[Nut-upsuser] Install problems (group permissions) with nut 2.7.2

Charles Lepple clepple at gmail.com
Wed Feb 18 00:25:47 UTC 2015


On Feb 17, 2015, at 4:37 PM, Rob Groner <rgroner at RTD.com> wrote:

> I had thought that giving the user and the group would mean that the /usr/local/ups/* directories and binaries created by "make install" would have "nut" as their group, but they don't... they have only root:root. Do the group permissions not get set in these directories upon install? I thought that was the point of creating the user and group in the beginning.

If you want to lock down the binaries to only be readable/executable by NUT, you could do that with the group permissions, but since the source code to NUT is available, I'm not sure what that buys you (unless you are applying additional transformations on the binaries after installation).

The restricted user/group IDs are primarily to limit the amount of damage that can be done if someone finds a bug in upsd, upsmon or the driver. These programs give up root permissions (with the exception of the upsmon parent, which calls shutdown), so these are the user/group settings that they will use by default. Also, since the NUT user/group typically does not have write access to USB nodes, we recommend using udev rules to set the permissions for NUT, which has the side effect of preventing other non-root processes from meddling with the UPS.

-- 
Charles Lepple
clepple at gmail
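
Added example, not part of the original message and not NUT's own code: a C illustration of the privilege drop the reply describes, where a daemon started as root switches to an unprivileged account before doing its work. The account name `nut` and the helper `drop_privileges` are assumptions made for this example.

```c
#define _DEFAULT_SOURCE                      /* exposes initgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

enum drop_result { DROP_OK = 0, DROP_NOT_ROOT, DROP_NO_USER, DROP_FAILED };

/* Permanently switch the process to `user`. Order matters: supplementary
 * groups and the GID must be changed while still root, because once
 * setuid() succeeds the process may no longer change them. */
enum drop_result drop_privileges(const char *user)
{
    if (geteuid() != 0)
        return DROP_NOT_ROOT;                /* no root privileges to give up */

    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return DROP_NO_USER;                 /* caller should exit, not stay root */
    if (pw->pw_uid == 0)
        return DROP_FAILED;                  /* target account is root itself */
    uid_t uid = pw->pw_uid; gid_t gid = pw->pw_gid;  /* pw is static storage */

    if (initgroups(pw->pw_name, gid) != 0)   /* replace root's group list */
        return DROP_FAILED;
    if (setgid(gid) != 0)
        return DROP_FAILED;
    if (setuid(uid) != 0)                    /* sets real, effective, saved UID */
        return DROP_FAILED;
    /* Verify the drop cannot be undone and that the IDs are what we asked for. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return DROP_FAILED;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return DROP_FAILED;
    return DROP_OK;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "nut";   /* assumed account name */
    enum drop_result r = drop_privileges(user);
    if (r != DROP_OK && r != DROP_NOT_ROOT) {
        fprintf(stderr, "could not drop to %s, refusing to continue\n", user);
        return 1;
    }
    printf("running as uid=%ld gid=%ld\n", (long)getuid(), (long)getgid());
    return 0;
}
```

Started as root, the program ends up with only the target account's UID, GID and group list, so files such as a USB device node must grant access to that group for the process to open them.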





