[Bug 235653] Re: [SRU] ACL covering all IPv4 addresses is broken in 2.2.1

Charles Lepple clepple at gmail.com
Wed Aug 27 01:37:20 BST 2008


On Aug 26, 2008, at 8:11 PM, Steve Langasek wrote:

> Hi Charles,
>
> Well, most sysadmins that I know, including the sysadmin that is  
> me :),
> prefer security in depth and don't want an either-or choice between
> application-level and system-level ACLs.

Understood, but at the very least, application-level ACLs are  
probably better handled by something like libwrap, with a common  
syntax, and a more thoroughly-inspected codebase. We don't want to  
lull users into thinking that the NUT ACLs are a complete replacement  
for firewall rules.

>> Note also that newer versions of NUT are dropping ACLs in favor of
>> binding to interfaces (with a failsafe default of not binding to any
>> interfaces automatically). I believe the rationale was that by  
>> binding
>> to a specific interface, there is no chance for someone to exploit  
>> any
>> potential holes in the NUT ACL code.
>
> That's not a meaningful solution for users who want to allow remote  
> access
> from certain addresses and only have one interface.


This is starting to stray from the original issue in this bug  
regarding 2.2.1. I don't want to misrepresent the intentions of the  
rest of the NUT team - do you mind if I quote this message and some  
history on the NUT developer list, and CC you?

-- 
[SRU] ACL covering all IPv4 addresses is broken in 2.2.1
https://bugs.launchpad.net/bugs/235653
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nut in ubuntu.



More information about the Ubuntu-server-bugs mailing list