Roger Price
2017-Dec-10 15:55 UTC
[Nut-upsuser] Debian 9 : Can't open /etc/nut/upsd.users: Permission denied
On Sun, 10 Dec 2017, Charles Lepple wrote:> Either way, the default permissions are under the packager's control, so > I would recommend that you file a bug with Debian: > https://www.debian.org/Bugs/Reporting (feel free to mention the bug > number here)Debian Bug Tracker told me that the URL is https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884021. Roger
Jim Klimov
2017-Dec-10 17:48 UTC
[Nut-upsuser] Debian 9 : Can't open /etc/nut/upsd.users: Permission denied
On December 10, 2017 4:55:51 PM GMT+01:00, Roger Price <roger at rogerprice.org> wrote:>On Sun, 10 Dec 2017, Charles Lepple wrote: > >> Either way, the default permissions are under the packager's control, >so >> I would recommend that you file a bug with Debian: >> https://www.debian.org/Bugs/Reporting (feel free to mention the bug >> number here) > >Debian Bug Tracker told me that the URL is >https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884021. > >Roger > >_______________________________________________ >Nut-upsuser mailing list >Nut-upsuser at lists.alioth.debian.org >http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/nut-upsuserI am not sure the rights offered in that bug are fully ok: generally you wouldn't want the configs to be writable by the service daemon if you can avoid it (so if it's hacked - it can be abused to a lesser extent). I think the only writable bit is the killpower file, which might better belong in /var/run/nut or state-dir or something like that. Maybe something for nut-cgi needs writes? Otherwise root:nut 640 should be good, IMHO. Maybe even different users for server/driver/clients, for paranoid setups... Jim -- Typos courtesy of K-9 Mail on my Android
Roger Price
2017-Dec-11 10:57 UTC
[Nut-upsuser] Debian 9 : Can't open /etc/nut/upsd.users: Permission denied
On Sun, 10 Dec 2017, Jim Klimov wrote:> I am not sure the rights offered in that bug are fully ok: generally you > wouldn't want the configs to be writable by the service daemon if you > can avoid it (so if it's hacked - it can be abused to a lesser extent). > I think the only writable bit is the killpower file, which might better > belong in /var/run/nut or state-dir or something like that. Maybe > something for nut-cgi needs writes? Otherwise root:nut 640 should be > good, IMHO. Maybe even different users for server/driver/clients, for > paranoid setups...Perhaps a more general review of ownership and permissions would be useful. For example, on my Debian 9 box, command ? ls -alF /sbin/ups* ? reports -rwxr-xr-x 1 root root 425 Jan 25 2017 /sbin/upsd* -rwxr-xr-x 1 root root 30816 Jan 25 2017 /sbin/upsdrvctl* -rwxr-xr-x 1 root root 429 Jan 25 2017 /sbin/upsmon* -rwxr-xr-x 1 root root 30808 Jan 25 2017 /sbin/upssched* Wouldn't owner root:nut and permissions 750 be better? Roger
Maybe Matching Threads
- Debian 9 : Can't open /etc/nut/upsd.users: Permission denied
- Debian 9 : Can't open /etc/nut/upsd.users: Permission denied
- Debian 9 : Can't open /etc/nut/upsd.users: Permission denied
- Debian 9 : Can't open /etc/nut/upsd.users: Permission denied
- Nut-upsuser Digest, Vol 231, Issue 4