[Bug 235653] Re: [SRU] ACL covering all IPv4 addresses is broken in 2.2.1

Steve Langasek steve.langasek at canonical.com
Tue Sep 16 19:06:50 BST 2008


On Wed, Aug 27, 2008 at 12:37:20AM -0000, Charles Lepple wrote:
> > Well, most sysadmins that I know, including the sysadmin that is me :),
> > prefer security in depth and don't want an either-or choice between
> > application-level and system-level ACLs.

> Understood, but at the very least, application-level ACLs are  
> probably better handled by something like libwrap, with a common  
> syntax, and a more thoroughly-inspected codebase. We don't want to  
> lull users into thinking that the NUT ACLs are a complete replacement  
> for firewall rules.

Well, that's fine (though I think any user who concludes that an
application-level ACL implementation is a complete replacement for firewall
rules has really not been paying attention); but I don't think philosophical
points about whether the ACL feature should be used are a very strong
justification for a stable release update.

> > That's not a meaningful solution for users who want to allow remote  
> > access from certain addresses and only have one interface.

> This is starting to stray from the original issue in this bug  
> regarding 2.2.1. I don't want to misrepresent the intentions of the  
> rest of the NUT team - do you mind if I quote this message and some  
> history on the NUT developer list, and CC you?

Yes, that's fine.

On Tue, Sep 02, 2008 at 01:14:11PM -0000, Arnaud Quette wrote:

> about the NUT ACL removal, the idea is simply that it's better managed
> by a central system like the firewall, which offers more features in a
> central point.

That is contrary to the best practices security model relied upon by nearly
all network servers.  I don't think that's an improvement, really; but
that's fairly off-topic for this bug report.

Anyway, based on the evidence I stand by the conclusion that the impact of
this bug is not severe enough to warrant an SRU; I'm rejecting the upload
from the queue now.

** Changed in: nut (Ubuntu Hardy)
       Status: New => Won't Fix

-- 
[SRU] ACL covering all IPv4 addresses is broken in 2.2.1
https://bugs.launchpad.net/bugs/235653