[Nut-upsuser] Install problems (group permissions) with nut 2.7.2

Rob Groner rgroner at RTD.com
Wed Feb 18 21:18:40 UTC 2015


Actually, never mind....I found an easier way.  This guide is simply going to be the "quick" way to prove the UPS works, and doing it securely will be an exercise left to the user.  As long as I put that in bold letters at the top of the guide, then I don't have a problem just using "-u root" everywhere.

Rob

> -----Original Message-----
> From: Rob Groner
> Sent: Wednesday, February 18, 2015 10:40 AM
> To: 'Charles Lepple'
> Cc: 'nut-upsuser List'
> Subject: RE: [Nut-upsuser] Install problems (group permissions) with nut 2.7.2
> 
> Hmmm...well, let's put it this way.  I'm trying to do the "right" thing in regards
> to permissions and access for running NUT and everything involved with it.  I
> note in the installation instructions it says that if you're impatient and want to
> try starting upsd, upsmon, and drivers right now, you can use "-u root", but
> that you should set the correct permissions later!
> 
> I don't fully understand what the correct permissions are, but I had assumed
> that it was the reason I had created ups/nut at the beginning.  If adding "-u
> root" to each command is bad security policy, then I'd like to make sure I use
> a better method.
> 
> I've set up NUT several times, and tried following the directions each time,
> but no matter what I did...I could not get upsdrvctl to successfully start
> unless I add "-u root" to it (even if I am root when executing the start
> command).  The directions don't indicate to do that, so I've always figured I
> have permissions incorrect somewhere.  Now I'm finally at the point where I
> need to get this right.
> 
> Does this revolve around hotplug and udev?  In other words, is the idea that
> the created USB device will be in the "nut" group, and thus I'd be able to tell
> upsdrvctl to start if I am user "ups"?   Or do ups/nut not really play into any
> of this?
> 
> Rob
> 
> 
> > -----Original Message-----
> > From: Charles Lepple [mailto:clepple at gmail.com]
> > Sent: Tuesday, February 17, 2015 7:26 PM
> > To: Rob Groner
> > Cc: nut-upsuser List
> > Subject: Re: [Nut-upsuser] Install problems (group permissions) with nut 2.7.2
> >
> > On Feb 17, 2015, at 4:37 PM, Rob Groner <rgroner at RTD.com> wrote:
> >
> > > I had thought that giving the user and the group would mean that the
> > > /usr/local/ups/* directories and binaries created by "make install"
> > > would have "nut" as their group, but they don't....they have only
> > > root:root.  Do the group permissions not get set in these
> > > directories upon install?  I thought that was the point of creating the
> > > user and group in the beginning.
> >
> > If you want to lock down the binaries to only be readable/executable
> > by NUT, you could do that with the group permissions, but since the
> > source code to NUT is available, I'm not sure what that buys you
> > (unless you are applying additional transformations on the binaries after
> > installation).
> >
> > The restricted user/group IDs are primarily to limit the amount of
> > damage that can be done if someone finds a bug in upsd, upsmon or the
> > driver.
> > These programs give up root permissions (with the exception of the
> > upsmon parent, which calls shutdown), so these are the user/group
> > settings that they will use by default. Also, since the NUT user/group
> > typically does not have write access to USB nodes, we recommend using
> > udev rules to set the permissions for NUT, which has the side effect
> > of preventing other non-root processes from meddling with the UPS.
> >
> > --
> > Charles Lepple
> > clepple at gmail
> >
> >
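
An added example, not part of the original thread and not NUT's own code: a shell check for the situation discussed above, reporting whether a USB device node is read/write for the unprivileged NUT group while staying closed to other local users. The function name `check_ups_node`, the group argument and any device path passed to it are assumptions, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example (not from NUT): audit the permissions on a UPS device node.
# Assumptions: GNU coreutils stat; the driver drops to the group given in $2.

# check_ups_node NODE GROUP
# Prints one verdict line and returns:
#   0  GROUP owns the node with rw access and "other" cannot write to it
#   1  GROUP cannot open the node read/write (driver would only start as root)
#   2  the node is writable by every local user
#   3  the node does not exist
check_ups_node() {
    node=$1
    want_group=$2

    if [ ! -e "$node" ]; then
        echo "MISSING $node"
        return 3
    fi

    # %G = owning group name, %a = permission bits in octal (e.g. 664)
    group=$(stat -c '%G' "$node")
    mode=$(stat -c '%a' "$node")

    # Last octal digit is "other", the one before it is "group".
    other_bits=$((mode % 10))
    group_bits=$((mode / 10 % 10))

    if [ $((other_bits & 2)) -ne 0 ]; then
        echo "WORLD-WRITABLE $node ($group, $mode)"
        return 2
    fi
    if [ "$group" != "$want_group" ] || [ $((group_bits & 6)) -ne 6 ]; then
        echo "NO-GROUP-ACCESS $node ($group, $mode), expected $want_group rw"
        return 1
    fi
    echo "OK $node ($group, $mode)"
    return 0
}

# Command-line use: script NODE GROUP (both supplied by the operator).
if [ "$#" -eq 2 ]; then
    check_ups_node "$1" "$2"
fi
```

A result of 1 matches the symptom in the thread, where the driver starts only with "-u root"; a result of 2 means the node is open to the non-root processes the udev rule is meant to keep out.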



