Drop privs to nobody if mosquitto user does not exist.
This commit is contained in:
parent
1c1ccaee52
commit
570c3674fb
@ -1,3 +1,9 @@
|
||||
Broker:
|
||||
- When running as root, if dropping privileges to the "mosquitto" user fails,
|
||||
then try "nobody" instead. This reduces the burden on users installing
|
||||
Mosquitto themselves.
|
||||
|
||||
|
||||
1.6.4 - 20190801
|
||||
================
|
||||
|
||||
|
@ -845,12 +845,15 @@ log_timestamp_format %Y-%m-%dT%H:%M:%S
|
||||
<term><option>user</option> <replaceable>username</replaceable></term>
|
||||
<listitem>
|
||||
<para>When run as root, change to this user and its primary
|
||||
group on startup. If mosquitto is unable to change to
|
||||
this user and group, it will exit with an error. The
|
||||
user specified must have read/write access to the
|
||||
persistence database if it is to be written. If run as
|
||||
a non-root user, this setting has no effect. Defaults
|
||||
to mosquitto.</para>
|
||||
group on startup. If set to "mosquitto" or left unset,
|
||||
and if the "mosquitto" user does not exist, then
|
||||
mosquitto will change to the "nobody" user instead.
|
||||
If this is set to another value and mosquitto is unable
|
||||
to change to this user and group, it will exit with an
|
||||
error. The user specified must have read/write access
|
||||
to the persistence database if it is to be written. If
|
||||
run as a non-root user, this setting has no effect.
|
||||
Defaults to mosquitto.</para>
|
||||
<para>This setting has no effect on Windows and so you
|
||||
should run mosquitto as the user you wish it to run
|
||||
as.</para>
|
||||
|
@ -192,9 +192,11 @@
|
||||
# When run as root, drop privileges to this user and its primary
|
||||
# group.
|
||||
# Set to root to stay as root, but this is not recommended.
|
||||
# If set to "mosquitto", or left unset, and the "mosquitto" user does not exist
|
||||
# then it will drop privileges to the "nobody" user instead.
|
||||
# If run as a non-root user, this setting has no effect.
|
||||
# Note that on Windows this has no effect and so mosquitto should
|
||||
# be started by the user you wish it to run as.
|
||||
# Note that on Windows this has no effect and so mosquitto should be started by
|
||||
# the user you wish it to run as.
|
||||
#user mosquitto
|
||||
|
||||
# =================================================================
|
||||
|
@ -104,8 +104,17 @@ int drop_privileges(struct mosquitto__config *config, bool temporary)
|
||||
if(config->user && strcmp(config->user, "root")){
|
||||
pwd = getpwnam(config->user);
|
||||
if(!pwd){
|
||||
log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid user '%s'.", config->user);
|
||||
if(strcmp(config->user, "mosquitto")){
|
||||
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to drop privileges to '%s' because this user does not exist.", config->user);
|
||||
return 1;
|
||||
}else{
|
||||
log__printf(NULL, MOSQ_LOG_ERR, "Warning: Unable to drop privileges to '%s' because this user does not exist. Trying 'nobody' instead.", config->user);
|
||||
pwd = getpwnam("nobody");
|
||||
if(!pwd){
|
||||
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to drop privileges to 'nobody'.");
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
if(initgroups(config->user, pwd->pw_gid) == -1){
|
||||
err = strerror(errno);
|
||||
|
Loading…
Reference in New Issue
Block a user