Bug 81524 - [PATCH] NUT runs as 'nobody' - requires 'nobody' be given privs
[PATCH] NUT runs as 'nobody' - requires 'nobody' be given privs
Product: Red Hat Raw Hide
Classification: Retired
Component: nut (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Ngo Than
Brian Brock
: Security
Depends On:
  Show dependency treegraph
Reported: 2003-01-09 22:34 EST by Andrew Bartlett
Modified: 2007-04-18 12:49 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2003-02-11 17:54:42 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch to correct these issues (2.30 KB, patch)
2003-01-09 23:03 EST, Andrew Bartlett
no flags Details | Diff

  None (edit)
Description Andrew Bartlett 2003-01-09 22:34:04 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.6 (X11; Linux i686; U;) Gecko/20020913

Description of problem:
The NUT UPS tools require that the 'nobody' user - used for various untrusted
servies to prevent breakin - be given privilages.

In pariticular NUT requires thet the serial line be owned or group writeable by
this untrusted user.  

Instead, NUT should be configured to use it's own user (preventing 
a malicious 'nobody' program from killing it etc) and be group 'uucp'
for access to the serial line

(This will allow the UPS to function with just config file setup, not
changes to /dev)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install NUT
2. Configure
3. Attempt to start

Actual Results:  NUT reqesting that an unprivaged user, used by programs that
want to
give up privilages, be given privages that would allow (say) a mallilous poweroff

Expected Results:  NUT to function with existing permissions

Additional info:

Once I fixed the spec file (as per patch) it works quite well.

Patch also corrects an issue at shutdown - the OPTIONS is not used.
Comment 1 Andrew Bartlett 2003-01-09 23:03:48 EST
Created attachment 89278 [details]
Patch to correct these issues

This patch corrects the issues mentioned in this bug.

The patch is slightly munged - I removed the uid number for the 'ups' user.  
Please replace ??? with a validly allocated UID.

Andrew Bartlett
Comment 2 Ngo Than 2003-02-11 17:54:42 EST
1.2.0-5 has this fix. Thanks for your infos.

bbrock: could you please test it again, if it's really fixed. I don't have
hardware for testing. Thanks

Note You need to log in before you can comment on or make changes to this bug.