[Bug 575324] Mosquitto broker with Dynamic Security Plugin may lead to access control failure

Bugzilla Link 575324
Status ASSIGNED
Importance P3 normal
Reported Aug 09, 2021 23:25 EDT
Modified Aug 30, 2021 15:31 EDT
Reporter syncxxx Song

Description

The Dynamic Security Plugin has been supported since Mosquitto 2.0, so this problem affects version 2.0 and later.

The Dynamic Security Plugin sets the default ACL type behaviours to:

  • publishClientSend: deny
  • publishClientReceive: allow
  • subscribe: deny
  • unsubscribe: allow

Consider the following scenario:

  1. A tenant has access to some topic like "message/state", and then he connects to the broker with "cleanStart=False" and a sufficiently large "sessionInterval=10000"

  2. The tenant subscribes to the topic "message/state"

  3. The tenant disconnects from the broker

  4. The admin revokes the privilege from this tenant (subscribePattern message/state)

  5. The tenant reconnects with "cleanStart=False" and his session is recovered, including the subscription to "message/state", which means he doesn't need to send another "SUBSCRIBE" packet.

  6. Because the default "publishClientReceive" is "allow", the tenant can still receive messages from the topic "message/state"

By the way, we can't update the default ACL with a command like "mosquitto_ctrl dynsec setDefaultACLAccess publishClientSend deny" while the broker is running. This could be a bug.
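The scenario in steps 1 to 6, replayed against a simplified model of the ACL decision. This is an added example, not part of the original report and not Mosquitto's code. `Broker`, `replay` and `topic_matches` are hypothetical names, a single "subscribe" ACL kind stands in for the plugin's subscribe ACL types, and the explicit `publishClientReceive` deny rule is modelled here as an assumed mitigation.

```python
# Simplified model of the reported behaviour; not Mosquitto's implementation.
DEFAULTS = {"publishClientSend": False, "publishClientReceive": True,
            "subscribe": False, "unsubscribe": True}   # defaults listed in the report

def topic_matches(pattern, topic):
    """MQTT topic filter match supporting the + and # wildcards."""
    p, t = pattern.split("/"), topic.split("/")
    for i, seg in enumerate(p):
        if seg == "#":
            return True
        if i >= len(t) or (seg != "+" and seg != t[i]):
            return False
    return len(p) == len(t)

class Broker:
    def __init__(self, defaults=DEFAULTS):
        self.defaults = dict(defaults)
        self.acls = {}       # client -> list of (acl_type, pattern, allow)
        self.sessions = {}   # client -> stored subscription filters (persistent session)

    def check(self, client, acl_type, topic):
        # First matching explicit rule wins; otherwise the default for that ACL type.
        for kind, pattern, allow in self.acls.get(client, []):
            if kind == acl_type and topic_matches(pattern, topic):
                return allow
        return self.defaults[acl_type]

    def subscribe(self, client, topic_filter):
        # The subscribe ACL is evaluated only when a SUBSCRIBE packet arrives.
        if not self.check(client, "subscribe", topic_filter):
            return False
        self.sessions.setdefault(client, set()).add(topic_filter)
        return True

    def deliver(self, client, topic):
        """Would a publish on `topic` reach `client` through its stored session?"""
        stored = self.sessions.get(client, ())
        subscribed = any(topic_matches(f, topic) for f in stored)
        return subscribed and self.check(client, "publishClientReceive", topic)

def replay(defaults=DEFAULTS, extra_acl=None):
    """Return (still_receives, can_resubscribe) after the revocation in step 4."""
    b = Broker(defaults)
    b.acls["tenant"] = [("subscribe", "message/state", True)]   # step 1: access granted
    b.subscribe("tenant", "message/state")                      # step 2
    b.acls["tenant"] = [extra_acl] if extra_acl else []         # step 4: revoke
    # Step 5: the session resumes without a new SUBSCRIBE, so only the
    # publishClientReceive check stands between the tenant and the topic (step 6).
    return (b.deliver("tenant", "message/state"),
            b.subscribe("tenant", "message/state"))
```

With the reported defaults, `replay()` shows delivery continuing even though a fresh subscribe is refused; either a default of deny for `publishClientReceive` or an explicit deny rule on the topic stops delivery in this model.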