acl_file variable containing "/" - change in behaviour between 2.0.22 and 2.1.2 #3520

@MattBrittan

There is a change in behavior in the ACL substitution pattern handling between version 2.0.22 and 2.1.2. v2.1.2 may be behaving "correctly" but this change may break existing use-cases (it broke one of mine :-) ). In 2.0.22 the substitution pattern can contain a / and this will match across multiple levels; 2.1.2 will deny these requests (but does not reject the acl_file). The docs say "The substitution pattern must be the only text for that level of hierarchy." (this does not explicitly exclude substitutions that cover more than one level). Test configuration files are at the end (the test is the simplest one I could create; real use is a bit more complex).

For this test I'm using a user test/1 and attempting to publish to the topic test/1 (i.e. mosquitto_pub -u test/1 -P password -t test/1 -m xxxy). This is permitted through the ACL entry pattern write %u. My expectation is that the PUBLISH will be accepted.

With 2.0.22 this works fine:

mosquitto  | 1771913248: mosquitto version 2.0.22 running
mosquitto  | 1771913258: New connection from ::1:55140 on port 1883.
mosquitto  | 1771913258: New client connected from ::1:55140 as auto-6645AFC2-B4ED-8935-18A7-32831DE46722 (p2, c1, k60, u'test/1').
mosquitto  | 1771913258: No will message specified.
mosquitto  | 1771913258: Sending CONNACK to auto-6645AFC2-B4ED-8935-18A7-32831DE46722 (0, 0)
mosquitto  | 1771913258: Received PUBLISH from auto-6645AFC2-B4ED-8935-18A7-32831DE46722 (d0, q0, r0, m0, 'test/1', ... (4 bytes))
mosquitto  | 1771913258: Received DISCONNECT from auto-6645AFC2-B4ED-8935-18A7-32831DE46722

With exactly the same config on 2.1.2 the publish fails:

mosquitto  | 1771913930: mosquitto version 2.1.2 running
mosquitto  | 1771913938: New connection from ::1:52442 on port 1883.
mosquitto  | 1771913938: New client connected from ::1:52442 as auto-7835FF19-817E-09B3-C397-153E4317D720 (p4, c1, k60, u'test/1').
mosquitto  | 1771913938: No will message specified.
mosquitto  | 1771913938: Sending CONNACK to auto-7835FF19-817E-09B3-C397-153E4317D720 (0, 0)
mosquitto  | 1771913938: Denied PUBLISH from auto-7835FF19-817E-09B3-C397-153E4317D720 (d0, q0, r0, m0, 'test/1', ... (4 bytes))
mosquitto  | 1771913938: Received DISCONNECT from auto-7835FF19-817E-09B3-C397-153E4317D720

The release notes say "The acl_file option is deprecated in favour of the acl-file plugin, which is the same code but moved into a plugin." but based upon the above this does not appear to be the full story. It would be nice to see the previous functionality restored (but I'll understand if you feel the new code is operating as intended).

# mosquitto.conf
user mosquitto
log_type all
allow_anonymous false
password_file /mosquitto/config/password.conf
acl_file /mosquitto/config/acl.conf
listener 1883

# password.conf
# user test/1:password
test/1:$7$101$VQwlyo7CUxDNi9Im$kLsiWNvgmGbCUmPggS235QqzUh6dlpeslwfppe4HwGXIgcTpNIzZmaf09NHhWeiBcf8otlNZasmB4HfozJrzUg==

# acl.conf
pattern write %u
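
The difference described in the issue, as an added example that is not part of the original post and not Mosquitto's code: a simplified Python model of the two reported outcomes for `%u`, plus a check that lists which username/pattern pairs lose access between them. The function names, the extra sample patterns and the user `alice` are assumptions made for illustration.

```python
# Added example: simplified model of the reported behaviours, NOT Mosquitto's ACL code.

def _match(pattern_levels, topic_levels):
    """MQTT-style match; each pattern level is (text, is_literal)."""
    for i, (text, literal) in enumerate(pattern_levels):
        if not literal and text == "#":
            return True                  # multi-level wildcard covers the rest
        if i >= len(topic_levels):
            return False
        if not literal and text == "+":
            continue                     # single-level wildcard
        if text != topic_levels[i]:
            return False
    return len(pattern_levels) == len(topic_levels)

def allow_expand(pattern, username, topic):
    """Substitute %u, then match: '/' in the username spans several levels
    (the outcome reported for 2.0.22)."""
    levels = []
    for lvl in pattern.split("/"):
        if lvl == "%u":
            levels += [(part, True) for part in username.split("/")]
        else:
            levels.append((lvl, False))
    return _match(levels, topic.split("/"))

def allow_per_level(pattern, username, topic):
    """%u must equal exactly one topic level, so a username containing '/'
    never matches (the outcome reported for 2.1.2)."""
    levels = [(username, True) if lvl == "%u" else (lvl, False)
              for lvl in pattern.split("/")]
    return _match(levels, topic.split("/"))

def upgrade_breakage(patterns, usernames):
    """(username, pattern, topic) triples allowed by the expand model but
    denied by the per-level model."""
    lost = []
    for user in usernames:
        for pat in (p for p in patterns if "%u" in p.split("/")):
            # Probe topic: %u filled in, wildcards replaced by a concrete level.
            topic = "/".join(user if l == "%u" else "x" if l in ("+", "#") else l
                             for l in pat.split("/"))
            if allow_expand(pat, user, topic) and not allow_per_level(pat, user, topic):
                lost.append((user, pat, topic))
    return lost

# Constructed sample data mirroring the issue's test setup.
PATTERNS = ["%u", "devices/%u/status", "site/+/%u/#"]
USERS = ["test/1", "alice"]
```

Calling `upgrade_breakage(PATTERNS, USERS)` flags only `test/1`, for all three patterns; running the same check over the real usernames and `pattern` lines before an upgrade shows which clients would start seeing denied publishes.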
