[Nut-upsuser] upsdevctl is -rwxr-xr-x

Arnaud Quette aquette.dev at gmail.com
Wed Jun 6 11:28:36 UTC 2007


2007/6/6, Steve Adam <steve.adam62 at gmail.com>:
> Hi,
>
> I've installed the debian package of these
> ups tools and everything looks good.
>
> debian:/var/log# upsdrvctl -h
> Network UPS Tools - UPS driver controller 2.0.1
>
> (Though I'll have to wait for a quieter time to pull
> the plug and test it.)
>
> debian:/var/log# ls -l `which upsdrvctl`
> -rwxr-xr-x    1 root     root        18232 Sep 22  2005 /sbin/upsdrvctl
>
> I notice that upsdrvctl is exectuable by anyone.

the same goes for other /sbin binaries... shutdown for example.

> Does that mean that anyone with shell access
> to the server can  "upsdrvctl shutdown"  ?
>
> I'd prefer to restrict execution of that utility
> to root.  Would that cause any problems?

no, there are a number of show stopper that prevent that:
- the config files readability (/etc/nut),
- the devices permissions (only available in RW to root and nut)
- the statedir accessibility
- ...

simply try to launch upsdrvctl start and you will see.

Then you also have all the nut hardening (upsd.users) to protect from
executing commands.
And the SSL things if you want some more (and the chroot'ing too if
you tend to get paranoid)

Note that chmod'ing 550 will have any impact since all actions are
done as root, and then the process fork to the nut user. But to be
coherent you would have to do the same for /lib/nut/*.
The only thing is that you'll lose the ability to use debsum to audit
your system...

Arnaud
-- 
Linux / Unix Expert - MGE UPS SYSTEMS - R&D Dpt
Network UPS Tools (NUT) Project Leader - http://www.networkupstools.org/
Debian Developer - http://people.debian.org/~aquette/
OpenSource Developer - http://arnaud.quette.free.fr/



More information about the Nut-upsuser mailing list