Re: [Nut-upsuser] Debian 9 : Can't open /etc/nut/upsd.users: Permission denied

2017-12-11 Thread Manuel Wolfshant

On 12/11/2017 12:57 PM, Roger Price wrote:
> On Sun, 10 Dec 2017, Jim Klimov wrote:
>
> > I am not sure the rights offered in that bug are fully ok: generally
> > you wouldn't want the configs to be writable by the service daemon if
> > you can avoid it (so if it's hacked - it can be abused to a lesser
> > extent). I think the only writable bit is the killpower file, which
> > might better belong in /var/run/nut or state-dir or something like
> > that. Maybe something for nut-cgi needs writes? Otherwise root:nut
> > 640 should be good, IMHO. Maybe even different users for
> > server/driver/clients, for paranoid setups...
>
> Perhaps a more general review of ownership and permissions would be
> useful.  For example, on my Debian 9 box, command « ls -alF /sbin/ups* »
> reports
>
>   -rwxr-xr-x 1 root root   425 Jan 25  2017 /sbin/upsd*
>   -rwxr-xr-x 1 root root 30816 Jan 25  2017 /sbin/upsdrvctl*
>   -rwxr-xr-x 1 root root   429 Jan 25  2017 /sbin/upsmon*
>   -rwxr-xr-x 1 root root 30808 Jan 25  2017 /sbin/upssched*
>
> Wouldn't owner root:nut and permissions 750 be better?


I'm including below the defaults for the redhat package:

[wolfy@wolfy tmp]$ ll /etc/ups/
total 44
-rw-r-----. 1 root nut  1538 Jan  3  2017 nut.conf
-rw-r-----. 1 root nut  4618 Jan  3  2017 ups.conf
-rw-r-----. 1 root nut  4578 Jan  3  2017 upsd.conf
-rw-r-----. 1 root nut  2131 Jan  3  2017 upsd.users
-rw-r-----. 1 root nut 15312 Jan  3  2017 upsmon.conf
-rw-r-----. 1 root nut  3891 Jan  3  2017 upssched.conf



___
Nut-upsuser mailing list
Nut-upsuser@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/nut-upsuser
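
The ownership scheme proposed in this thread for the config files (owner root, group nut, mode 640, as in the Red Hat listing above) can be checked with a short audit script. This is an added example, not part of any poster's message or of the NUT packages; it assumes GNU stat and that the daemon reads the files through membership in group nut, and the function names `audit_file` and `audit_nut_dir` are made up for illustration.

```shell
#!/bin/sh
# Added example: audit NUT config files against the root:nut 640 scheme.
# Needs GNU stat (coreutils), as shipped on Debian and Red Hat.

# audit_file FILE OWNER GROUP
# Prints one line per finding; returns 0 if FILE conforms, 1 otherwise.
audit_file() {
    file=$1 want_owner=$2 want_group=$3 rc=0
    if [ ! -e "$file" ]; then
        echo "MISSING $file"
        return 1
    fi
    set -- $(stat -c '%U %G %a' -- "$file")   # owner, group, octal mode
    [ "$1" = "$want_owner" ] || { echo "OWNER $file: $1, want $want_owner"; rc=1; }
    [ "$2" = "$want_group" ] || { echo "GROUP $file: $2, want $want_group"; rc=1; }
    m=$((0$3))
    # Assumption: the daemon reads the file via its group, so group read is required.
    [ $((m & 0040)) -ne 0 ] || { echo "GROUP-UNREADABLE $file: mode $3"; rc=1; }
    # The daemon must not be able to write, and "other" gets no access at all.
    [ $((m & 0020)) -eq 0 ] || { echo "GROUP-WRITABLE $file: mode $3"; rc=1; }
    [ $((m & 0007)) -eq 0 ] || { echo "OTHER-ACCESS $file: mode $3"; rc=1; }
    return "$rc"
}

# audit_nut_dir DIR OWNER GROUP
# Checks the six config files from the Red Hat listing; returns the number
# of non-conforming files.
audit_nut_dir() {
    dir=$1 bad=0
    for f in nut.conf ups.conf upsd.conf upsd.users upsmon.conf upssched.conf; do
        audit_file "$dir/$f" "$2" "$3" || bad=$((bad + 1))
    done
    return "$bad"
}

# Stand-alone use: sh nut-perms.sh /etc/nut root nut
if [ $# -eq 3 ]; then
    audit_nut_dir "$@"
fi
```

On the Red Hat layout shown above the directory argument would be /etc/ups instead of /etc/nut.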

Re: [Nut-upsuser] Debian 9 : Can't open /etc/nut/upsd.users: Permission denied

2017-12-11 Thread Roger Price

On Sun, 10 Dec 2017, Jim Klimov wrote:

> I am not sure the rights offered in that bug are fully ok: generally you
> wouldn't want the configs to be writable by the service daemon if you
> can avoid it (so if it's hacked - it can be abused to a lesser extent).
> I think the only writable bit is the killpower file, which might better
> belong in /var/run/nut or state-dir or something like that. Maybe
> something for nut-cgi needs writes? Otherwise root:nut 640 should be
> good, IMHO. Maybe even different users for server/driver/clients, for
> paranoid setups...


Perhaps a more general review of ownership and permissions would be 
useful.  For example, on my Debian 9 box, command « ls -alF /sbin/ups* » 
reports


  -rwxr-xr-x 1 root root   425 Jan 25  2017 /sbin/upsd*
  -rwxr-xr-x 1 root root 30816 Jan 25  2017 /sbin/upsdrvctl*
  -rwxr-xr-x 1 root root   429 Jan 25  2017 /sbin/upsmon*
  -rwxr-xr-x 1 root root 30808 Jan 25  2017 /sbin/upssched*

Wouldn't owner root:nut and permissions 750 be better?

Roger

Re: [Nut-upsuser] Debian 9 : Can't open /etc/nut/upsd.users: Permission denied

2017-12-10 Thread Jim Klimov

On December 10, 2017 4:55:51 PM GMT+01:00, Roger Price wrote:
>On Sun, 10 Dec 2017, Charles Lepple wrote:
>
>> Either way, the default permissions are under the packager's control, so
>> I would recommend that you file a bug with Debian:
>> https://www.debian.org/Bugs/Reporting (feel free to mention the bug
>> number here)
>
>Debian Bug Tracker told me that the URL is
>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884021.
>
>Roger

I am not sure the rights offered in that bug are fully ok: generally you 
wouldn't want the configs to be writable by the service daemon if you can avoid 
it (so if it's hacked - it can be abused to a lesser extent). I think the only 
writable bit is the killpower file, which might better belong in /var/run/nut 
or state-dir or something like that. Maybe something for nut-cgi needs writes? 
Otherwise root:nut 640 should be good, IMHO. Maybe even different users for 
server/driver/clients, for paranoid setups...

Jim
--
Typos courtesy of K-9 Mail on my Android



Re: [Nut-upsuser] Debian 9 : Can't open /etc/nut/upsd.users: Permission denied

2017-12-10 Thread Roger Price

On Sun, 10 Dec 2017, Charles Lepple wrote:

> Either way, the default permissions are under the packager's control, so
> I would recommend that you file a bug with Debian:
> https://www.debian.org/Bugs/Reporting (feel free to mention the bug
> number here)


Debian Bug Tracker told me that the URL is
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884021.

Roger



Re: [Nut-upsuser] Debian 9 : Can't open /etc/nut/upsd.users: Permission denied

2017-12-10 Thread Charles Lepple

On Dec 10, 2017, at 6:10 AM, Roger Price wrote:
> 
> The nut:nut ownership seems to me to be more natural, and the root:nut 
> ownership looks like a bug in the Debian package.

I would argue it slightly differently: upsd has no need to write to upsd.users 
(or change permissions on that file), so root:nut makes sense to me, but with 
group-read permissions enabled.

Either way, the default permissions are under the packager's control, so I 
would recommend that you file a bug with Debian: 
https://www.debian.org/Bugs/Reporting (feel free to mention the bug number here)