Re: [Nut-upsuser] Debian 9 : Can't open /etc/nut/upsd.users: Permission denied
On 12/11/2017 12:57 PM, Roger Price wrote:
> On Sun, 10 Dec 2017, Jim Klimov wrote:
>> I am not sure the rights offered in that bug are fully ok: generally you wouldn't want the configs to be writable by the service daemon if you can avoid it (so if it's hacked - it can be abused to a lesser extent). I think the only writable bit is the killpower file, which might better belong in /var/run/nut or state-dir or something like that. Maybe something for nut-cgi needs writes? Otherwise root:nut 640 should be good, IMHO. Maybe even different users for server/driver/clients, for paranoid setups...
>
> Perhaps a more general review of ownership and permissions would be useful. For example, on my Debian 9 box, command « ls -alF /sbin/ups* » reports
>
> -rwxr-xr-x 1 root root 425 Jan 25 2017 /sbin/upsd*
> -rwxr-xr-x 1 root root 30816 Jan 25 2017 /sbin/upsdrvctl*
> -rwxr-xr-x 1 root root 429 Jan 25 2017 /sbin/upsmon*
> -rwxr-xr-x 1 root root 30808 Jan 25 2017 /sbin/upssched*
>
> Wouldn't owner root:nut and permissions 750 be better?

I'm including below the defaults for the redhat package:

[wolfy@wolfy tmp]$ ll /etc/ups/
total 44
-rw-r-. 1 root nut 1538 Jan 3 2017 nut.conf
-rw-r-. 1 root nut 4618 Jan 3 2017 ups.conf
-rw-r-. 1 root nut 4578 Jan 3 2017 upsd.conf
-rw-r-. 1 root nut 2131 Jan 3 2017 upsd.users
-rw-r-. 1 root nut 15312 Jan 3 2017 upsmon.conf
-rw-r-. 1 root nut 3891 Jan 3 2017 upssched.conf

___
Nut-upsuser mailing list
Nut-upsuser@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/nut-upsuser

Re: [Nut-upsuser] Debian 9 : Can't open /etc/nut/upsd.users: Permission denied
On Sun, 10 Dec 2017, Jim Klimov wrote:
> I am not sure the rights offered in that bug are fully ok: generally you wouldn't want the configs to be writable by the service daemon if you can avoid it (so if it's hacked - it can be abused to a lesser extent). I think the only writable bit is the killpower file, which might better belong in /var/run/nut or state-dir or something like that. Maybe something for nut-cgi needs writes? Otherwise root:nut 640 should be good, IMHO. Maybe even different users for server/driver/clients, for paranoid setups...

Perhaps a more general review of ownership and permissions would be useful. For example, on my Debian 9 box, command « ls -alF /sbin/ups* » reports

-rwxr-xr-x 1 root root 425 Jan 25 2017 /sbin/upsd*
-rwxr-xr-x 1 root root 30816 Jan 25 2017 /sbin/upsdrvctl*
-rwxr-xr-x 1 root root 429 Jan 25 2017 /sbin/upsmon*
-rwxr-xr-x 1 root root 30808 Jan 25 2017 /sbin/upssched*

Wouldn't owner root:nut and permissions 750 be better?

Roger

Re: [Nut-upsuser] Debian 9 : Can't open /etc/nut/upsd.users: Permission denied
On December 10, 2017 4:55:51 PM GMT+01:00, Roger Price wrote:
>On Sun, 10 Dec 2017, Charles Lepple wrote:
>
>> Either way, the default permissions are under the packager's control, so
>> I would recommend that you file a bug with Debian:
>> https://www.debian.org/Bugs/Reporting (feel free to mention the bug
>> number here)
>
>Debian Bug Tracker told me that the URL is
>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884021.
>
>Roger

I am not sure the rights offered in that bug are fully ok: generally you wouldn't want the configs to be writable by the service daemon if you can avoid it (so if it's hacked - it can be abused to a lesser extent). I think the only writable bit is the killpower file, which might better belong in /var/run/nut or state-dir or something like that. Maybe something for nut-cgi needs writes? Otherwise root:nut 640 should be good, IMHO. Maybe even different users for server/driver/clients, for paranoid setups...

Jim
--
Typos courtesy of K-9 Mail on my Android

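Added example (not part of the thread, nor of the NUT or Debian packages): a shell audit for the layout discussed above, root:nut ownership with mode 640. It flags config files that the daemon's group can write, that other users can access, or that the group cannot read, which is the case that produces "Permission denied". The function names and the reliance on `stat -c` are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread: audit NUT config files against the
# "root:nut, mode 640" layout. Assumes a stat that supports -c (GNU, busybox).

# check_conf FILE OWNER GROUP
# Prints one finding per line; prints nothing when the file matches the policy.
check_conf() {
    file=$1 want_owner=$2 want_group=$3
    st=$(stat -c '%a %U %G' "$file") || { echo "$file: cannot stat"; return 0; }
    set -- $st
    octal=$1 owner=$2 group=$3
    mode=$((0$octal))                      # leading 0: parse as octal

    [ "$owner" = "$want_owner" ] ||
        echo "$file: owner is $owner, expected $want_owner"
    [ "$group" = "$want_group" ] ||
        echo "$file: group is $group, expected $want_group"
    # The daemon reaches the file through its group, so group write would let
    # a compromised daemon rewrite its own configuration.
    [ $((mode & 0020)) -eq 0 ] ||
        echo "$file: group-writable (mode $octal)"
    [ $((mode & 0007)) -eq 0 ] ||
        echo "$file: accessible to other users (mode $octal)"
    # Without group read the daemon fails with "Permission denied".
    [ $((mode & 0040)) -ne 0 ] ||
        echo "$file: not group-readable (mode $octal)"
    return 0
}

# audit_dir DIR OWNER GROUP
# Checks every regular file in DIR; returns 0 when clean, 1 on any finding.
audit_dir() {
    findings=$(
        for f in "$1"/*; do
            if [ -f "$f" ]; then check_conf "$f" "$2" "$3"; fi
        done
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Run only when a directory is given, e.g.: sh audit.sh /etc/nut root nut
if [ -n "${1:-}" ]; then audit_dir "$1" "${2:-root}" "${3:-nut}"; fi
```

The directory is /etc/nut on the Debian box in this thread and /etc/ups in the Red Hat listing quoted above.
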
Re: [Nut-upsuser] Debian 9 : Can't open /etc/nut/upsd.users: Permission denied
On Sun, 10 Dec 2017, Charles Lepple wrote:
> Either way, the default permissions are under the packager's control, so I would recommend that you file a bug with Debian: https://www.debian.org/Bugs/Reporting (feel free to mention the bug number here)

Debian Bug Tracker told me that the URL is https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884021.

Roger

Re: [Nut-upsuser] Debian 9 : Can't open /etc/nut/upsd.users: Permission denied
On Dec 10, 2017, at 6:10 AM, Roger Price wrote:
>
> The nut:nut ownership seems to me to be more natural, and the root:nut
> ownership looks like a bug in the Debian package.

I would argue it slightly differently: upsd has no need to write to upsd.users (or change permissions on that file), so root:nut makes sense to me, but with group-read permissions enabled.

Either way, the default permissions are under the packager's control, so I would recommend that you file a bug with Debian: https://www.debian.org/Bugs/Reporting (feel free to mention the bug number here)