Hi Michael,

On Mon, Mar 06, 2023 at 11:17:39AM +0100, Michael Prokop wrote:
> With your configuration applied I see the following line in the logs:
> 
> |  mosquitto[1750]: 1678096815: The 'bind_address' option is now deprecated and will be removed in a future version. The behaviour will default to true.

Thank you for looking into it and explaining how to get rid of
bind_address.

> | # cat /etc/mosquitto/conf.d/listen.conf
> | listener 1883 127.0.0.1
> | socket_domain ipv4
> | protocol mqtt
> |
> | listener 9001 127.0.0.1
> | socket_domain ipv4
> | protocol websockets
> 
> ... it behaves as documented/expected:
> 
> | # ss -tlpn | grep mosquitto
> | LISTEN 0      4096       127.0.0.1:9001      0.0.0.0:*    users:(("mosquitto",pid=1994,fd=8))
> | LISTEN 0      100        127.0.0.1:1883      0.0.0.0:*    users:(("mosquitto",pid=1994,fd=5))

Thank you. I can reproduce that.

However, when I changed my configuration to not use bind_address, it
still used a free bind, so there must be a difference. That difference
happens to be the socket_domain line. If you drop that for the websocket
listener, it does a free bind again despite being told to use 127.0.0.1.

> IMO this isn't even a bug, so for now I downgraded the severity,
> though if you agree I'd tend to close this bug report. (But I'm
> neither the bug reporter nor the package maintainer, so leaving that
> to either one of you :))

I still think it is. The reproducer just becomes different:

listener 1883 127.0.0.1
listener 9001 127.0.0.1
protocol websockets

I think this intuitively looks secure, but in reality is not. Once you
add socket_domain, it actually becomes secure and that's a great
improvement already. Given the simplicity of the mitigation, I agree
that this is not serious anymore, but it still is a bug. If it doesn't
bind 127.0.0.1, it should produce an error. A relatively simple way
could be making a listener IP address without a socket_domain an invalid
configuration.

Helmut
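Two checks that follow from the thread above, written as an added example in POSIX shell; this is not code from the bug report, from the Debian package or from mosquitto itself. The first implements the validation Helmut proposes: every `listener <port> <ip>` block that is not followed by a `socket_domain` line is flagged. The second takes `ss -tlpn` output and reports mosquitto sockets bound to all interfaces, so you can verify what the broker actually did rather than what the config says. The config snippets are the two from the thread; the `ss` listings are constructed for this example (the thread does not show a listing for the free-bind case, so the second one is an assumption of what it would look like).

```shell
#!/bin/sh
# Added example (not part of the bug report or of mosquitto).
# lint_listeners: reads a mosquitto.conf-style file on stdin and prints one
#   line per "listener <port> <ip>" block that has no socket_domain directive
#   before the next listener (the check proposed in the thread).
# check_bound: reads `ss -tlpn` output on stdin and prints one line per
#   mosquitto LISTEN socket whose local address is a wildcard.

lint_listeners() {
    awk '
        function flush() {
            # Only listeners that name an IP address are interesting; a bare
            # "listener <port>" is an intentional bind to all interfaces.
            if (port != "" && ip != "" && !has_domain)
                printf "listener %s %s: no socket_domain, may bind all interfaces\n", port, ip
        }
        $1 == "listener"      { flush(); port = $2; ip = $3; has_domain = 0; next }
        $1 == "socket_domain" { has_domain = 1 }
        END                   { flush() }
    '
}

check_bound() {
    awk '
        /mosquitto/ && $1 == "LISTEN" {
            addr = $4
            sub(/:[0-9]+$/, "", addr)          # strip the port, keep the bind address
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
                printf "%s is bound to all interfaces\n", $4
        }
    '
}

# Helpers that return the number of findings, so the result can be asserted on.
count_lint() { printf '%s\n' "$1" | lint_listeners | awk 'END { print NR }'; }
count_open() { printf '%s\n' "$1" | check_bound   | awk 'END { print NR }'; }

# The reproducer from the thread: looks loopback-only, but the websockets
# listener does a free bind because socket_domain is missing.
BAD_CONF='listener 1883 127.0.0.1
listener 9001 127.0.0.1
protocol websockets'

# The configuration with socket_domain on both listeners.
GOOD_CONF='listener 1883 127.0.0.1
socket_domain ipv4
protocol mqtt

listener 9001 127.0.0.1
socket_domain ipv4
protocol websockets'

# Constructed `ss -tlpn` output for the bad case (assumed shape of a free bind;
# the sshd line shows that unrelated sockets are ignored).
SS_BAD='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=700,fd=3))
LISTEN 0      100        127.0.0.1:1883      0.0.0.0:*    users:(("mosquitto",pid=1994,fd=5))
LISTEN 0      4096         0.0.0.0:9001      0.0.0.0:*    users:(("mosquitto",pid=1994,fd=8))'

# Constructed `ss -tlpn` output matching the listing quoted in the thread.
SS_GOOD='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096       127.0.0.1:9001      0.0.0.0:*    users:(("mosquitto",pid=1994,fd=8))
LISTEN 0      100        127.0.0.1:1883      0.0.0.0:*    users:(("mosquitto",pid=1994,fd=5))'

echo "== lint: reproducer config"
printf '%s\n' "$BAD_CONF" | lint_listeners
echo "== lint: config with socket_domain"
printf '%s\n' "$GOOD_CONF" | lint_listeners
echo "== ss: free bind"
printf '%s\n' "$SS_BAD" | check_bound
echo "== ss: loopback only"
printf '%s\n' "$SS_GOOD" | check_bound
```

On a real host, run `lint_listeners < /etc/mosquitto/conf.d/listen.conf` and `ss -tlpn | check_bound`; a clean run prints nothing. The lint is deliberately stricter than the broker (it flags the 1883 listener too, which bound correctly in the thread), because the point of the proposed rule is that an address without a socket_domain should not be accepted at all.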
