On Aug 26, 2008, at 8:11 PM, Steve Langasek wrote:

> Hi Charles,
>
> Well, most sysadmins that I know, including the sysadmin that is me :),
> prefer security in depth and don't want an either-or choice between
> application-level and system-level ACLs.

Understood, but at the very least, application-level ACLs are  
probably better handled by something like libwrap, with a common  
syntax, and a more thoroughly-inspected codebase. We don't want to  
lull users into thinking that the NUT ACLs are a complete replacement  
for firewall rules.

>> Note also that newer versions of NUT are dropping ACLs in favor of
>> binding to interfaces (with a failsafe default of not binding to any
>> interfaces automatically). I believe the rationale was that by binding
>> to a specific interface, there is no chance for someone to exploit any
>> potential holes in the NUT ACL code.
>
> That's not a meaningful solution for users who want to allow remote access
> from certain addresses and only have one interface.


This is starting to stray from the original issue in this bug  
regarding 2.2.1. I don't want to misrepresent the intentions of the  
rest of the NUT team - do you mind if I quote this message and some  
history on the NUT developer list, and CC you?

-- 
[SRU] ACL covering all IPv4 addresses is broken in 2.2.1
https://bugs.launchpad.net/bugs/235653