
mosquitto.db can be read by all [SECURITY] #468

Closed
dalmoz opened this Issue Jun 21, 2017 · 3 comments


dalmoz commented Jun 21, 2017

The mosquitto.db file is world readable (permission rw-r--r--). This obviously leads to the possibility of every local user reading the topic database and values at any given time.

A security vulnerability such as this may prove disastrous to sensitive or secret data that can be contained within it.

Mitigation will be scoping the permission scheme to the specific user that is running the mosquitto service.

Tested on an up-to-date raspberry pi 3 with the latest release of mosquitto.

ralight added a commit that referenced this issue Jun 23, 2017

[468] Set persistence file to only be readable by owner.
Not implemented on Windows.

Thanks to Moshe Zioni.

Bug: #468

Contributor

ralight commented Jun 23, 2017

Thanks very much, a good spot. I've fixed this for systems with umask available.
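The issue describes a persistence file created readable by every local user, and the fix above tightens the create mode (via umask on systems that have it). The following is an added example, not mosquitto's code and not taken from the referenced commit: it creates a small file owner-only in C, also tightening the mode of a file that already exists, and includes the check a local audit would run. The file path and contents are constructed for the example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed example: write data to path so that only the owner can read
 * or write it. Returns 0 on success, -1 on error. */
static int write_private_file(const char *path, const char *data)
{
    /* O_CREAT with mode 0600: a NEW file is created with at most rw-------
     * (the umask can only clear bits, never add them). */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    /* The create mode does not apply to a file that already exists: an old
     * rw-r--r-- persistence file would keep that mode across rewrites, so
     * tighten it explicitly on the open descriptor. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) { close(fd); return -1; }
    FILE *fp = fdopen(fd, "wb");
    if (!fp) { close(fd); return -1; }
    size_t len = strlen(data);
    int ok = fwrite(data, 1, len, fp) == len;
    if (fclose(fp) != 0) ok = 0;
    return ok ? 0 : -1;
}

/* Permission bits of path (e.g. 0600), or -1 if it cannot be stat'ed. */
static int file_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 0777);
}

/* Audit check for the bug in this issue: 1 if group or other users have any
 * access to the file, 0 if only the owner does, -1 on error. */
static int is_exposed_to_other_users(const char *path)
{
    int mode = file_mode(path);
    if (mode < 0) return -1;
    return (mode & 077) ? 1 : 0;
}
```

The audit check is the same test to run against an existing mosquitto.db after upgrading, since a file written before the fix keeps whatever mode it was created with until something changes it.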

@ralight ralight added this to the fixes-next milestone Jun 23, 2017


dalmoz commented Jun 23, 2017

Thank YOU.
Keep up the good work, man.

@ralight ralight closed this Jun 23, 2017


dalmoz commented Jun 25, 2017

CVE-2017-9868
