Re: [mosquitto-dev] Unable to start mosquitto - problem with password fi

[Peter Rockett <p.rockett@xxxxxxxxxxxxxxx>]

Greg

OK. You've convinced me! I had missed the significance of the 'user' 
entry in the mosquitto.conf doc. But I think that falls into the 
category of blindingly obvious... if you know the answer. I still think 
it would be helpful for the need to have mosquitto in the group 
permissions of passwd explicitly documented somewhere - especially as 
this seems to have been introduced since I last used mosquitto. And I 
still think the warning from mosquitto_password about '0700' access is 
very misleading.

I agree with your 'best practice' recommendations. Exactly what I had 
iterated to!

Best,

P.

On 31/10/2023 16:19, Greg Troxel wrote:
> Peter Rockett via mosquitto-dev <mosquitto-dev@xxxxxxxxxxx> writes:
>
> > Ummm.... Can anybody convince me this isn't a bug at some level. It is
> > telling me to change the world read access to none... which means
> > starting the service will bail with an error on the passwd file
> > permissions. It seems like world read access is required by the
> > mosquitto daemon somehow. (Also, why should a data file like this need
> > owner execute permissions?)
> >
> > Any comments before I file a ticket?
> Stepping back from what mosquitto does, I'd say best practice is:
>
>    passwd file owned by root (so the mosquitto process cannot write it)
>
>    passwd file in mosquitto group
>
>    permission 640
>
>    (it makes no sense to have an x bit on a text file)
>
> I would suggest using ktrace/ktruss/dtrace/strace or whatever your
> system has to look at the system calls and what fails.  Also inspect
> your startup scripts to see what uid/gid mosquitto runs as.
>
> See mosquitto.conf(5), the "user" option, which says mosquitto changes
> to that use and it's group:
>
>         user username
>             When run as root, change to this user and its primary group on
>             startup. If set to "mosquitto" or left unset, and if the
>             "mosquitto" user does not exist, then mosquitto will change to the
>             "nobody" user instead. If this is set to another value and
>             mosquitto is unable to change to this user and group, it will exit
>             with an error. The user specified must have read/write access to
>             the persistence database if it is to be written. If run as a
>             non-root user, this setting has no effect. Defaults to mosquitto.
>
>
> On my system
>
>    /usr/pkg/sbin/mosquitto is 755 (so no suid/sgid at all going on)
>
>    the default of "user mosquitto" is not contradicted by my config file
>
>    the user mosquitto has a primary group of mosquitto
>
>    my config file is 640, but mosquitto.mosquitto vs root.mosquitto as I
>    suggest above.
>