Re: [mosquitto-dev] Unable to start mosquitto - problem with password file - SOLVED...ish

Greg

OK. You've convinced me! I had missed the significance of the 'user' entry in the mosquitto.conf doc. But I think that falls into the category of blindingly obvious... if you know the answer. I still think it would be helpful for the need to have mosquitto in the group permissions of passwd to be explicitly documented somewhere - especially as this seems to have been introduced since I last used mosquitto. And I still think the warning from mosquitto_password about '0700' access is very misleading.

I agree with your 'best practice' recommendations. Exactly what I had iterated to!

Best,

P.

On 31/10/2023 16:19, Greg Troxel wrote:
Peter Rockett via mosquitto-dev <mosquitto-dev@xxxxxxxxxxx> writes:

Ummm.... Can anybody convince me this isn't a bug at some level. It is
telling me to change the world read access to none... which means
starting the service will bail with an error on the passwd file
permissions. It seems like world read access is required by the
mosquitto daemon somehow. (Also, why should a data file like this need
owner execute permissions?)

Any comments before I file a ticket?
Stepping back from what mosquitto does, I'd say best practice is:

   passwd file owned by root (so the mosquitto process cannot write it)

   passwd file in mosquitto group

   permission 640

   (it makes no sense to have an x bit on a text file)

I would suggest using ktrace/ktruss/dtrace/strace or whatever your
system has to look at the system calls and what fails.  Also inspect
your startup scripts to see what uid/gid mosquitto runs as.

See mosquitto.conf(5), the "user" option, which says mosquitto changes
to that user and its group:

        user username
            When run as root, change to this user and its primary group on
            startup. If set to "mosquitto" or left unset, and if the
            "mosquitto" user does not exist, then mosquitto will change to the
            "nobody" user instead. If this is set to another value and
            mosquitto is unable to change to this user and group, it will exit
            with an error. The user specified must have read/write access to
            the persistence database if it is to be written. If run as a
            non-root user, this setting has no effect. Defaults to mosquitto.


On my system

   /usr/pkg/sbin/mosquitto is 755 (so no suid/sgid at all going on)

   the default of "user mosquitto" is not contradicted by my config file

   the user mosquitto has a primary group of mosquitto

   my config file is 640, but mosquitto.mosquitto vs root.mosquitto as I
   suggest above.
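The layout Greg recommends above (root-owned, in the daemon's group, mode 640, no x bit, and the daemon's user actually in that group) can be checked mechanically before starting the service. This is an added example, not code from the thread or from the mosquitto project; it assumes stat(1) is GNU (-c) or BSD (-f) and that the caller passes the user and group the daemon drops to, per the "user" option in mosquitto.conf (default mosquitto, primary group mosquitto).

```shell
#!/bin/sh
# Audit a mosquitto password file against: owner root (daemon cannot write
# it), group = daemon's group, mode 640, no execute bit, daemon user in group.
# Assumption (constructed for this example): GNU or BSD stat is available.

# Print "MODE OWNER GROUP" for a file, e.g. "640 root mosquitto".
file_mode_owner_group() {
    stat -c '%a %U %G' "$1" 2>/dev/null || stat -f '%OLp %Su %Sg' "$1"
}

# check_passwd_perms FILE WANT_OWNER SVC_USER SVC_GROUP
# Returns 0 when every check passes, 1 otherwise; each finding is printed
# with the reason it matters, so the output doubles as a fix list.
check_passwd_perms() {
    file=$1 want_owner=$2 svc_user=$3 svc_group=$4 rc=0
    [ -f "$file" ] || { echo "$file: no such file"; return 1; }
    set -- $(file_mode_owner_group "$file")
    mode=$1 owner=$2 group=$3
    perm=$((0$mode))            # octal mode string -> integer bit mask

    [ "$owner" = "$want_owner" ] ||
        { echo "$file: owner $owner, want $want_owner (daemon must not write it)"; rc=1; }
    [ "$group" = "$svc_group" ] ||
        { echo "$file: group $group, want $svc_group (daemon reads it via group bits)"; rc=1; }
    [ $((perm & 0111)) -eq 0 ] ||
        { echo "$file: execute bit set on a text file"; rc=1; }
    [ $((perm & 0007)) -eq 0 ] ||
        { echo "$file: mode $mode is world-accessible; hashes readable by any local user"; rc=1; }
    [ "$mode" = 640 ] ||
        { echo "$file: mode $mode, want 640"; rc=1; }
    # Group-read only helps if the daemon's user is really in that group.
    if id -Gn "$svc_user" 2>/dev/null | tr ' ' '\n' | grep -qx "$svc_group"; then :; else
        echo "$svc_user is not in group $svc_group, so group-read on $file does not help"; rc=1
    fi
    [ $rc -eq 0 ] && echo "$file: ok ($owner:$group $mode, readable by $svc_user)"
    return $rc
}

# Usage: sh check_passwd.sh /etc/mosquitto/passwd root mosquitto mosquitto
if [ $# -eq 4 ]; then check_passwd_perms "$@"; fi
```

Run it as the same uid/gid the startup script gives mosquitto; if it passes but the daemon still fails on the file, strace/ktrace the open() call as Greg suggests.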
