[nut-Patches][303621] Security NUT. Bad nut user creation
nut-patches at alioth.debian.org
nut-patches at alioth.debian.org
Fri Feb 12 14:27:33 UTC 2010
Patches item #303621, was changed at 2006-07-05 13:18 by Arjen de Korte
You can respond by visiting:
https://alioth.debian.org/tracker/?func=detail&atid=411544&aid=303621&group_id=30602
>Status: Closed
Priority: 3
Submitted By: Jonathan Dion (lyrgard-guest)
Assigned to: Nobody (None)
Summary: Security NUT. Bad nut user creation
Category: None
Group: None
>Resolution: Wont Fix
Initial Comment:
I though of a security problem that could occur is nut's users are badly created.
nut users are means to be used only by the system and shouldn't have a shell. If a nut user happen to log in a shell, he could then read all the config files, including password file and thus know nut's admin password.
I didn't see a warning about that in the documentations or the man pages. I think it should be one, in case someone manually created on his or her system an user who belong to the nut group and let it the possibility to log in a shell.
Just a warning to verify that system's users that belong to the nut group cannot log in a shell will do.
It happened to me, si I think it can happen to someone else.
Perhaps in the script that normally create the nut user and group when they don't exist, if they exist the script should verify this point and at least show a warning if needed.
----------------------------------------------------------------------
>Comment By: Arjen de Korte (adkorte-guest)
Date: 2010-02-12 15:27
Message:
This is something that should be fixed by packagers. The documentation we provide suggests safe settings, we can't do anything about it if people don't follow this advice.
----------------------------------------------------------------------
You can respond by visiting:
https://alioth.debian.org/tracker/?func=detail&atid=411544&aid=303621&group_id=30602
More information about the NUT-tracker
mailing list