Drop privs to nobody if mosquitto user does not exist.
This commit is contained in:
parent
1c1ccaee52
commit
570c3674fb
@ -1,3 +1,9 @@
|
|||||||
|
Broker:
|
||||||
|
- When running as root, if dropping privileges to the "mosquitto" user fails,
|
||||||
|
then try "nobody" instead. This reduces the burden on users installing
|
||||||
|
Mosquitto themselves.
|
||||||
|
|
||||||
|
|
||||||
1.6.4 - 20190801
|
1.6.4 - 20190801
|
||||||
================
|
================
|
||||||
|
|
||||||
|
@ -845,12 +845,15 @@ log_timestamp_format %Y-%m-%dT%H:%M:%S
|
|||||||
<term><option>user</option> <replaceable>username</replaceable></term>
|
<term><option>user</option> <replaceable>username</replaceable></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>When run as root, change to this user and its primary
|
<para>When run as root, change to this user and its primary
|
||||||
group on startup. If mosquitto is unable to change to
|
group on startup. If set to "mosquitto" or left unset,
|
||||||
this user and group, it will exit with an error. The
|
and if the "mosquitto" user does not exist, then
|
||||||
user specified must have read/write access to the
|
mosquitto will change to the "nobody" user instead.
|
||||||
persistence database if it is to be written. If run as
|
If this is set to another value and mosquitto is unable
|
||||||
a non-root user, this setting has no effect. Defaults
|
to change to this user and group, it will exit with an
|
||||||
to mosquitto.</para>
|
error. The user specified must have read/write access
|
||||||
|
to the persistence database if it is to be written. If
|
||||||
|
run as a non-root user, this setting has no effect.
|
||||||
|
Defaults to mosquitto.</para>
|
||||||
<para>This setting has no effect on Windows and so you
|
<para>This setting has no effect on Windows and so you
|
||||||
should run mosquitto as the user you wish it to run
|
should run mosquitto as the user you wish it to run
|
||||||
as.</para>
|
as.</para>
|
||||||
|
@ -192,9 +192,11 @@
|
|||||||
# When run as root, drop privileges to this user and its primary
|
# When run as root, drop privileges to this user and its primary
|
||||||
# group.
|
# group.
|
||||||
# Set to root to stay as root, but this is not recommended.
|
# Set to root to stay as root, but this is not recommended.
|
||||||
|
# If set to "mosquitto", or left unset, and the "mosquitto" user does not exist
|
||||||
|
# then it will drop privileges to the "nobody" user instead.
|
||||||
# If run as a non-root user, this setting has no effect.
|
# If run as a non-root user, this setting has no effect.
|
||||||
# Note that on Windows this has no effect and so mosquitto should
|
# Note that on Windows this has no effect and so mosquitto should be started by
|
||||||
# be started by the user you wish it to run as.
|
# the user you wish it to run as.
|
||||||
#user mosquitto
|
#user mosquitto
|
||||||
|
|
||||||
# =================================================================
|
# =================================================================
|
||||||
|
@ -104,8 +104,17 @@ int drop_privileges(struct mosquitto__config *config, bool temporary)
|
|||||||
if(config->user && strcmp(config->user, "root")){
|
if(config->user && strcmp(config->user, "root")){
|
||||||
pwd = getpwnam(config->user);
|
pwd = getpwnam(config->user);
|
||||||
if(!pwd){
|
if(!pwd){
|
||||||
log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid user '%s'.", config->user);
|
if(strcmp(config->user, "mosquitto")){
|
||||||
|
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to drop privileges to '%s' because this user does not exist.", config->user);
|
||||||
return 1;
|
return 1;
|
||||||
|
}else{
|
||||||
|
log__printf(NULL, MOSQ_LOG_ERR, "Warning: Unable to drop privileges to '%s' because this user does not exist. Trying 'nobody' instead.", config->user);
|
||||||
|
pwd = getpwnam("nobody");
|
||||||
|
if(!pwd){
|
||||||
|
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to drop privileges to 'nobody'.");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if(initgroups(config->user, pwd->pw_gid) == -1){
|
if(initgroups(config->user, pwd->pw_gid) == -1){
|
||||||
err = strerror(errno);
|
err = strerror(errno);
|
||||||
|
Loading…
Reference in New Issue
Block a user