As a follow-up to the discussion here, libwrap replaces the old NUT ACL
functionality in the upcoming nut-2.4.0 release. This provides
application-level connection filtering using a fairly well-known ACL
syntax.
--
[SRU] ACL covering all IPv4 addresses is broken in 2.2.1
On Wed, Aug 27, 2008 at 12:37:20AM -, Charles Lepple wrote:
Well, most sysadmins that I know, including the sysadmin that is
me :),
prefer security in depth and don't want an either-or choice between
application-level and system-level ACLs.
Understood, but at the very least,
Hi there,
2008/8/27 Charles Lepple:
On Aug 26, 2008, at 8:11 PM, Steve Langasek wrote:
...
This is starting to stray from the original issue in this bug
regarding 2.2.1. I don't want to misrepresent the intentions of the
rest of the NUT team - do you mind if I quote this message and some
Hi Charles,
Well, most sysadmins that I know, including the sysadmin that is me :),
prefer security in depth and don't want an either-or choice between
application-level and system-level ACLs.
Note also that newer versions of NUT are dropping ACLs in favor of
binding to interfaces (with a
On Aug 26, 2008, at 8:11 PM, Steve Langasek wrote:
Hi Charles,
Well, most sysadmins that I know, including the sysadmin that is
me :),
prefer security in depth and don't want an either-or choice between
application-level and system-level ACLs.
Understood, but at the very least,
On Fri, Aug 22, 2008 at 6:26 PM, Steve Langasek wrote:
So since denying appears to be the default, it seems that the only case
broken by this is giving all IP addresses access to nut. Is this ever
really a good idea? Or have I overlooked some other reason that this
makes sense?
Steve,
Hi Chuck,
I have doubts whether this particular bug warrants an update. My
understanding from reading the patch is that the reason the acl fails to
work as intended is not because the sense of the acl is inverted, but
because the acl matches no addresses instead of all addresses.
So since
Impact: Nut was shipped with a bug that causes the reverse intention
when using ipv4 acls. In this case, instead of accepting the connections
it rejects them.
STEPS TO REPRODUCE:
1. See above.
I have attached the debdiff which fixes this issue. If you have any
questions please feel free to