Nut upsuser - Feb 2009 - RFC: Use tcp-wrapper for all connections to upsd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

after some experimenting and digging through the code i found no solution 
how to completely disable access to upsd from specific hosts.
In previous versions (before r1233) it was possible to allow or deny 
access to upsd completely by using ACL, ACCEPT and REJECT entries in 
upsd.conf. As this functionality was removed and tcp-wrappers support was 
introduced i thought it would be possible to use some rules in hosts.allow 
to get the same functionality as before. Unfortunately, thats not the 
case.
Only authenticated commands like SET or INSTCMD are protected by 
tcp-wrappers, all other commands like GET or LIST can be used from 
everywhere by everyone which is IMO a regression.

For me, the right solution would be to protect all incoming connections by 
tcp-wrappers.

What do others think about this?

Kind regards
Joerg

- -- 
The beginning is the most important part of the work.
 				-Plato
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)

iD8DBQFJpnrkSPOsGF+KA+MRAl5qAJ4giiMOPNrSjAnI3p7Fa0NHSLCSbQCgjJBr
kTpLEuSEJJAKdLutFMZxmFE=DBDA
-----END PGP SIGNATURE-----

Citeren Joerg Pulz <Joerg.Pulz op frm2.tum.de>:
> after some experimenting and digging through the code i found no solution
> how to completely disable access to upsd from specific hosts.
On multi-homed servers the LISTEN directive will deal with this, by  
only listening on interfaces from which clients are allowed to  
connect. If this isn't fine grained enough, your firewall will keep  
out unwanted connections much more efficiently than tcp-wrappers (or  
the now obsolete ACL mechanism) ever will.
> In previous versions (before r1233) it was possible to allow or deny
> access to upsd completely by using ACL, ACCEPT and REJECT entries in
> upsd.conf. As this functionality was removed and tcp-wrappers support was
> introduced i thought it would be possible to use some rules in hosts.allow
> to get the same functionality as before. Unfortunately, thats not the
> case.
This is by design.
> Only authenticated commands like SET or INSTCMD are protected by
> tcp-wrappers, all other commands like GET or LIST can be used from
> everywhere by everyone which is IMO a regression.
>
> For me, the right solution would be to protect all incoming connections by
> tcp-wrappers.
Using tcp-wrappers for source address access control alone is a *huge*  
waste of effort, therefor NUT no longer supports this.
> What do others think about this?
The tcp-wrappers support in NUT is only meant to deal with the case  
where you want to allow access for certain users from a specific set  
of machines (for instance, administrative access). This means we  
require the username and password, hence this only works for commands  
that require to be logged into the server.

The previous ACL mechanism was too inefficient (in terms of resources)  
to be really useful in countering attacks on the server. By the time  
the decision to allow or deny a client access was made, most of the  
effort that was needed to process the incoming connection would  
already have been spent, so there really wasn't that much to gain  
anymore (other than restrict clients to see what is going on on the  
server). This is the reason we dropped the ACL mechanism.

Best regards, Arjen
-- 
Please keep list traffic on the list