rabbitmq-plugins always executing as root

[arshad01]

Describe the bug

Hello

I am currently using RabbitMQ 4.1.0 on Rocky8. One thing I am noticing is that all cli tools except the rabbitmq-plugins execute as the user rabbitmq. rabbitmq-plugins seems to be running as root. One way to check is to add a LOG trace on port 25672 using iptables. For example:

iptables -t raw -A OUTPUT -p tcp --dport 25672 -j LOG --log-prefix "OUT_PACKET: " --log-uid

Then run a rabbitmq-plugins command:

rabbitmq-plugins list

The packets coming to port 25672 have uid=0 and gid=0

[Dec 2 04:56] OUT_PACKET: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26366 DF PROTO=TCP SPT=44458 DPT=25672 WINDOW=43690 RES=0x00 SYN URGP=0 UID=0 GID=0
[  +1.012843] OUT_PACKET: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26367 DF PROTO=TCP SPT=44458 DPT=25672 WINDOW=43690 RES=0x00 SYN URGP=0 UID=0 GID=0
[  +0.015842] OUT_PACKET: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48946 DF PROTO=TCP SPT=44462 DPT=25672 WINDOW=43690 RES=0x00 SYN URGP=0 UID=0 GID=0
[  +1.007140] OUT_PACKET: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48947 DF PROTO=TCP SPT=44462 DPT=25672 WINDOW=43690 RES=0x00 SYN URGP=0 UID=0 GID=0

Any other tool like rabbitmqctl shows the packets with uid=rabbitmq

Is this an expected behavior of rabbitmq-plugins?

Thanks

Reproduction steps

1. iptables -t raw -A OUTPUT -p tcp --dport 25672 -j LOG --log-prefix "OUT_PACKET: " --log-uid
2. rabbitmq-plugins list
3. dmesg -wH

Expected behavior

rabbitmq-plugins should run as user rabbitmq

Additional context

The reason it is an issue for me is because I have iptables rules on OUTPUT chain to allow only rabbitmq user to connect to port 25672 and reject all other user including root.

[michaelklishin]

@arshad01 please never again file issues for questions.

rabbitmq-plugins does not have to run as root but RPM and Debian packages can be more opinionated. rabbitmq-plugins needs to modify local files, and depending on how RabbitMQ was installed, the package may choose to use higher privileges.

[arshad01]

Thanks for the reply @michaelklishin and apologies for filing the question as issue.