Re: [mosquitto-dev] [2.0.17] Warnings regarding user/group and readability for custom configuration files

Hi Steve,

Thanks for the heads up. I actually do use docker init containers and that was the solution I had in mind. I had an alpine
container that changes the Ownership / Permissions and through shared volumes I can clear the warnings out for 2.0.17.

Regards,
Shan

On Sun, Aug 27, 2023 at 3:11 AM Steve Prior <sprior@xxxxxxxxxxxx> wrote:
You might be able to do what you want with init containers, see
https://stackoverflow.com/questions/70322031/does-docker-compose-support-init-container

Kubernetes has them too.

The init container could mount the file and copy it into place and
change the permissions/ownership in advance of the mosquitto code using it.

I've got a similar issue relating to /etc/cron.d  and I think I'm going
to mount the source cron file directory and then use an init container
to copy the files into place.

Hope this helps
Steve

On 8/25/2023 6:01 AM, Shan D via mosquitto-dev wrote:
> Hi Roger and team,
>
> As I went through the changelogs I saw the following:
>
> > - Broker will log warnings if sensitive files are world readable/writable, or
> >   if the owner/group is not the same as the user/group the broker is running
> >   as. In future versions the broker will refuse to open these files.
>
> I have an ACL file, Users File, and my Broker configuration that I
> mount using either Docker Compose v2. Of course, I see the warning
> logs for the UID/GID and file permissions in the Broker now.
>
> My Question is what is the rationale behind this? This will only make
> the deployment logic harder for users.
>
> What this implies is that all custom files will require me to have a
> user `mosquitto` (1883 ID) which I may not wish to have configured on
> the operating system in the first place and vice versa where the files
> generated by the docker container may be mounted on the host machine
> with users which might cause mismatches as well making the directory
> of the volumes requiring root access (because GID of root) which a lot
> of users may not have in the first place.
>
> I would like to know if there are ways to make the deployment via
> Docker compatible post 2.0.17 release so that future compatibility is
> maintained if suddenly my configuration files get rejected.
>
> Regards,
> Shan
>
> _______________________________________________
> mosquitto-dev mailing list
> mosquitto-dev@xxxxxxxxxxx
> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/mosquitto-dev
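
The init-container approach discussed in this thread, as an added example that is not part of any poster's message or the Mosquitto project's own code: a script the init container could run to copy mounted files into a shared volume, set their owner and mode, and verify them against the two conditions in the quoted changelog entry. The function names, the mount points in the closing comment and the mode 0600 are assumptions of this example; UID/GID 1883 is the value mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for an init container that
# stages broker config files before the broker starts.
# Assumes GNU or BusyBox stat (the -c option), as shipped in Alpine.

# check_sensitive FILE UID GID
# Succeeds only if FILE is owned by UID:GID and has no world read/write
# bits, the conditions the quoted 2.0.17 changelog entry warns about.
check_sensitive() {
    cs_file=$1; cs_uid=$2; cs_gid=$3
    cs_info=$(stat -c '%a %u %g' "$cs_file") || return 2
    set -- $cs_info
    cs_other=${1#"${1%?}"}                 # last octal digit = "other" bits
    if [ $((cs_other & 6)) -ne 0 ]; then
        echo "$cs_file: world readable/writable (mode $1)" >&2; return 1
    fi
    if [ "$2" != "$cs_uid" ] || [ "$3" != "$cs_gid" ]; then
        echo "$cs_file: owner $2:$3, expected $cs_uid:$cs_gid" >&2; return 1
    fi
}

# stage_sensitive SRC DST UID GID
# Copies SRC to DST without ever exposing a world-accessible copy, then
# sets owner and mode. Mode 0600 is this example's choice.
stage_sensitive() {
    ss_tmp="$2.tmp.$$"
    ( umask 077 && cp "$1" "$ss_tmp" ) || return 1
    chown "$3:$4" "$ss_tmp" && chmod 0600 "$ss_tmp" && mv -f "$ss_tmp" "$2"
}

# stage_all SRC_DIR DST_DIR UID GID
# Stages every regular file and verifies it; stops at the first problem.
stage_all() {
    for sa_f in "$1"/*; do
        [ -f "$sa_f" ] || continue
        sa_dst="$2/$(basename "$sa_f")"
        stage_sensitive "$sa_f" "$sa_dst" "$3" "$4" || return 1
        check_sensitive "$sa_dst" "$3" "$4" || return 1
    done
}

# In the init container (mount points are hypothetical):
#   stage_all /staging /mosquitto/config 1883 1883
```

Because the source mount is only read, the files on the host keep whatever owner and mode they already have; only the copies in the shared volume are changed.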
