mosquitto.db can be read by all [SECURITY] #468

dalmoz · 2017-06-21T22:00:27Z

mosquitto.db file is world readable. This is, obviously, leading to the possibility of every local user to read the topic database and values at any given time. (permission rw-r--r--).

A security vulnerability such as this may prove disastorous to sensitive or secret data that can be contained within it.

Mitigation will be scoping the permission scheme to a specific user, that is running the mosquitto service.

Tested on an up-to-date raspberry pi 3 with the latest release of mosquitto.

Not implemented on Windows. Thanks to Moshe Zioni. Bug: #468

ralight · 2017-06-23T13:52:06Z

Thanks very much, a good spot. I've fixed this for systems with umask available.

dalmoz · 2017-06-23T14:17:44Z

Thank YOU.
Keep up the good work, man.

dalmoz · 2017-06-25T15:11:58Z

CVE-2017-9868

ralight added a commit that referenced this issue Jun 23, 2017

[468] Set persistence file to only be readable by owner.

09cb1b6

Not implemented on Windows. Thanks to Moshe Zioni. Bug: #468

ralight added Type: Bug Component: mosquitto-broker labels Jun 23, 2017

ralight added this to the fixes-next milestone Jun 23, 2017

ralight closed this as completed Jun 23, 2017

lock bot locked as resolved and limited conversation to collaborators Aug 8, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

mosquitto.db can be read by all [SECURITY] #468

mosquitto.db can be read by all [SECURITY] #468

dalmoz commented Jun 21, 2017

ralight commented Jun 23, 2017

dalmoz commented Jun 23, 2017

dalmoz commented Jun 25, 2017

mosquitto.db can be read by all [SECURITY] #468

mosquitto.db can be read by all [SECURITY] #468

Comments

dalmoz commented Jun 21, 2017

ralight commented Jun 23, 2017

dalmoz commented Jun 23, 2017

dalmoz commented Jun 25, 2017