Nut upsuser - Feb 2015 - Install problems (group permissions) with nut 2.7.2

I am attempting to do a from-scratch install of nut into openSUSE 13.1 so I can
document the steps a customer will need to follow to make nut work with our UPS.
I'm running into the problem I have always run into, which is permissions.

I have created the user "ups" and the group "nut" and made
ups a member of that group.

I executed:   ./configure --with-user=ups --with-group=nut --with-usb --with-dev

Looking at the output, I see that it does recognize that I put a user and group
into the command line arg.

Doing a grep for the user and group, I see that it is present in many places as
"RUN_AS_USER = ups" and "RUN_AS_GROUP = nut"

I then executed a make, and sudo make install.

I had thought that giving the user and the group would mean that the
/usr/local/ups/* directories and binaries created by "make install"
would have "nut" as their group, but they don't....they have only
root:root.  Does the group permissions not get set in these directories upon
install?  I thought that was the point of creating the user and group in the
beginning.



Thank you,

Rob Groner

On Feb 17, 2015, at 4:37 PM, Rob Groner <rgroner at RTD.com> wrote:
> I had thought that giving the user and the group would mean that the
/usr/local/ups/* directories and binaries created by "make install"
would have "nut" as their group, but they don't....they have only
root:root.  Does the group permissions not get set in these directories upon
install?  I thought that was the point of creating the user and group in the
beginning.
If you want to lock down the binaries to only be readable/executable by NUT, you
could do that with the group permissions, but since the source code to NUT is
available, I'm not sure what that buys you (unless you are applying
additional transformations on the binaries after installation).

The restricted user/group IDs are primarily to limit the amount of damage that
can be done if someone finds a bug in upsd, upsmon or the driver. These programs
give up root permissions (with the exception of the upsmon parent, which calls
shutdown), so these are the user/group settings that they will use by default.
Also, since the NUT user/group typically does not have write access to USB
nodes, we recommend using udev rules to set the permissions for NUT, which has
the side effect of preventing other non-root processes from meddling with the
UPS.

-- 
Charles Lepple
clepple at gmail

Hmmm...well, let's put it this way.  I'm trying to do the
"right" thing in regards to permissions and access for running NUT and
everything involved with it.  I note in the installation instructions it says
that if you're impatient and want to try starting upsd, upsmon, and drivers
right now, you can use "-u root", but that you should set the correct
permissions later!

I don't fully understand what the correct permissions are, but I had assumed
that it was the reason I had created ups/nut at the beginning.  If adding
"-u root" to each command is bad security policy, then I'd like to
make sure I use a better method.

I've setup NUT several times, and tried following the directions each time,
but no matter what I did...I could not get upsdrvctrl to successfully start
unless I add "-u root" to it (even if I am root when executing the
start command).  The directions don't indicate to do that, so I've
always figured I have permissions incorrect somewhere.  Now I'm finally at
the point where I need to get this right.

Does this revolve around hotplug and udev?  In other words, is the idea that the
created USB device will be in the "nut" group, and thus I'd be
able to tell upsdrvctrl to start if I am user "ups"?   Or do ups/nut
not really play into any of this?

Rob 

> -----Original Message-----
> From: Charles Lepple [mailto:clepple at gmail.com]
> Sent: Tuesday, February 17, 2015 7:26 PM
> To: Rob Groner
> Cc: nut-upsuser List
> Subject: Re: [Nut-upsuser] Install problems (group permissions) with nut
> 2.7.2
> 
> On Feb 17, 2015, at 4:37 PM, Rob Groner <rgroner at RTD.com> wrote:
> 
> > I had thought that giving the user and the group would mean that the
> /usr/local/ups/* directories and binaries created by "make
install" would
> have "nut" as their group, but they don't....they have only
root:root.  Does
> the group permissions not get set in these directories upon install?  I
thought
> that was the point of creating the user and group in the beginning.
> 
> If you want to lock down the binaries to only be readable/executable by
> NUT, you could do that with the group permissions, but since the source
> code to NUT is available, I'm not sure what that buys you (unless you
are
> applying additional transformations on the binaries after installation).
> 
> The restricted user/group IDs are primarily to limit the amount of damage
> that can be done if someone finds a bug in upsd, upsmon or the driver.
> These programs give up root permissions (with the exception of the upsmon
> parent, which calls shutdown), so these are the user/group settings that
they
> will use by default. Also, since the NUT user/group typically does not have
> write access to USB nodes, we recommend using udev rules to set the
> permissions for NUT, which has the side effect of preventing other non-root
> processes from meddling with the UPS.
> 
> --
> Charles Lepple
> clepple at gmail
> 
>

