On Sun, 10 Dec 2017, Jim Klimov wrote:
I am not sure the rights offered in that bug are fully ok: generally you
wouldn't want the configs to be writable by the service daemon if you
can avoid it (so if it's hacked - it can be abused to a lesser extent).
I think the only writable bit is the killpower file, which might better
belong in /var/run/nut or state-dir or something like that. Maybe
something for nut-cgi needs writes? Otherwise root:nut 640 should be
good, IMHO. Maybe even different users for server/driver/clients, for
paranoid setups...
Perhaps a more general review of ownership and permissions would be
useful. For example, on my Debian 9 box, command « ls -alF /sbin/ups* »
reports
-rwxr-xr-x 1 root root 425 Jan 25 2017 /sbin/upsd*
-rwxr-xr-x 1 root root 30816 Jan 25 2017 /sbin/upsdrvctl*
-rwxr-xr-x 1 root root 429 Jan 25 2017 /sbin/upsmon*
-rwxr-xr-x 1 root root 30808 Jan 25 2017 /sbin/upssched*
Wouldn't owner root:nut and permissions 750 be better?
Roger
_______________________________________________
Nut-upsuser mailing list
Nut-upsuser@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/nut-upsuser