Network UPS Tools User Manual
9.2 System level privileges and ownership
All configuration files should be protected so that the world can’t read them. Use the following commands to accomplish this:
    chown root:nut /etc/nut/*
    chmod 640 /etc/nut/*
Finally, the state path directory, which holds the communication between the driver(s) and upsd, should also be secured.
    chown root:nut /var/state/ups
    chmod 0770 /var/state/ups
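
To confirm that the ownership and modes above are actually in place (upsd.users stores passwords in plain text), the following added example, which is not part of the NUT manual, audits a configuration directory and the state path. The function names check_path and audit_nut are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit NUT config files and state path against the
# ownership and modes given in section 9.2. Assumes GNU stat (stat -c).

# check_path PATH OWNER GROUP MODE
# Prints one line per deviation; returns 1 if PATH deviates, 0 otherwise.
check_path() {
    path=$1; want_owner=$2; want_group=$3; want_mode=${4#0}
    # %U = owner name, %G = group name, %a = octal mode (no leading zero)
    actual=$(stat -c '%U %G %a' -- "$path" 2>/dev/null) || {
        echo "$path: cannot stat"; return 1; }
    set -- $actual
    rc=0
    if [ "$1" != "$want_owner" ] || [ "$2" != "$want_group" ]; then
        echo "$path: owner $1:$2, expected $want_owner:$want_group"; rc=1
    fi
    if [ "$3" != "$want_mode" ]; then
        echo "$path: mode $3, expected $want_mode"; rc=1
    fi
    return $rc
}

# audit_nut CONF_DIR STATE_DIR [OWNER] [GROUP]
# Config files must be OWNER:GROUP 640, the state directory OWNER:GROUP 0770.
# Returns 0 only when nothing deviates.
audit_nut() {
    conf_dir=$1; state_dir=$2; owner=${3:-root}; group=${4:-nut}
    failures=0
    for f in "$conf_dir"/*; do
        [ -f "$f" ] || continue
        check_path "$f" "$owner" "$group" 640 || failures=$((failures + 1))
    done
    check_path "$state_dir" "$owner" "$group" 0770 || failures=$((failures + 1))
    [ "$failures" -eq 0 ]
}

# Stand-alone use: sh audit.sh /etc/nut /var/state/ups
if [ "$#" -ge 2 ]; then audit_nut "$@"; fi
```

A non-zero exit status means at least one path deviates, so the script can be run from cron or a configuration-management check.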
9.3 NUT level user privileges
Administrative commands such as setting variables and the instant commands are powerful, and access to them needs to be restricted.
NUT provides an internal mechanism to do so, through upsd.users(5).
This file defines who may access instant commands and settings, and what is available.
During the initial NUT user creation, we have created a monitoring user for upsmon.
You can also create an administrator user with full power using:
    [administrator]
    password = mypass
    actions = set
    instcmds = all
For more information on how to restrict actions and instant commands, refer to the upsd.users(5) manual page.
Note
NUT administrative user definitions should be used in conjunction with TCP Wrappers.
9.4 Network access control
If you are not using NUT on a standalone setup, you will need to enforce network access control for upsd.
There are various ways to do so.
9.4.1 NUT LISTEN directive
upsd.conf(5).
LISTEN interface port
Bind a listening port to the interface specified by its Internet address. This may be useful on hosts with multiple interfaces. You should not rely exclusively on this for security, as it can be subverted on many systems.
Listen on TCP port port instead of the default value which was compiled into the code. This overrides any value you may have set with configure --with-port. If you don’t change it with configure or this value, upsd will listen on port 3493 for this interface.
Multiple LISTEN addresses may be specified. The default is to bind to 127.0.0.1 if no LISTEN addresses are specified (and ::1 if IPv6 support is compiled in).