[Bug 235653] Re: [SRU] ACL covering all IPv4 addresses is broken in 2.2.1

Charles Lepple clepple at gmail.com
Mon Aug 25 18:01:27 BST 2008

On Fri, Aug 22, 2008 at 6:26 PM, Steve Langasek wrote:
> So since denying appears to be the default, it seems that the only case
> broken by this is giving all IP addresses access to nut.  Is this ever
> really a good idea?  Or have I overlooked some other reason that this
> makes sense?


Sorry to jump in again, but I know that a lot of sysadmins prefer to
centralize their access control rules at the OS level, rather than
deal with the nuances of each application's ACLs. In that situation,
an all-open ACL is acceptable, since the OS (in this case,
iptables/netfilter) would have finer-grained control.

Note also that newer versions of NUT are dropping ACLs in favor of
binding to interfaces (with a failsafe default of not binding to any
interfaces automatically). I believe the rationale was that by binding
to a specific interface, there is no chance for someone to exploit any
potential holes in the NUT ACL code.

Hope that helps.

- Charles Lepple

You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nut in ubuntu.
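
An added illustration of the interface-binding point in the message above (not part of the original message and not NUT code): when a listener is bound to one address, the kernel refuses connections aimed at any other address, so no application-level ACL code ever sees them. The helper name `reachable` is hypothetical, and 127.0.0.2 stands in for a second interface, which assumes Linux, where all of 127.0.0.0/8 is on loopback.

```python
import socket


def reachable(bind_addr: str, connect_addr: str) -> bool:
    """Listen on bind_addr (ephemeral port), then report whether a TCP
    connection to connect_addr on that port is accepted by the kernel."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind((bind_addr, 0))      # port 0: let the kernel pick a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        cli.settimeout(2)
        cli.connect((connect_addr, port))
        return True                   # handshake completed, daemon would see it
    except OSError:
        return False                  # refused in the kernel, daemon never sees it
    finally:
        cli.close()
        srv.close()


if __name__ == "__main__":
    # Constructed cases: 127.0.0.1 plays the "management" interface,
    # 127.0.0.2 plays any other interface on the same host.
    cases = [
        ("0.0.0.0", "127.0.0.1"),    # wildcard bind: reachable everywhere,
        ("0.0.0.0", "127.0.0.2"),    # so the application ACL is the only filter
        ("127.0.0.1", "127.0.0.1"),  # specific bind: reachable on that address
        ("127.0.0.1", "127.0.0.2"),  # specific bind: refused on other addresses
    ]
    for bind_addr, connect_addr in cases:
        result = "accepted" if reachable(bind_addr, connect_addr) else "refused"
        print(f"bound to {bind_addr:<9} connect to {connect_addr:<9} -> {result}")
```
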
