Issue created Aug 10, 2021 by Eclipse Genie@genie

[Bug 575324] Mosquitto broker with Dynamic Security Plugin may lead to access control failure

Bugzilla Link: 575324
Status: ASSIGNED
Importance: P3 normal
Reported: Aug 09, 2021 23:25 EDT
Modified: Aug 30, 2021 15:31 EDT
Reporter: syncxxx Song

Description

The Dynamic Security Plugin has been supported since Mosquitto 2.0, so this problem affects version 2.0 and later.

The Dynamic Security Plugin sets the default ACL type behaviours to:

  • publishClientSend: deny
  • publishClientReceive: allow
  • subscribe: deny
  • unsubscribe: allow

Consider the following scenario:

  1. A tenant currently has access to a topic such as "message/state"; he then connects to the broker with "cleanStart=False" and a sufficiently large "sessionInterval=10000".

  2. The tenant subscribes to the topic "message/state".

  3. The tenant disconnects from the broker.

  4. The admin revokes the privilege from this tenant (subscribePattern message/state).

  5. The tenant reconnects with "cleanStart=False" and his session is recovered, including the subscription to "message/state", which means he does not need to send another "SUBSCRIBE" packet.

  6. Because the default "publishClientReceive" is "allow", the tenant can still receive messages from the topic "message/state".

By the way, we can't update the default ACL with a command like "mosquitto_ctrl dynsec setDefaultACLAccess publishClientSend deny" while the broker is running. This could be a bug.
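To make the failure mode concrete, here is an added Python model of the access decision the report describes (example code written for this page, not Mosquitto's own code). The JSON fragment and the helper names acl_allows, harden and revoke are assumptions modelled on the dynsec file layout; the model contrasts the default-allow publishClientReceive with a configuration where receive rights are granted explicitly and therefore disappear together with the revoked subscription.

```python
import copy
import json

# Constructed dynamic-security.json fragment modelled on the dynsec layout (field names assumed).
WEAK_CONFIG = json.loads("""{
  "defaultACLAccess": {"publishClientSend": false, "publishClientReceive": true,
                       "subscribe": false, "unsubscribe": true},
  "roles": [{"rolename": "tenant", "acls": [
      {"acltype": "subscribePattern", "topic": "message/state", "allow": true}]}],
  "clients": [{"username": "tenant1", "roles": [{"rolename": "tenant"}]}]
}""")
DEFAULT_KEY = {"subscribePattern": "subscribe", "publishClientReceive": "publishClientReceive"}

def topic_matches(pattern, topic):
    """MQTT wildcard match: '+' is one level, a trailing '#' is the remainder."""
    p, t = pattern.split("/"), topic.split("/")
    if p[-1] == "#":
        p, t = p[:-1], t[:len(p) - 1]
    return len(p) == len(t) and all(a in ("+", b) for a, b in zip(p, t))

def acl_allows(cfg, username, acltype, topic):
    """Explicit role ACLs win; otherwise the matching defaultACLAccess key applies."""
    roles = {r["rolename"]: r for r in cfg["roles"]}
    client = next(c for c in cfg["clients"] if c["username"] == username)
    for ref in client["roles"]:
        for acl in roles[ref["rolename"]]["acls"]:
            if acl["acltype"] == acltype and topic_matches(acl["topic"], topic):
                return acl["allow"]
    return cfg["defaultACLAccess"][DEFAULT_KEY[acltype]]

def harden(cfg):
    """Deny receive by default; grant it explicitly wherever subscribe is granted."""
    cfg = copy.deepcopy(cfg)
    cfg["defaultACLAccess"]["publishClientReceive"] = False
    for role in cfg["roles"]:
        role["acls"] += [dict(a, acltype="publishClientReceive")
                         for a in role["acls"] if a["acltype"] == "subscribePattern"]
    return cfg

def revoke(cfg, rolename, topic):
    """Step 4 of the report: the admin removes every ACL on the topic from the role."""
    cfg = copy.deepcopy(cfg)
    for role in cfg["roles"]:
        if role["rolename"] == rolename:
            role["acls"] = [a for a in role["acls"] if a["topic"] != topic]
    return cfg

def delivered_after_revocation(cfg):
    """Steps 5-6: the session still holds the subscription, so only publishClientReceive is checked."""
    return acl_allows(revoke(cfg, "tenant", "message/state"), "tenant1", "publishClientReceive", "message/state")
```

With the weak defaults the revoked tenant is still delivered to; with the hardened configuration the same revocation also removes the receive grant, so delivery stops.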
