[Nut-upsdev] [nut-Feature Requests][310492] Allow to specify hostnames in ACL (upsd.conf)

Arnaud Quette aquette.dev at gmail.com
Fri Jan 11 11:47:43 UTC 2008


Hi Arjen,

2008/1/7, Arjen de Korte <nut+devel at de-korte.org>:
>
> > Feature Requests item #310492, was opened at 07/01/2008 09:57
> > Status: Open
> > Priority: 3
> > Submitted By: Arnaud Quette (aquette)
> > Assigned to: Nobody (None)
> > Summary: Allow to specify hostnames in ACL (upsd.conf)
> > Category: None
> > Group: None
> >
> >
> > Initial Comment:
> > allow a new ACL form:
> > ACL hostname/mask
> >
> > example:
> > ACL localhost localhost/32
> > or
> > ACL localhost localhost/255.255.255.255
> >
> > This is obviously reserved to names that can be resolved (so host only?)
> >
> >
> > ----------------------------------------------------------------------
> >
> > You can respond by visiting:
> > http://alioth.debian.org/tracker/?func=detail&atid=411545&aid=310492&group_id=30602
>
> The question here is, do we still need ACLs?
>
> In the current implementation, we have done much of the grunt work of
> processing the incoming TCP connection before the ACLs are processed.
> When it comes to preventing abuse of the NUT server, they won't protect
> against a DOS attack. Since nut-2.0.5 (if memory serves), NUT allows
> control on which address we *listen* at through the LISTEN directive in
> 'upsd.conf'. On a multihomed server, one can configure to listen only on
> the internal interfaces for instance, without risking exposure to the
> outside world.
>
> For more fine-grained (source address) access control, you'd need a
> firewall anyway (see above). In most (if not all) installations, packet
> filtering (through iptables for instance) will be installed by default,
> which can do a far more efficient job in filtering out unwanted
> connections than we ever can through the ACLs. If a firewall is used, the
> administrator will have to poke a hole in it anyway, to allow incoming
> connections in.
>
> Bottom line is that I think the ACLs are obsolete and can better be
> replaced by kernel packet filtering rules and/or the LISTEN directive.
> This will surely reduce the burden of setting up the 'upsd' server,
> without sacrificing security (adding additional DNS queries for incoming
> connections will only amplify the effectiveness of DOS attacks, so that is
> another reason why this feature request is not a good idea).
>
> Therefore, I would like to suggest to remove the ACL code from the server
> and change the default LISTEN address (if one is not provided in
> 'upsd.conf') to 127.0.0.1 (IPv4) and/or ::1 (IPv6). This (together with a
> few lines in the UPGRADING file) should be secure enough by default. We
> should probably make this part of nut-2.4.0, to make sure that people are
> not caught off-guard by this change.

Seconded for the ACL. A comment about security should also be added
somewhere in the installation doc (for the doc rewrite).

I'm also thinking about simplifying the user definitions. Though the
problem is harder to solve there (PAM + access level
(monitoring/RO or RW/commands)). But I've never had time to dig into this
part. Any thoughts?

Arnaud
-- 
Linux / Unix Expert R&D - MGE Office Protection Systems - http://www.mgeops.com
Network UPS Tools (NUT) Project Leader - http://www.networkupstools.org/
Debian Developer - http://people.debian.org/~aquette/
Free Software Developer - http://arnaud.quette.free.fr/
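
The proposal quoted above (no ACL check after accept, and 127.0.0.1 as the default LISTEN address) comes down to how the listening socket is bound. The C sketch below is an added example, not NUT code and not written by either poster; `open_listener` and `bound_to_ipv4_loopback` are hypothetical names, and refusing non-numeric addresses is this example's own choice.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper, not NUT code: listen on one numeric address, as a
 * LISTEN-style directive would. NULL selects the loopback default proposed
 * in the thread. Returns the socket fd, or -1 on any failure. */
int open_listener(const char *addr, const char *port)
{
    /* Numeric only: a hostname is refused, never sent to DNS. */
    struct addrinfo hints = { .ai_family = AF_UNSPEC, .ai_socktype = SOCK_STREAM,
                              .ai_flags = AI_NUMERICHOST | AI_NUMERICSERV };
    struct addrinfo *res;
    int fd, one = 1;

    if (getaddrinfo(addr ? addr : "127.0.0.1", port, &hints, &res) != 0)
        return -1;
    fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (fd >= 0) {
        setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
        /* The kernel only completes handshakes addressed to the bound
         * address, so filtering happens before any daemon code runs. */
        if (bind(fd, res->ai_addr, res->ai_addrlen) != 0 || listen(fd, 16) != 0) {
            close(fd);
            fd = -1;
        }
    }
    freeaddrinfo(res);
    return fd;
}

/* Returns 1 if fd is bound to an IPv4 loopback address (127.0.0.0/8). */
int bound_to_ipv4_loopback(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);

    if (getsockname(fd, (struct sockaddr *)&sin, &len) != 0)
        return 0;
    return sin.sin_family == AF_INET && (ntohl(sin.sin_addr.s_addr) >> 24) == 127;
}

int main(void)
{
    int fd = open_listener(NULL, "3493"); /* 3493 is NUT's default port */
    return (fd >= 0 && bound_to_ipv4_loopback(fd)) ? 0 : 1;
}
```

A listener opened on 0.0.0.0 instead accepts on every interface, which is the case where a packet filter has to carry the source-address restriction.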


