Is it safe to run the MQTT broker as root/administrator

Hi!
I’m new to the HA ecosystem and community.
I’m currently running Home Assistant OS 64-bit on a Raspberry Pi 4 Model B 4 GB and I’m just curious whether I should be worried about this line in the MQTT broker log: “Warning: Mosquitto should not be run as root/administrator.” Or can I just ignore it?

It can open you up to potential security problems. IF someone found an exploit in mosquitto AND that exploit exists on the version you are running, AND they have access to the broker (probably via LAN since I doubt you are port forwarding your MQTT server), THEN they might be able to gain control of your little rpi server since any exploit would potentially now run as root access.

With this, someone could have an entry to your network from the outside to do…whatever with.

It’s a lot of IFs. I don’t think you should worry about it personally. But just saying what “could” happen. Unless you want to debug it, I think you’re fine ignoring it.

1 Like

It’s an important warning. It’s warning you against a bad practice. Accidents and hacks happen. What is preventing you from not running it under a root account?

1 Like

Thank you for your help!
I thought so myself too, but wasn’t sure about it.

Thanks for your reply!
Simply put, I don’t know how to do that. Could you point me in the right direction on how to do that? Also, it’s the official MQTT broker addon with which I have this problem, running on Home Assistant OS.
Thanks in advance!

It should run under its own mosquitto user by default. Which installation guide did you follow and/or what are the exact commands that you executed? If I know that I could tell you where it went wrong.

Just want to add that I don’t want to make life difficult for you. It is your choice and I’ll try to help where I can. Personally I wouldn’t run any user service under root.

Thank you!
There were no commands used in the process; it’s just the official Mosquitto addon.
I used its documentation step by step and also made an acl.conf and an accesscontrollist file, and added those to the share folder with the usernames in them; these usernames are also created in Home Assistant.

I think under Home Assistant OS (and a Home Assistant Supervised installation), all Docker containers run as root. But it is only mosquitto that shows this warning.

1 Like

Could you send me a link? My own HA installation is just running HA core in a Python virtual env so it’s a little different.

Also, if you could share any of the configs (just remove any passwords first).

Under which account does your HA instance run?

Is that the preferred/safe option or the only way it can be run?

I think it is the only way.

OK, then it’s probably safe to say @MrSideline’s installation is fine. This is a result then of Docker running as root not as such how mosquitto was installed.

Apologies if I sent anybody on a tangent. Personally it just bothers me to run anything as root unnecessarily.

The reference to addons should’ve alerted me to this being a HASS.io or supervised installation.

4 Likes

Thank you for your help @francisp and @parautenbach, I appreciate it!

Sorry to open this dead-old thread, but it seems to be still relevant.

I just flashed the latest HA OS onto a nano SD card, plugged it into my Raspberry Pi 4, booted up HA, installed the Mosquitto addon and saw this message in its log:
Mosquitto should not be run as root/administrator

To my understanding, it’s impossible to have this addon executed other than as it is.
Would it make sense and be possible to not show this warning in the log if it is running on HA OS?
Or have I overlooked something?

The warning is raised by the Mosquitto MQTT project itself: mosquitto/mosquitto.c at cc1aac336ecbbc251ed4a5126257f6f4fe3ed27c · eclipse/mosquitto · GitHub

There aren’t many practical ways to hide the warning, and even if there were, it would just be sweeping it under the rug.

Running containers as root is a known bad practice, but not sure what conventions add-on developers are using to mitigate this… I don’t see any standard HASS add-on Dockerfiles running the standard RUN useradd ..., USER <n> pattern, so it’s probably an issue for most add-ons. Or is there something else to take into account here?

For the record, I’m hitting this on a very standard Home Assistant Yellow installation immediately after installing Mosquitto MQTT with no configuration changes.

I think the usual answer is “docker isolation”. But I am certainly no expert.
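
As an added illustration of the `RUN useradd ...` / `USER` pattern discussed in the thread (example code written for this page, not taken from any post, from Home Assistant or from the Mosquitto project), this Python script reports which user a Dockerfile's final build stage declares. The sample Dockerfiles and the `mqtt` account name are constructed, and it assumes the base image defaults to root when no `USER` instruction is present.

```python
ROOT_NAMES = {"root", "0"}

# Constructed sample: no USER instruction, so the base image's user applies.
SAMPLE_ROOT = """FROM alpine:3.19
RUN apk add --no-cache mosquitto
CMD ["mosquitto"]
"""

# Constructed sample: USER in the build stage must not count for the final stage.
SAMPLE_NONROOT = """FROM alpine:3.19 AS build
USER root
FROM alpine:3.19
# create an unprivileged account (hypothetical name "mqtt")
RUN addgroup -S mqtt && \\
    adduser -S -G mqtt mqtt
USER mqtt:mqtt
CMD ["mosquitto"]
"""

def logical_lines(text):
    """Yield instructions with backslash continuations joined, comments dropped."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf.strip():
        yield buf.strip()

def final_stage_user(dockerfile_text):
    """Return the last USER value of the final stage, or None if it has none."""
    user = None
    for line in logical_lines(dockerfile_text):
        parts = line.split(None, 1)
        instr = parts[0].upper()
        if instr == "FROM":
            user = None  # every stage starts again from its base image's user
        elif instr == "USER" and len(parts) == 2:
            user = parts[1].strip()
    return user

def runs_as_root(dockerfile_text):
    """True if the final stage declares root/UID 0 or declares no user at all."""
    user = final_stage_user(dockerfile_text)
    if user is None:
        return True  # assumption: base image default is root
    # "name:group" or "uid:gid"; build-arg variables are not resolved here
    return user.split(":", 1)[0] in ROOT_NAMES
```

This only inspects the user declared in the image; the runtime can still override it (for example `docker run --user`), and an entrypoint may change user after start.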