[Nut-upsdev] ACLs, binding to an interface, and libwrap
Charles Lepple
clepple at gmail.com
Wed Sep 3 04:04:26 UTC 2008
All,
There was some discussion recently on Ubuntu Launchpad regarding the
bug in NUT 2.2.1 where it was not possible to connect with an accept-all ACL:
https://bugs.launchpad.net/bugs/235653
The package was patched for the upcoming Ubuntu release (intrepid),
but the discussion drifted to the merits of application-level ACLs
(comment 11 and beyond).
Steve Langasek brings up a good point about "security in depth,"
citing a case where binding to an interface isn't granular enough,
but I still tend to agree with Arjen and Arnaud that ACLs are better
handled by a central firewall.
As a second layer of defense, how do you all feel about the "TCP
wrappers" functionality in libwrap? As I understand it, the
hosts.allow and hosts.deny files offer the same level of granularity
that the NUT ACL functionality provided, but with the advantage of a
more well-known (and hopefully well-scrutinized) codebase.
Many Linux distributions have shipped libwrap for years, and it
should be fairly easy to stub out the glue code if people do not want
to bother with libwrap.
Thoughts?
--
Charles Lepple
clepple at gmail
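To make the comparison above concrete, here is an added example (not from the thread or from NUT) that models the hosts.allow / hosts.deny decision order libwrap applies: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted by default. It assumes the daemon name checked against the files is `upsd`, uses constructed sample files, and handles only the ALL, net/mask, trailing-dot prefix and exact-address client patterns (no EXCEPT, no hostname lookups).

```python
"""Minimal model of libwrap's hosts.allow / hosts.deny decision rule (added example)."""
import ipaddress

def _client_matches(pattern, client_ip):
    """True if one client pattern from hosts.allow/hosts.deny covers client_ip."""
    ip = ipaddress.ip_address(client_ip)
    if pattern == "ALL":
        return True
    if "/" in pattern:                       # net/mask: dotted mask or CIDR prefix length
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):                # leading-octet prefix such as "192.168."
        return client_ip.startswith(pattern)
    return client_ip == pattern              # exact address

def _rule_matches(rule, daemon, client_ip):
    """Parse one 'daemon_list : client_list' line and test it against the request."""
    fields = [f.strip() for f in rule.split(":")]
    if len(fields) < 2:
        return False
    daemons = fields[0].replace(",", " ").split()
    clients = fields[1].replace(",", " ").split()
    daemon_ok = "ALL" in daemons or daemon in daemons
    client_ok = any(_client_matches(p, client_ip) for p in clients)
    return daemon_ok and client_ok

def _any_match(text, daemon, client_ip):
    """First-match scan of one file; lines starting with '#' and blank lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and _rule_matches(line, daemon, client_ip):
            return True
    return False

def hosts_access(daemon, client_ip, allow_text, deny_text):
    """libwrap order: hosts.allow wins, then hosts.deny, else access is allowed."""
    if _any_match(allow_text, daemon, client_ip):
        return True
    if _any_match(deny_text, daemon, client_ip):
        return False
    return True

# Constructed sample files: permit the monitoring hosts, refuse everyone else.
# The daemon name 'upsd' is an assumption for this example.
HOSTS_ALLOW = """
# monitoring hosts allowed to talk to the UPS daemon
upsd: 127.0.0.1, 192.168.1.0/255.255.255.0
"""
HOSTS_DENY = """
# without this line the default for unmatched clients is allow-all
upsd: ALL
"""
```

The third case in the test below is the one to watch in deployment: with no hosts.deny entry, an unmatched client is allowed, which is why a deny-all line for the daemon belongs alongside the allow list.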