Apcupsd Security Issues

  • apcupsd runs as root.
  • If you have NETSERVER on in your apcupsd.conf file, be aware that anyone on the network can read the status of your UPS. This may or may not pose a problem. If you don't consider this information privileged, as is the case for me, there is little risk. In addition, if you have a firewall between your servers and the Internet, hackers will not have access to your UPS information. Additionally, you can restrict who can access your apcupsd server by using the INETD services and using access control lists with a TCP wrapper or by configuring TCP wrappers in apcupsd (see below for TCP Wrapper details).
  • If you are running master/slave networking with a single UPS powering multiple machines, be aware that it is possible for someone to simulate the master and send a shutdown request to your slaves. The slaves do check that the network address of the machine claiming to be the master is that same as the address returned by DNS corresponding to the name of the master as specified in your configuration file.

TCP Wrappers

As of apcupsd version 3.8.2, TCP Wrappers are implemented if you turn them on when configuring (./configure --with-libwrap). With this code enabled, you may control who may access your apcupsd via TCP connections (the Network Information Server, and the Master/Slave code). This control is done by modifying the file: /etc/hosts.allow. This code is implemented but untested. If you use it, please send us some feedback.