General description

Yeah, maybe you have already checked the source code on my Bitbucket link. I am not really a Python pro, I was rather learning Python and trying what is possible and what is not. Any feedback is really appreciated!

Purpose of this post is rather to share an idea. So, how it works? 

The python script mqtt-commander.py uses two packages: 

  • paho-mqtt package provides mqtt client features and functionality. 
  • configparser package is used to parse the config file. 

MQTT Topic Tree

MQTT topics are named in a way, which should allow easy access to system data:

/mqtt-commander/<HOSTNAME>/command
/mqtt-commander/<HOSTNAME>/result
/mqtt-commander/<HOSTNAME>/status/<STATUS TOPICS>

Configuration file

The configuration of the tool is following: 

[broker]
host = 10.11.12.13
port = 8883
ca = /etc/mqtt_commander/ca.pem
cert = /etc/mqtt_commander/client.crt
key = /etc/mqtt_commander/client.key

[topics]
root = mqtt-commander
 
[commands]
volume_up = amixer set Master 10%%+
volume_down = amixer set Master 10%%-
mute = amixer -D pulse set Master 1+ toggle

[status]
volume = amixer -D pulse get Master | awk -F 'Left:|[][]' 'BEGIN {RS=""}{ print $3 }'
uptime = uptime | awk  '{print $3}' | awk -F, '{print $1}'

Broker

This section describes connection to the broker. No rocket science. Just create the certificate for connection to your mqtt broker and provide the certification authority certificate. Insecure connection is not supported right now. 

Topics

This section provides MQTT root topic configuration. 

Commands

This section describes supported commands for particular PC. As obvious, tool does not allow raw command insertion, it only allows actions which are explicitly listed in the commands section and executes strictly defined shell command. 

Feel free to add new commands, these are there just to reflect my usage. 

Status

This section describes status topics published periodically by the script. Again, no command can be injected directly via mqtt, everything is aliased in the configuration file. 

Solution Security

When designing this idea, I wanted to minimize a risk that system would be compromised by remote access. Following security controls are there to mitigate potential risks:

  1. TLS connection & certificate-based access to MQTT broker.
  2. Only strictly defined commands are available and defined by the configuration files. 
    1. Implement only safe commands, which can never harm your activities (e.g. shutdown or reboot is probably one that is not wise)
    2. Do not publish any confidential data via MQTT status topics
  3. Run script under non-root user account to limit access in case that there was a vulnerability in the broker, mqtt stack or anywhere else. Systemd service file violates this suggestion so be careful. 


As usual: I bear no responsibility if wrong usage of this tool leads to data loss, system damage or wrong mood.