Dynamic Security Plugin is supported since Mosquitto 2.0, so this problem affects version 2.0 and later. Dynamic Security Plugin sets the default ACL type behaviours to:

* publishClientSend: deny
* publishClientReceive: allow
* subscribe: deny
* unsubscribe: allow

Consider the following scenario:

1. A tenant currently has access to some topic like "message/state", and he connects to the broker with "cleanStart=False" and a large enough "sessionInterval=10000".
2. The tenant subscribes to the topic "message/state".
3. The tenant disconnects from the broker.
4. The admin revokes the privilege from this tenant (subscribePattern message/state).
5. The tenant reconnects with "cleanStart=False" and his session is recovered, including the subscription to "message/state", which means he doesn't need to send another "SUBSCRIBE" packet.
6. Because the default "publishClientReceive" is "allow", the tenant can still receive messages from topic "message/state".

By the way, we can't update the default ACL with a command like "mosquitto_ctrl <options> dynsec setDefaultACLAccess publishClientSend deny" when the broker is running. This could be a bug.
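The six-step scenario above, played through as a small Python model. This is an added example and not Mosquitto's or the dynamic security plugin's code: it simulates a broker that checks the subscribe ACL only when a SUBSCRIBE packet arrives and leaves `publishClientReceive` at its "allow" default, so a durable session whose subscribe grant is revoked while offline keeps receiving. The `prune_on_revoke` switch models one assumed mitigation (dropping stored subscriptions that a revoked grant no longer covers, even for offline sessions); it is an assumption for the demonstration, not a statement of how the project fixed the issue. Client and topic names are constructed.

```python
from dataclasses import dataclass, field


def topic_matches(pattern: str, topic: str) -> bool:
    """MQTT topic-filter matching with the '+' and '#' wildcards."""
    p, t = pattern.split("/"), topic.split("/")
    for i, seg in enumerate(p):
        if seg == "#":
            return True
        if i >= len(t) or (seg != "+" and seg != t[i]):
            return False
    return len(p) == len(t)


@dataclass
class Session:
    client_id: str
    subscriptions: set = field(default_factory=set)   # survive disconnect (durable)
    inbox: list = field(default_factory=list)         # (topic, payload) delivered
    online: bool = True


class Broker:
    """Toy broker: only the pieces needed for the revocation scenario."""

    # Mirrors the dynsec defaults quoted in the report.
    DEFAULT_PUBLISH_CLIENT_RECEIVE = True   # publishClientReceive: allow
    DEFAULT_SUBSCRIBE = False               # subscribe: deny

    def __init__(self, prune_on_revoke: bool):
        self.prune_on_revoke = prune_on_revoke  # assumed mitigation switch
        self.sessions = {}          # client_id -> Session
        self.subscribe_grants = {}  # client_id -> set of granted filters

    def grant_subscribe(self, client_id: str, pattern: str) -> None:
        self.subscribe_grants.setdefault(client_id, set()).add(pattern)

    def revoke_subscribe(self, client_id: str, pattern: str) -> None:
        self.subscribe_grants.get(client_id, set()).discard(pattern)
        sess = self.sessions.get(client_id)
        if self.prune_on_revoke and sess is not None:
            # Assumed hardening: remove stored subscriptions the revoked
            # grant covered, whether or not the durable session is online.
            sess.subscriptions = {
                s for s in sess.subscriptions if not topic_matches(pattern, s)
            }

    def connect(self, client_id: str, clean_start: bool) -> Session:
        sess = self.sessions.get(client_id)
        if clean_start or sess is None:
            sess = self.sessions[client_id] = Session(client_id)
        sess.online = True          # cleanStart=False resumes the stored session
        return sess

    def disconnect(self, client_id: str) -> None:
        self.sessions[client_id].online = False   # session kept (expiry not reached)

    def subscribe(self, client_id: str, filt: str) -> bool:
        """The subscribe ACL is evaluated here, at SUBSCRIBE time only."""
        grants = self.subscribe_grants.get(client_id, set())
        allowed = any(topic_matches(g, filt) for g in grants) or self.DEFAULT_SUBSCRIBE
        if allowed:
            self.sessions[client_id].subscriptions.add(filt)
        return allowed

    def publish(self, topic: str, payload: str) -> None:
        for sess in self.sessions.values():
            if any(topic_matches(s, topic) for s in sess.subscriptions):
                # No per-client receive grant exists, so the default applies.
                if self.DEFAULT_PUBLISH_CLIENT_RECEIVE:
                    sess.inbox.append((topic, payload))


def run_scenario(prune_on_revoke: bool) -> list:
    """Steps 1-6 from the report; returns what the tenant received after step 6."""
    b = Broker(prune_on_revoke)
    b.grant_subscribe("tenant", "message/state")        # step 1: access granted
    b.connect("tenant", clean_start=False)              # durable session
    assert b.subscribe("tenant", "message/state")       # step 2: SUBSCRIBE accepted
    b.disconnect("tenant")                              # step 3
    b.revoke_subscribe("tenant", "message/state")       # step 4: admin revokes offline
    sess = b.connect("tenant", clean_start=False)       # step 5: resume, no SUBSCRIBE
    b.publish("message/state", "constructed-state-update")  # step 6
    return sess.inbox


if __name__ == "__main__":
    print("default broker model:", run_scenario(prune_on_revoke=False))
    print("pruning on revoke:   ", run_scenario(prune_on_revoke=True))
```

With `prune_on_revoke=False` the tenant's inbox still contains the message published after revocation, which is the behaviour the report describes; with the assumed pruning in place the inbox stays empty. The same model also shows why the `publishClientReceive` default matters: if that default were "deny" with explicit receive grants per client, step 6 would fail even when the stale subscription survives.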
/cc project lead
Thanks for the report, I confirm the behaviour is as you describe. I'm deciding on the best way to handle it.
Wayne, could you please assign a CVE for this?

Versions: 2.0 to 2.0.11
CWE-285: Improper Authorization
Description: When using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked.
(In reply to Roger Light from comment #3) > Wayne, could you please assign a CVE for this please? We'll use CVE-2021-34434.
This issue has been migrated to https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/638.