Network UPS Tools User Manual

Network UPS Tools User Manual 46 / 84
9.5.7 Conclusion
SSL support should be considered stable but purposely under-documented since various bits of the implementation or configuration
may change in the future. In other words, if you use this and it stops working after an upgrade, come back to this file to find
out what changed.
This is why the other documentation doesn’t mention any of these directives yet. SSL support is a treat for those of you that
RTFM.
There are also potential licensing issues for people who ship binary packages since NUT is GPL and OpenSSL is not compatible
with it. You can still build and use it yourself, but you can’t distribute the results of it. Or maybe you can. It depends on what
you consider "essential system software", and some other legal junk that we’re not going to touch.
Other packages have solved this by explicitly stating that an exception has been granted. That is (purposely) impossible here,
since NUT is the combined effort of many people, and all of them would have to agree to a license change. This is actually a
feature, since it means nobody can unilaterally run off with the source - not even the NUT team.
Note that the replacement of OpenSSL by Mozilla Network Security Services (NSS) should avoid the above licensing issues.
9.6 chrooting and other forms of paranoia
It has been possible to run the drivers and upsd in a chrooted jail for some time, but it involved a number of evil hacks. From the
1.3 series, a much saner chroot behavior exists, using BIND 9 as an inspiration.
The old way involved creating an entire tree, complete with libraries, a shell (!), and many auxiliary files. This was hard to
maintain and could have become an interesting playground for an intruder. The new way is minimal, and leaves little in the way
of usable materials within the jail.
This document assumes that you already have created at least one user account for the software to use. If you’re still letting it
fall back on "nobody", stop right here and go figure that out first. It also assumes that you have everything else configured and
running happily all by itself.
9.6.1 Generalities
Essentially, you need to create your configuration directory and state path in their own little world, plus a special device or two.
For the purposes of this example, the chroot jail is /chroot/nut. The programs have been built with the default prefix, so they are
using /usr/local/ups. First, create the confpath and bring over a few files.
mkdir -p /chroot/nut/usr/local/ups/etc
cd /chroot/nut/usr/local/ups/etc
cp -a /usr/local/ups/etc/upsd.users .
cp -a /usr/local/ups/etc/upsd.conf .
cp -a /usr/local/ups/etc/ups.conf .
We’re using cp -a to maintain the permissions on those files.
Now bring over your state path, maintaining the same permissions as before.
mkdir -p /chroot/nut/var/state
cp -a /var/state/ups /chroot/nut/var/state
Next we must put /etc/localtime inside the jail, or you may get very strange readings in your syslog. You’ll know you have this
problem if upsd shows up as UTC in the syslog while the rest of the system doesn’t.
mkdir -p /chroot/nut/etc
cp /etc/localtime /chroot/nut/etc
Note that this is not "cp -a", since we want to copy the content, not the symlink that it may be on some systems.
Finally, create a tiny bit of /dev so the programs can enter the background properly - they redirect fds into the bit bucket to make
sure nothing else grabs 0-2.