Actually, nevermind....I found an easier way.  This guide is simply going to be
the "quick" way to prove the UPS works, and doing it securely will be
an exercise left to the user.  As long as I put that in bold letters at the top
of the guide, then I don't have a problem just using "-u root"
everywhere.

Rob
> -----Original Message-----
> From: Rob Groner
> Sent: Wednesday, February 18, 2015 10:40 AM
> To: 'Charles Lepple'
> Cc: 'nut-upsuser List'
> Subject: RE: [Nut-upsuser] Install problems (group permissions) with nut
> 2.7.2
> 
> Hmmm...well, let's put it this way.  I'm trying to do the
"right" thing in regards
> to permissions and access for running NUT and everything involved with it. 
I
> note in the installation instructions it says that if you're impatient
and want to
> try starting upsd, upsmon, and drivers right now, you can use "-u
root", but
> that you should set the correct permissions later!
> 
> I don't fully understand what the correct permissions are, but I had
assumed
> that it was the reason I had created ups/nut at the beginning.  If adding
"-u
> root" to each command is bad security policy, then I'd like to
make sure I use
> a better method.
> 
> I've setup NUT several times, and tried following the directions each
time,
> but no matter what I did...I could not get upsdrvctrl to successfully start
> unless I add "-u root" to it (even if I am root when executing
the start
> command).  The directions don't indicate to do that, so I've always
figured I
> have permissions incorrect somewhere.  Now I'm finally at the point
where I
> need to get this right.
> 
> Does this revolve around hotplug and udev?  In other words, is the idea
that
> the created USB device will be in the "nut" group, and thus
I'd be able to tell
> upsdrvctrl to start if I am user "ups"?   Or do ups/nut not
really play into any
> of this?
> 
> Rob
> 
> 
> > -----Original Message-----
> > From: Charles Lepple [mailto:clepple at gmail.com]
> > Sent: Tuesday, February 17, 2015 7:26 PM
> > To: Rob Groner
> > Cc: nut-upsuser List
> > Subject: Re: [Nut-upsuser] Install problems (group permissions) with
> > nut
> > 2.7.2
> >
> > On Feb 17, 2015, at 4:37 PM, Rob Groner <rgroner at RTD.com>
wrote:
> >
> > > I had thought that giving the user and the group would mean that
the
> > /usr/local/ups/* directories and binaries created by "make
install"
> > would have "nut" as their group, but they don't....they
have only
> > root:root.  Does the group permissions not get set in these
> > directories upon install?  I thought that was the point of creating
the user
> and group in the beginning.
> >
> > If you want to lock down the binaries to only be readable/executable
> > by NUT, you could do that with the group permissions, but since the
> > source code to NUT is available, I'm not sure what that buys you
> > (unless you are applying additional transformations on the binaries
after
> installation).
> >
> > The restricted user/group IDs are primarily to limit the amount of
> > damage that can be done if someone finds a bug in upsd, upsmon or the
> driver.
> > These programs give up root permissions (with the exception of the
> > upsmon parent, which calls shutdown), so these are the user/group
> > settings that they will use by default. Also, since the NUT user/group
> > typically does not have write access to USB nodes, we recommend using
> > udev rules to set the permissions for NUT, which has the side effect
> > of preventing other non-root processes from meddling with the UPS.
> >
> > --
> > Charles Lepple
> > clepple at gmail
> >
> >

Rob -
     As another NUT user, I have run with the user/group and never had a 
problem.  Have you either verified/modified the udev scripts on you 
system to create the ups devices as the correct user, or added your user 
to the group which owns the devices created for the UPS?  If not, nut 
will not be able to open them, and will fail to start . . . On my 
system, the ups is serial connected, and thus I have to add my user to 
the "dialout" group . . .

