Mosquitto ignores acl_file on default listener if per_listener_settings=true #1073

Closed
jefdriesen opened this Issue Dec 7, 2018 · 2 comments

jefdriesen commented Dec 7, 2018

When mosquitto is configured as follows:

per_listener_settings true

port 1883
acl_file /etc/mosquitto/aclfile.foo

listener 1884
acl_file /etc/mosquitto/aclfile.bar

Then the default listener (on port 1883) ignores the acl_file. This can easily be confirmed by specifying a non-existing acl file. Mosquitto will start up fine, without complaining about the non-existing file. And when trying to send messages, there are indeed no ACLs in effect.

This is a potential security risk!
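
A static check for the configuration pattern reported above, as an added example that is not part of the original issue or of the Mosquitto project's code: it flags an acl_file set on the default listener while per_listener_settings is true, and any acl_file path that does not exist. The function name, the `file_exists` parameter and the finding strings are assumptions of this example; the sample text is the configuration quoted in the report.

```python
import os

# Sample input: the configuration quoted in the report above.
SAMPLE_CONF = """\
per_listener_settings true

port 1883
acl_file /etc/mosquitto/aclfile.foo

listener 1884
acl_file /etc/mosquitto/aclfile.bar
"""

def audit_acl_config(text, file_exists=os.path.isfile):
    """Return a list of findings for acl_file options in mosquitto.conf text."""
    per_listener = False
    section = "default listener"  # options before the first `listener` line
    acl_files = []                # (section, path) pairs in file order
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "per_listener_settings":
            per_listener = (value == "true")
        elif key == "listener" and value:
            section = "listener " + value.split()[0]
        elif key == "acl_file":
            acl_files.append((section, value))
    findings = []
    for section, path in acl_files:
        if not file_exists(path):
            # The report's symptom: a missing ACL file caused no startup error.
            findings.append(f"{section}: acl_file {path} does not exist")
        if per_listener and section == "default listener":
            findings.append(
                f"{section}: acl_file {path} may be ignored because "
                "per_listener_settings is true (CVE-2018-20145)")
    return findings

if __name__ == "__main__":
    for finding in audit_acl_config(SAMPLE_CONF):
        print(finding)
```
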

@ralight ralight added this to the 1.5.5 milestone Dec 8, 2018

@ralight ralight closed this in 9097577 Dec 11, 2018


nluedtke commented Dec 20, 2018

For completeness' sake, this received CVE-2018-20145. https://nvd.nist.gov/vuln/detail/CVE-2018-20145

Contributor

ralight commented Dec 20, 2018

@nluedtke Thank you. As this was disclosed publicly, my priority was to get a fix out rather than asking for a CVE. Thanks for removing that burden, I'll get the documentation updated.
