MainInclusionReportNut

Revision 4 as of 2008-08-06 16:28:51

Main Inclusion Report for sourcepackage

Requirements

  1. Availability: http://archive.ubuntu.com/ubuntu/pool/universe/n/nut; available for all supported architectures.

  2. Rationale:

  3. Security:

    • CVE entries: none

    • Secunia history: none

    • Any binaries running as root or suid/sgid ? Any daemons ?
      • Restricted to the bare minimum. There are 3 daemons (upsd: data server; upsmon: event notification and actions; drivers) and a set of utilities. Only 1 of the 2 upsmon instances runs as root, so that it can shut down the system. Note that a solution exists to avoid root privileges completely (search for "Completely unprivileged upsmon").

    • Network activity: does it open any port ? Does it handle incoming network data ?
      • Yes. It's a client/server based set of tools. The port (3493) is registered with IANA and listed in /etc/services.
    • High level source code review performed by JamieStrandboge

      • confirmed that upsd and the ups drivers drop privileges in default installation. They do so in a sane way
      • upsmon is privilege separated in default installation, with the parent reading a single character from the child via a pipe. Privilege separation and dropping of privileges are done in a sane way
      • bug #182790 has information on further securing nut

      • since the nut tools run with minimal privileges, and have a good security history, there are no huge concerns. That said, a thorough audit for format string vulnerabilities might prove enlightening. The following functions all take a 'fmt' as an argument: upslog_with_errno(), upslogx(), upsdebug_with_errno(), upsdebugx(), vfatal(), fatal_with_errno(), fatalx(). Performing the following will show how many places to start to look to verify 'fmt' is not user-manipulable (there are a lot):

        for i in vupslog upslog_with_errno upslogx upsdebug_with_errno upsdebugx vfatal fatal_with_errno fatalx; do echo "$i"; grep -r -c "$i" ./* | grep -v ':0$' | grep '\.c:'; done
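
One way to narrow that audit, added here as an example and not part of the original report or of the nut source: the Python script below parses each call to the helpers listed above (multi-line calls included) and reports only those whose format argument is not a string literal. It assumes fmt is the first or second argument of each helper, and SAMPLE is constructed input.

```python
import re

# The logging helpers named in the review; each takes a printf-style 'fmt'.
CALL_RE = re.compile(r"\b(vupslog|upslog_with_errno|upslogx|upsdebug_with_errno|"
                     r"upsdebugx|vfatal|fatal_with_errno|fatalx)\s*\(")

def split_args(src, pos):
    """Split the argument list that starts right after '(' into top-level args."""
    args, cur, depth, i = [], [], 0, pos
    while i < len(src):
        c = src[i]
        if c in "\"'":  # copy a string/char literal whole, honouring escapes
            j = i + 1
            while j < len(src) and src[j] != c:
                j += 2 if src[j] == "\\" else 1
            cur.append(src[i:j + 1])
            i = j + 1
            continue
        if c == ")" and depth == 0:
            return args + ["".join(cur).strip()]
        if c == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            depth += (c == "(") - (c == ")")
            cur.append(c)
        i += 1
    return None  # unbalanced parentheses (truncated input)

def needs_review(src):
    """Return (line, function, args) for calls whose fmt is not a string literal."""
    hits = []
    for m in CALL_RE.finditer(src):
        args = split_args(src, m.end())
        if args is None or any(a == "..." or "va_list" in a for a in args):
            continue  # truncated call, or a prototype/definition
        # Assumption: fmt is the first or second argument of each helper.
        if not any(a.startswith('"') for a in args[:2]):
            hits.append((src.count("\n", 0, m.start()) + 1, m.group(1), args))
    return hits

# Constructed sample, not taken from the nut source tree.
SAMPLE = r'''
void upslogx(int priority, const char *fmt, ...);
upsdebugx(2, reply);
fatalx(EXIT_FAILURE,
       "Can't open %s", path);
fatal_with_errno(EXIT_FAILURE, msg_for(fd, ","));
'''
```

Run needs_review() over the text of each .c file; every hit is a call where the origin of fmt still has to be traced by hand.
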
  4. Quality assurance:

    • In what situations does the package not work out of the box without configuration ?
      • Requires manual configuration as the external hw is not always autodetectable. Upstream has planned improvements on that side.

    • Does the package ask any debconf questions higher than priority 'medium' ?
      • Yes, but only if upgrading from versions < 2.2.0 for the core package and < 2.0.1 for the nut-cgi package.

    • Debian bugs: Several bugs at different severities.

    • Maintenance in Debian is very calm

    • Upstream is active

    • Hardware: Does this package deal with hardware and if so how exotic is it ?
      • Yes. It deals with external UPSes. Not extremely exotic, and a must-have feature for servers.
  5. Standards compliance:

    • FHS, Debian Policy.

      • Package looks FHS compliant, lintian complains about a number of things, and the nut-dev package doesn't provide shared libraries (only static, but it's planned upstream).
    • Packaging system (debhelper/cdbs/dbs) ? Patch system ? Any packaging oddities ?
      • dpatch (on some versions).
  6. Dependencies:

    • Are these all in main ?
      • Build-deps and Depends are all in main.

Reviewers

MIR bug: https://bugs.launchpad.net/182790

The author of this report should put their name here; reviewers will add comments etc. too

FabioMassimoDiNitto ArnaudQuette JamieStrandboge