[Nut-upsuser] Install problems (group permissions) with nut 2.7.2
rgroner at RTD.com
Wed Feb 18 15:40:29 UTC 2015
Hmmm...well, let's put it this way. I'm trying to do the "right" thing in regards to permissions and access for running NUT and everything involved with it. I note in the installation instructions it says that if you're impatient and want to try starting upsd, upsmon, and drivers right now, you can use "-u root", but that you should set the correct permissions later!
I don't fully understand what the correct permissions are, but I had assumed that it was the reason I had created ups/nut at the beginning. If adding "-u root" to each command is bad security policy, then I'd like to make sure I use a better method.
I've setup NUT several times, and tried following the directions each time, but no matter what I did...I could not get upsdrvctrl to successfully start unless I add "-u root" to it (even if I am root when executing the start command). The directions don't indicate to do that, so I've always figured I have permissions incorrect somewhere. Now I'm finally at the point where I need to get this right.
Does this revolve around hotplug and udev? In other words, is the idea that the created USB device will be in the "nut" group, and thus I'd be able to tell upsdrvctrl to start if I am user "ups"? Or do ups/nut not really play into any of this?
> -----Original Message-----
> From: Charles Lepple [mailto:clepple at gmail.com]
> Sent: Tuesday, February 17, 2015 7:26 PM
> To: Rob Groner
> Cc: nut-upsuser List
> Subject: Re: [Nut-upsuser] Install problems (group permissions) with nut
> On Feb 17, 2015, at 4:37 PM, Rob Groner <rgroner at RTD.com> wrote:
> > I had thought that giving the user and the group would mean that the
> /usr/local/ups/* directories and binaries created by "make install" would
> have "nut" as their group, but they don't....they have only root:root. Does
> the group permissions not get set in these directories upon install? I thought
> that was the point of creating the user and group in the beginning.
> If you want to lock down the binaries to only be readable/executable by
> NUT, you could do that with the group permissions, but since the source
> code to NUT is available, I'm not sure what that buys you (unless you are
> applying additional transformations on the binaries after installation).
> The restricted user/group IDs are primarily to limit the amount of damage
> that can be done if someone finds a bug in upsd, upsmon or the driver.
> These programs give up root permissions (with the exception of the upsmon
> parent, which calls shutdown), so these are the user/group settings that they
> will use by default. Also, since the NUT user/group typically does not have
> write access to USB nodes, we recommend using udev rules to set the
> permissions for NUT, which has the side effect of preventing other non-root
> processes from meddling with the UPS.
> Charles Lepple
> clepple at gmail
More information about the Nut-upsuser