Comment 10 for bug 235653

Charles Lepple (clepple) wrote : Re: [Bug 235653] Re: [SRU] ACL covering all IPv4 addresses is broken in 2.2.1

On Fri, Aug 22, 2008 at 6:26 PM, Steve Langasek wrote:
> So since denying appears to be the default, it seems that the only case
> broken by this is giving all IP addresses access to nut. Is this ever
> really a good idea? Or have I overlooked some other reason that this
> makes sense?

Steve,

Sorry to jump in again, but I know that a lot of sysadmins prefer to
centralize their access control rules at the OS level, rather than
deal with the nuances of each application's ACLs. In that situation,
an all-open ACL is acceptable, since the OS (in this case,
iptables/netfilter) would have finer-grained control.

Note also that newer versions of NUT are dropping ACLs in favor of
binding to interfaces (with a failsafe default of not binding to any
interfaces automatically). I believe the rationale was that by binding
to a specific interface, there is no chance for someone to exploit any
potential holes in the NUT ACL code.

Hope that helps.

--
- Charles Lepple