On Wed, Aug 27, 2008 at 12:37:20AM -0000, Charles Lepple wrote:
> > Well, most sysadmins that I know, including the sysadmin that is
> > me :), prefer security in depth and don't want an either-or choice
> > between application-level and system-level ACLs.

> Understood, but at the very least, application-level ACLs are
> probably better handled by something like libwrap, with a common
> syntax, and a more thoroughly-inspected codebase. We don't want to
> lull users into thinking that the NUT ACLs are a complete replacement
> for firewall rules.

Well, that's fine (though I think any user who concludes that an application-level ACL implementation is a complete replacement for firewall rules has really not been paying attention); but I don't think philosophical points about whether the ACL feature should be used are a very strong justification for a stable release update.

> > That's not a meaningful solution for users who want to allow remote
> > access from certain addresses and only have one interface.

> This is starting to stray from the original issue in this bug
> regarding 2.2.1. I don't want to misrepresent the intentions of the
> rest of the NUT team - do you mind if I quote this message and some
> history on the NUT developer list, and CC you?

Yes, that's fine.

On Tue, Sep 02, 2008 at 01:14:11PM -0000, Arnaud Quette wrote:
> about the NUT ACL removal, the idea is simply that it's better managed
> by a central system like the firewall, which offers more features in a
> central point.

That is contrary to the best practices security model relied upon by nearly all network servers. I don't think that's an improvement, really; but that's fairly off-topic for this bug report.

Anyway, based on the evidence I stand by the conclusion that the impact of this bug is not severe enough to warrant an SRU; I'm rejecting the upload from the queue now.

** Changed in: nut (Ubuntu Hardy)
       Status: New => Won't Fix

--
[SRU] ACL covering all IPv4 addresses is broken in 2.2.1
https://bugs.launchpad.net/bugs/235653
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nut in ubuntu.