Currently, the package builds nut with a default user of uucp. This was introduced in ~2006 (bug 95015), at the point it made sense that some of the devices are connected via serial cables, which are owned by uucp. Today, uucp is no longer bundled with the base system, and the use of devd makes it possible to use much finer-grained access control. Therefore, I'd like to propose that we create a dedicated user for nut but keep the ability to specify NUT_USER/NUT_GROUP for those who do not want to migrate.
Created attachment 239514
Change to dedicated UID/GID

Can you give this a try, please?
Created attachment 239515
Use this instead

Forgot to git add nut-devel prior to commit. Try this one instead.
(In reply to Cy Schubert from comment #2)

Thanks! I've tested and the patch worked (except it didn't create the user / group). I think you can add something like:

%%%
USERS=	${NUT_USER}
GROUPS=	${NUT_GROUP}
%%%

in the Makefiles, so the users would be created at install time?

BTW if I were you, I'd probably use '_nut' (or maybe '_ups', which can be used by other UPS related software, just an idea) as the name for both user and group. This indicates that it's an unprivileged system user. This is not currently a strictly followed naming convention in FreeBSD, but I feel it is a good style to avoid conflicting with user's settings, for example, there may be an existing user whose user name was 'nut', after all, it's 3 characters and there is a chance it's already used somewhere.

Created attachment 239516
Also create nut users

This patch adds user creation.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=02c038c8cc15469c27b4b8ec24ae8b75d587262f

commit 02c038c8cc15469c27b4b8ec24ae8b75d587262f
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2023-01-16 22:00:46 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2023-01-17 21:12:13 +0000

    sysutils/nut*: Use a dedicated UID and GID

    To reduce conflicts with other packages and improve security, avoid using the uucp UID and GID. This avoids potential conflicts with the net/freebsd-uucp port. Users who wish to continue using the uucp user and group may add NUT_USER=uucp and NUT_GROUP=uucp to their make.conf.

    PR:          268960
    Reported by: delphij
    MFH:         2023Q1

 GIDs                        | 2 +-
 UIDs                        | 2 +-
 UPDATING                    | 8 ++++++++
 sysutils/nut-devel/Makefile | 8 +++++---
 sysutils/nut/Makefile       | 8 +++++---
 5 files changed, 20 insertions(+), 8 deletions(-)

Please add something like this to UPDATING: if you have a USB management UPS, then you need to fix permissions on /dev/usb/$cdev: chgrp nut /dev/$cdev or "replug" the USB cable.
(In reply to VVD from comment #6) Restarting devd before restarting nut will suffice.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=b11d3d797387ec42bfb6c17d98608a45f50213d1

commit b11d3d797387ec42bfb6c17d98608a45f50213d1
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2023-01-18 01:03:49 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2023-01-18 01:07:57 +0000

    UPDATING: Add comment about restarting devd

    Restarting devd will adjust UPS USB devices to their new UID/GID. This must be performed prior to restarting nut following an upgrade.

    PR:          268960
    Reported by: vvd@unislabs.com
    Fixes:       02c038c8cc15469c27b4b8ec24ae8b75d587262f

 UPDATING | 4 ++++
 1 file changed, 4 insertions(+)

One more issue, but with serial UPSes now:

Unable to open /dev/cuau0: Permission denied
Current user id: nut (316)
Serial port owner: uucp (66)
Serial port group: dialer (68)
Mode of port: 0660

# ls -l /dev/cuau0*
crw-rw---- 1 uucp dialer - 0x48 22 янв. 22:51:14 2023 /dev/cuau0
crw-rw---- 1 uucp dialer - 0x49 19 янв. 20:09:43 2023 /dev/cuau0.init
crw-rw---- 1 uucp dialer - 0x4a 19 янв. 20:09:43 2023 /dev/cuau0.lock

After chown /dev/cuau0*:

Can't uu_lock cuau0: creat error: Permission denied

# ls -ld /var/spool/lock
drwxrwxr-x 2 uucp dialer 3 Jan 22 22:50 /var/spool/lock

Probably the solution is to add user nut into group dialer if option SERIAL is on.

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=48b7e2243a83011bce087ffb12932579312d0aa3

commit 48b7e2243a83011bce087ffb12932579312d0aa3
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2023-01-23 14:55:15 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2023-01-23 16:31:29 +0000

    sysutils/nut*: Fix group for serial UPS users.

    02c038c8cc15, though more secure, broke access to serial devices for users of serial UPS devices. Add the nut user to the dialer group.

    PR:          268960
    Reported by: vvd@unislabs.com
    Fixes:       02c038c8cc15

 sysutils/nut-devel/Makefile               | 3 ++-
 sysutils/nut-devel/pkg-post-install (new) | 3 +++
 sysutils/nut/Makefile                     | 4 ++--
 sysutils/nut/pkg-post-install (new)       | 3 +++
 4 files changed, 10 insertions(+), 3 deletions(-)

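
The serial-port failures reported above, and why dialer membership resolves both of them, worked through as an added example that is not part of the original thread or of the nut port. The owners, groups and modes are the ones quoted in the report; the nut GID of 316 is an assumption (only the UID is shown), and `Node`, `allowed` and `serial_access` are hypothetical helper names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    owner: int   # owning UID
    group: int   # owning GID
    mode: int    # permission bits, e.g. 0o660

def allowed(uid, gids, node, want):
    """Unix DAC check for a non-root user; want is an rwx mask (4=r, 2=w, 1=x).

    Exactly one class applies: owner, else group, else other. A user who is
    the owner gets the owner bits even if the group bits would grant more.
    """
    if uid == node.owner:
        bits = (node.mode >> 6) & 7
    elif node.group in gids:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want

# IDs and modes quoted in the report; NUT_GID is an assumption.
UUCP, DIALER, NUT_UID, NUT_GID = 66, 68, 316, 316
PORT = Node(UUCP, DIALER, 0o660)      # /dev/cuau0
LOCKDIR = Node(UUCP, DIALER, 0o775)   # /var/spool/lock

def serial_access(uid, gids, port=PORT, lockdir=LOCKDIR):
    """What a serial UPS driver needs: open the port read/write, and create
    a lock file, which takes write plus search permission on the lock dir."""
    return {
        "open_port": allowed(uid, gids, port, 6),
        "create_lock": allowed(uid, gids, lockdir, 3),
    }

def scenarios():
    chowned_port = Node(NUT_UID, DIALER, 0o660)   # after chown of /dev/cuau0*
    return {
        "dedicated user, no extra group": serial_access(NUT_UID, {NUT_GID}),
        "port chowned to nut": serial_access(NUT_UID, {NUT_GID}, port=chowned_port),
        "nut added to dialer": serial_access(NUT_UID, {NUT_GID, DIALER}),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Changing the device owner only fixes the open; the lock directory still denies the create, which matches the second error in the report, while group membership covers both without touching device ownership.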