will refuse to load this file.
     To fix this, use `chmod 0700 /mosquitto/pwfile/pwfile`
    

Reaction

I take the following steps:

  1. I respond to the warnings by executing the recommended commands:

    $ chown root /mosquitto/pwfile/pwfile
    $ chmod 0700 /mosquitto/pwfile/pwfile
    
  2. I change mosquitto.conf to enable security:

    password_file /mosquitto/pwfile/pwfile
    allow_anonymous false
    
  3. I restart the container.

Analysis

root ownership

Changing the ownership of the pwfile to root does not persist. That is because the docker-entrypoint.sh script contains:

chown -R mosquitto:mosquitto /mosquitto

Thus any restart of the container will always result in mosquitto ownership, and subsequent execution of mosquitto_passwd will always produce the warning about the owner not being root.

If I contrive to force root ownership, the container goes into a restart loop because Mosquitto runs as ID=1883 and can't read a pwfile that it doesn't own and on which there is no group or world read permission.

I don't have experience running the Mosquitto broker natively so I can't comment on whether root ownership would be appropriate in that context. However, in the Docker context where the container runs as 1883, specifying root ownership seems like a mistake.

mode 700

Unless I'm missing something, mode 700 also seems like a mistake. The pwfile file doesn't look like it's intended to be executed so it probably shouldn't have execute permission. In any event, using mode 600 silences the "world readable permissions" warning so I suspect this is a typo in the "To fix this" text.
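As an added example (not code from the issue or from the Mosquitto project), the following POSIX shell check reproduces the two warnings as explicit tests and adds the check the warnings leave out: whether the broker's runtime uid/gid (1883:1883 in the issue; the function name check_pwfile is hypothetical) can still read the file after the suggested chown/chmod. It assumes a stat that supports -c, that the "owner" warning fires on any non-zero owner uid, and that the "world readable" warning fires on the world read bit.

```shell
#!/bin/sh
# Added example, not from the issue or the Mosquitto project.
# check_pwfile FILE [BROKER_UID] [BROKER_GID]
#   Prints owner/group/mode, the warnings mosquitto_passwd would raise
#   (assumed: owner uid != 0, and world read bit set), and whether a
#   broker running as BROKER_UID:BROKER_GID (default 1883:1883, as in
#   the issue) can read the file. Exit 0 if readable, 1 if not, 2 on error.
check_pwfile() {
    file=$1; broker_uid=${2:-1883}; broker_gid=${3:-$broker_uid}
    owner=$(stat -c '%u' "$file") || return 2
    group=$(stat -c '%g' "$file") || return 2
    mode=$(stat -c '%a' "$file")  || return 2
    perm=$(printf '%d' "0$mode")            # octal text (e.g. 644) -> integer
    warnings=''
    # "owner is not root" warning: any owner uid other than 0 (assumption)
    [ "$owner" -ne 0 ] && warnings="${warnings}owner-not-root,"
    # "world readable permissions" warning: o+r bit (0004); 0600 and 0700 both clear it
    [ $((perm & 4)) -ne 0 ] && warnings="${warnings}world-readable,"
    # Can the broker process itself open the file? root reads regardless.
    readable=no
    if [ "$broker_uid" -eq 0 ]; then
        readable=yes
    elif [ "$owner" -eq "$broker_uid" ] && [ $((perm & 256)) -ne 0 ]; then   # u+r = 0400
        readable=yes
    elif [ "$group" -eq "$broker_gid" ] && [ $((perm & 32)) -ne 0 ]; then    # g+r = 0040
        readable=yes
    elif [ $((perm & 4)) -ne 0 ]; then                                       # o+r = 0004
        readable=yes
    fi
    printf 'owner=%s group=%s mode=%04o broker_readable=%s warnings=%s\n' \
        "$owner" "$group" "$perm" "$readable" "${warnings:-none}"
    [ "$readable" = yes ]
}
```

Run it inside the container, for example `docker exec mosquitto sh -c '. /tmp/check.sh; check_pwfile /mosquitto/pwfile/pwfile 1883'`, after each chown/chmod to see whether the warning-free state is also a state the broker can read.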
