Currently NUT daemons simply warn about world-readable files with potentially secret data (like `upsd.users` or `upsmon.conf` with clear-text passwords, or driver-server socket files).
This proposal is to add an option to enable/disable (eventually enable by default?) aborting daemon startup until such security issues are addressed.
Eventually this should probably include private key files for SSL (although they are protected with a passphrase... stored in NUT config files).
Involve strictness levels, e.g. to also check that no configs/scripts/... are writable by the run-time user account (not only files relevant for the daemon, but all of them since different daemons may run as different accounts)?
Perhaps make some of it a separate pre-flight check program/script that SMF/systemd methods or init scripts can invoke...
Loosely related to #3411 (refusing anonymous reads), and to #3331 and #3329 (as far as requiring that everyone talks SSL, at least when built with NSS or OpenSSL backends that are now equally capable).
`nutauth.conf` from "Feature request: more NUT clients should be SSL-capable with proper certificate trust and all" #3329
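A sketch of the pre-flight check proposed above, written as a shell function that an init script or service unit could call before starting a daemon. This is an added example, not part of the original issue or of NUT's code: the function name `nut_preflight`, the three strictness levels, and the choice to inspect only `upsd.users` and `upsmon.conf` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not NUT code).
# nut_preflight CONFDIR [STRICT] [RUNUSER]
#   STRICT=0  report findings but allow startup (today's warn-only behaviour)
#   STRICT=1  refuse startup if a secret-bearing file is world-readable
#   STRICT=2  additionally refuse if any file under CONFDIR is writable by
#             "other" or is owned by and writable for RUNUSER
#   RUNUSER   name or numeric uid of the daemon's run-time account
#             (assumed default: the invoking account)
# Findings are printed one per line; return status 0 means "may start".
nut_preflight() {
    confdir=$1; strict=${2:-0}; runuser=${3:-$(id -u)}
    bad=0
    for name in upsd.users upsmon.conf; do
        f="$confdir/$name"
        [ -e "$f" ] || continue
        # -perm -004 matches when the "other" read bit is set;
        # -L follows a symlink so the target's mode is what gets judged.
        if [ -n "$(find -L "$f" -prune -perm -004)" ]; then
            echo "world-readable: $f"
            bad=1
        fi
    done
    if [ "$strict" -ge 2 ]; then
        # Mode-bit test only: it reports what the permission bits grant,
        # independent of which account runs this check.
        writable=$(find "$confdir" -type f \
            \( -perm -002 -o \( -user "$runuser" -perm -200 \) \))
        if [ -n "$writable" ]; then
            printf '%s\n' "$writable" | sed 's/^/writable by run-time user: /'
            bad=1
        fi
    fi
    # Level 0 never blocks; higher levels block on any finding.
    [ "$strict" -eq 0 ] || [ "$bad" -eq 0 ]
}

# Example call from a start script (path and account name are placeholders):
#   nut_preflight /path/to/nut/conf 1 nut || exit 1
```
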