- Tim

On 02/18/2015 03:18 PM, Rob Groner wrote:
> Actually, nevermind....I found an easier way.  This guide is simply going
to be the "quick" way to prove the UPS works, and doing it securely
will be an exercise left to the user.  As long as I put that in bold letters at
the top of the guide, then I don't have a problem just using "-u
root" everywhere.
>
> Rob
>
>> -----Original Message-----
>> From: Rob Groner
>> Sent: Wednesday, February 18, 2015 10:40 AM
>> To: 'Charles Lepple'
>> Cc: 'nut-upsuser List'
>> Subject: RE: [Nut-upsuser] Install problems (group permissions) with
nut
>> 2.7.2
>>
>> Hmmm...well, let's put it this way.  I'm trying to do the
"right" thing in regards
>> to permissions and access for running NUT and everything involved with
it.  I
>> note in the installation instructions it says that if you're
impatient and want to
>> try starting upsd, upsmon, and drivers right now, you can use "-u
root", but
>> that you should set the correct permissions later!
>>
>> I don't fully understand what the correct permissions are, but I
had assumed
>> that it was the reason I had created ups/nut at the beginning.  If
adding "-u
>> root" to each command is bad security policy, then I'd like to
make sure I use
>> a better method.
>>
>> I've setup NUT several times, and tried following the directions
each time,
>> but no matter what I did...I could not get upsdrvctrl to successfully
start
>> unless I add "-u root" to it (even if I am root when
executing the start
>> command).  The directions don't indicate to do that, so I've
always figured I
>> have permissions incorrect somewhere.  Now I'm finally at the point
where I
>> need to get this right.
>>
>> Does this revolve around hotplug and udev?  In other words, is the idea
that
>> the created USB device will be in the "nut" group, and thus
I'd be able to tell
>> upsdrvctrl to start if I am user "ups"?   Or do ups/nut not
really play into any
>> of this?
>>
>> Rob
>>
>>
>>> -----Original Message-----
>>> From: Charles Lepple [mailto:clepple at gmail.com]
>>> Sent: Tuesday, February 17, 2015 7:26 PM
>>> To: Rob Groner
>>> Cc: nut-upsuser List
>>> Subject: Re: [Nut-upsuser] Install problems (group permissions)
with
>>> nut
>>> 2.7.2
>>>
>>> On Feb 17, 2015, at 4:37 PM, Rob Groner <rgroner at RTD.com>
wrote:
>>>
>>>> I had thought that giving the user and the group would mean
that the
>>> /usr/local/ups/* directories and binaries created by "make
install"
>>> would have "nut" as their group, but they
don't....they have only
>>> root:root.  Does the group permissions not get set in these
>>> directories upon install?  I thought that was the point of creating
the user
>> and group in the beginning.
>>> If you want to lock down the binaries to only be
readable/executable
>>> by NUT, you could do that with the group permissions, but since the
>>> source code to NUT is available, I'm not sure what that buys
you
>>> (unless you are applying additional transformations on the binaries
after
>> installation).
>>> The restricted user/group IDs are primarily to limit the amount of
>>> damage that can be done if someone finds a bug in upsd, upsmon or
the
>> driver.
>>> These programs give up root permissions (with the exception of the
>>> upsmon parent, which calls shutdown), so these are the user/group
>>> settings that they will use by default. Also, since the NUT
user/group
>>> typically does not have write access to USB nodes, we recommend
using
>>> udev rules to set the permissions for NUT, which has the side
effect
>>> of preventing other non-root processes from meddling with the UPS.
>>>
>>> --
>>> Charles Lepple
>>> clepple at gmail
>>>
>>>
>
> _______________________________________________
> Nut-upsuser mailing list
> Nut-upsuser at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/nut-upsuser
-- 
Tim Dawson

972-567-9360