mosquitto.db can be read by all [SECURITY] #468
ralight added a commit that referenced this issue Jun 23, 2017
Not implemented on Windows. Thanks to Moshe Zioni. Bug: #468
Thanks very much, a good spot. I've fixed this for systems with umask available.
Thank YOU.
The mosquitto.db file is world readable. This obviously leads to the possibility of every local user reading the topic database and values at any given time (permission rw-r--r--).
A security vulnerability such as this may prove disastrous to sensitive or secret data that can be contained within it.
Mitigation will be scoping the permission scheme to a specific user that is running the mosquitto service.
Tested on an up-to-date Raspberry Pi 3 with the latest release of mosquitto.
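The mitigation discussed in this thread (owner-only permissions via umask), sketched as an added example that is not part of the issue or mosquitto's own code. The function names and the file path are hypothetical; it also shows that umask does not help for a file that already exists with rw-r--r--.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not mosquitto's code): create a persistence file
 * that only the owning user can read, using a temporary restrictive umask. */
int write_private(const char *path, const char *data)
{
    mode_t old = umask(0077);     /* new files lose all group/other bits */
    FILE *f = fopen(path, "wb");  /* fopen requests 0666; umask leaves 0600 */
    umask(old);                   /* restore the process-wide umask at once */
    if (f == NULL) return -1;
    int rc = (fputs(data, f) == EOF) ? -1 : 0;
    if (fclose(f) != 0) rc = -1;
    return rc;
}

/* Permission bits that expose the file to group or other users:
 * 0 means private, -1 means the file could not be examined. */
int exposed_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & (S_IRWXG | S_IRWXO));
}

/* umask only applies when a file is created. A file that already exists
 * with rw-r--r-- keeps that mode when reopened, so tighten it explicitly. */
int tighten_existing(const char *path)
{
    return chmod(path, S_IRUSR | S_IWUSR);
}

int main(void)
{
    const char *path = "example_persist.db";   /* constructed sample path */
    unlink(path);
    if (write_private(path, "sensors/door open\n") != 0) return 1;
    printf("exposed bits after create: %03o\n", (unsigned)exposed_bits(path));
    unlink(path);
    return 0;
}
```

On a deployed system the same check applies to a database file written before the fix: it stays world readable until its mode is changed or the file is recreated.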