Mosquitto Passwordfile Authentication, Permission Issues

Hey everyone,

I am working in Chirpstack docker trying to set up my MQTT broker to use username/password authentication from the gateways. I have set up my mosquitto.conf listener to use the passwordfile and everything works fine.

My problem is when trying to add a username/password using mosquitto_passwd -b passwordfile user password with or without sudo, I get the error: Error reading password file: Permission denied

My current file permissions are:

local@lorawan-ns:~/chirpstack-docker/configuration/mosquitto/config$ ls -l
total 8
-rw-rw-r-- 1 1883 1883 145 Feb 16 16:18 mosquitto.conf
-rwx------ 1 1883 1883 610 Feb 16 16:03 passwordfile

Although I have tried all different types of permissions and ownership combinations.

My current setup is functioning properly but the only way I could generate the passwordfile was by making it on my own computer and then copying it to my server running Chirpstack.

From inside my mosquitto container the permissions look like this:

/mosquitto/config # ls -l
total 8
-rw-rw-r--    1 mosquitt mosquitt       145 Feb 16 21:18 mosquitto.conf
-rwx------    1 mosquitt mosquitt       610 Feb 16 21:03 passwordfile

The command to add a user/pass works from inside the container, although it returns the following warnings:

/mosquitto/config # mosquitto_passwd -b passwordfile usertesting passwordtesting
Warning: File /mosquitto/config/passwordfile owner is not root. 
Future versions will refuse to load this file.To fix this, use `chown root /mosquitto/config/passwordfile`.
Warning: File /mosquitto/config/passwordfile group is not root. Future versions will refuse to load this file

I read somewhere that the issue with changing the passwordfile from outside of the container could be due to mosquitto being installed in snap, and that restricts its permissions, although I’m not well versed enough in docker to understand what that really means or how to fix it.

Does anyone know what I would need to do to allow mosquitto access to change the passwordfile outside the container? I would prefer to be able to add gateway user/passwords without needing to enter the container's shell.

I’m happy to share any other relevant information on my setup/config files.

Might be worth mentioning I also cannot create a password file:

local@lorawan-ns:~/chirpstack-docker/configuration/mosquitto/config$ mosquitto_passwd -c newpasswordfile user
Password: 
Reenter password: 
Error: Unable to open file newpasswordfile for writing. Permission denied.

Is the server Ubuntu?
You can switch to root
sudo -s

Then do what you want.
And do chown mosquitt:mosquitt created files if required.

Thanks for the reply,

The server is Ubuntu.

Unfortunately even when executing from root I get the same error:

local@lorawan-ns:~/chirpstack-docker/configuration/mosquitto/config$ sudo -s
[sudo] password for local:

root@lorawan-ns:/home/local/chirpstack-docker/configuration/mosquitto/config# mosquitto_passwd -b passwordfile user password
Error reading password file: Permission denied
Try ‘chown --help’ for more information.

root@lorawan-ns:/home/local/chirpstack-docker/configuration/mosquitto/config# chown mosquitt:mosquitt passwordfile
chown: invalid user: ‘mosquitt:mosquitt’

It also looks like ‘mosquitt’ is only a user inside the container? I’ve also tried mosquitto, root, 1883 and others as the user/group for ownership. All of them give the same error when trying to add a password.

Is there a way to tell what user is being used when I try to execute the command: mosquitto_passwd -b passwordfile user password

Update:

After talking to my friend GPT about this for a while, and doing an strace on the command:

$ sudo strace -f -e trace=setuid,setgid,execve mosquitto_passwd -b passwordfile user password

He is certain it is a conflict with snap’s permissions and file accessibility. The conversation makes it pretty clear that's the issue so here is a blurb:

The output from strace you’ve shared reveals several key points about what happens when you run mosquitto_passwd in your environment:

  1. Snap Package Execution: The command mosquitto_passwd is being invoked through the Snap package manager, as indicated by the initial execution path /snap/bin/mosquitto_passwd. Snap packages are containerized software packages that are isolated from the rest of the system, which affects how they access system resources and files.
  2. Snap Confinement and Permissions: The strace log shows the execution chain involving various Snap internals (snapd, snap-seccomp, snap-confine, etc.). This chain ends with the actual mosquitto_passwd binary located at /snap/mosquitto/873/usr/bin/mosquitto_passwd. The involvement of Snap’s confinement mechanisms (snap-confine) suggests that the command runs within a restricted environment, which could be the root cause of the permission issues you’re experiencing.
  3. Permission Denied Error: The final output Error reading password file: Permission denied directly indicates that the mosquitto_passwd command, when executed within the Snap’s confined environment, does not have the necessary permissions to read (or write to) the specified password file.
  4. User and Group ID Reset: The calls to setuid(0) and setgid(0) attempt to change the effective user ID and group ID to 0 (which is root). This suggests that the snap is attempting to gain root privileges, but given the confinement and security policies applied by Snap, this does not necessarily grant access to all system files, especially if the target file is outside the Snap’s allowed access paths.

Understanding the Issue

The core issue here is not about who is executing the command in terms of user accounts on the system but rather the confinement and permission model enforced by Snap. The Snap confinement system restricts access to the rest of the system to ensure security and isolation, which can lead to permission issues like the one you’re encountering.

Solutions

  • Move the Password File: If possible, place the password file in a location where the Snap package has access. This might be within a specific Snap-accessible directory.
  • Adjust Snap Permissions: Check if there are snap permissions (interfaces) that can be adjusted to allow mosquitto snap access to the necessary files. Use commands like snap connections mosquitto to list and snap connect to adjust permissions.
  • Use a Non-Snap Version of Mosquitto: If the Snap confinement is too restrictive for your use case, consider using a non-Snap version of Mosquitto if available for your platform. This can be installed from the official repository, a PPA, or compiled from source, depending on what’s available for your distribution.

Unfortunately none of the solutions seem applicable in my case (besides maybe #2 of snap connecting the file?), and my docker/snap knowledge is trivial so I don’t want to just start changing things I don’t fully understand.

Does anybody know a safe way to allow mosquitto to change the passwordfile despite being restricted by snap? Should I move the password file into the snap mosquitto folder and have my acl reference it there? Apologies for my ignorance.

I'd also be interested in knowing the security reasons behind why docker and mosquitto are restricted through snap if anyone knows that?

I fixed my issue.

I guess at one point early in my server installation I used sudo snap install mosquitto to download mosquitto and subscribe to my MQTT broker, probably because a tutorial somewhere told me to. Removing mosquitto from snap and installing it through apt-get now allows me to edit the passwordfile.

Still not entirely sure why snap didn’t have access to the proper directories, maybe it has an issue with that directory being mounted to my mosquitto container, but regardless it is working now.
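A small preflight script, added here as an illustration rather than anything posted in the thread, that checks the two things this thread turned on before you run mosquitto_passwd on a bind-mounted file: whether the binary on PATH is the snap-confined one (resolving under /snap) and whether the file's owner and mode match the container's broker. It assumes the broker runs as UID/GID 1883 (the owner shown in the host ls output above) and that the file should carry no group/other bits; the function names are my own.

```shell
#!/bin/sh
# Added preflight check, not from the thread: before editing a password file that
# a container mounts, confirm which mosquitto_passwd is on PATH and that the
# file's owner and mode match what the container's broker expects.
# Assumption: the broker runs as UID/GID 1883 (the owner shown in the host ls
# output above) and the file should carry no group/other permission bits.

# Classify where a resolved binary lives. A snap-confined tool sees a restricted
# view of the filesystem, which is what produced "Permission denied" above.
classify_tool_path() {
    case "$1" in
        "") echo "missing" ;;
        /snap/*) echo "snap-confined" ;;
        /usr/bin/*|/usr/sbin/*|/usr/local/bin/*) echo "native" ;;
        *) echo "unknown" ;;
    esac
}

# Print "MODE UID GID" for a file using ls -ln (works on GNU and BSD ls).
file_owner_mode() {
    ls -ln "$1" | awk '{print $1, $3, $4}'
}

# Return 0 if the file is owned by the expected uid:gid and is not readable by
# group or others; 1 on a mismatch; 2 if the file does not exist.
check_passwd_file() {
    path=$1; want_uid=$2; want_gid=$3
    [ -f "$path" ] || { echo "no such file: $path"; return 2; }
    set -- $(file_owner_mode "$path")
    mode=$1; uid=$2; gid=$3
    if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
        echo "owner is $uid:$gid, expected $want_uid:$want_gid"; return 1
    fi
    case "$mode" in
        ????------*) echo "ok"; return 0 ;;
        *) echo "mode $mode grants group/other access"; return 1 ;;
    esac
}

# Entry point: report which tool PATH resolves to, then check the file.
# Usage: main [passwordfile]   (defaults to ./passwordfile)
main() {
    tool=$(command -v mosquitto_passwd || true)
    echo "mosquitto_passwd resolves to ${tool:-nothing} ($(classify_tool_path "$tool"))"
    check_passwd_file "${1:-passwordfile}" 1883 1883
}
```

Append `main "$@"` to run it as a script; a "snap-confined" result is the signal that the tool cannot see files under the compose directory, regardless of sudo.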
