1
.TH UPSD.CONF 5 "Mon Mar 4 2002" "" "Network UPS Tools (NUT)"
1
.TH UPSD.CONF 5 "Mon Jul 14 2003" "" "Network UPS Tools (NUT)"
3
3
upsd.conf \- Configuration for Network UPS Tools upsd
7
7
upsd uses this file to control access to the server and set some other
8
miscellaneous configuration values. This file will contain passwords
9
for your \fBupsmon\fR(8) clients, so keep it secure. Ideally, only the
10
upsd process should be able to read it.
8
miscellaneous configuration values. This file contains details on
9
access controls, so keep it secure. Ideally, only the upsd process
10
should be able to read it.
12
12
.SH ACCESS CONTROL CONFIGURATION
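Review bot: The rewritten description at new lines 8-10 still asks that only the upsd process be able to read the file, but the stated reason is now just "details on access controls" and nothing says where the passwords went. Suggest adding a pointer to upsd.users(5), which the removed "manager" text names as the place where the username + password scheme is controlled, so administrators know to apply the same restrictive file permissions there.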
45
44
deny - deny the clients access to commands at this level.
47
drop - like deny, but don't even respond to their query.
49
46
The \fIlevel\fR relates to the complexity of the command. More
50
47
important functions like editing variables inside the UPS require more
51
48
privileges than merely checking the status. Each level includes the
52
49
powers of the one before it. Here are the valid levels:
54
base - Allows TCP connections and very simple queries. Valid
55
commands are VER and HELP.
57
monitor - "base", plus the ability to fetch variables from the
58
UPS. Valid commands are LISTRW, LISTVARS, and REQ.
60
login - "monitor", plus the LOGIN command to let the master
61
\fBupsmon\fR(8) process know how many slaves are connected.
63
master - "login", plus extra powers for the master
64
\fBupsmon\fR(8) process. MASTER is allowed so upsmon can check its
65
privileges, and FSD allows it to set the "forced shutdown" flag on any
68
manager - "master", plus variable setting and instant commands.
69
Deprecated, and included here for backwards compatibility with older
70
clients. Newer clients use a username + password scheme, and their
71
access is controlled by \fBupsd.users\fR(5).
51
base - Allows TCP connections and very simple queries. You
52
will probably never need to use this level. One possible use would be a
53
program that connects to a port to verify that a service is running.
55
monitor - This adds the ability to request information like the
56
current value of different variables. This is the level you should use
73
59
all - match any level. This really only should be used for
74
"drop all all" or similar. Granting "all" access to any host is not
60
"deny all all" or similar. Granting "all" access to any host is not
77
63
The \fIaclname\fR is just one of your ACL definitions, as explained
80
Finally, the \fIpassword\fR is optional, and only applies to the higher
81
level functions. The client is required to send this password to the
82
server before any "login", "master", or "manager" level commands will
85
66
.SH ACCESS CONTROL EXAMPLES
87
68
Here is an example configuration to show some of what is possible.
89
- "server" has a UPS attached to a serial port. It runs the
90
model driver, upsd, and upsmon in master mode. The password is
70
- "bigserver" has a UPS attached to a serial port. It runs the
71
driver, upsd, and upsmon in master mode. This definition is
72
also referenced with an "allowfrom" in \fBupsd.users\fR(8).
93
- "workstation" draws from the same UPS as "server", but has to monitor
94
it over the network. It runs upsmon in slave mode. The password is
74
- "workstation" draws from the same UPS as "bigserver", but has
76
it over the network. It runs upsmon in slave mode. It is also
77
referenced with an "allowfrom" in \fBupsd.users\fR(8).
97
79
- "webserver" doesn't get power from this UPS at all, but it
98
80
runs the CGI programs so it can make nice status displays.
100
- an abuser is silently dropped
82
- an abuser is explicitly denied
102
84
- everyone not yet covered is denied nicely
106
ACL server 10.20.30.1/32
88
ACL bigserver 10.20.30.1/32
107
89
ACL workstation 10.20.30.2/32
108
90
ACL webserver 10.20.30.3/32
109
91
ACL abuser 192.168.255.128/32
112
ACCESS grant master server magicpass
113
ACCESS grant login workstation anotherpass
94
ACCESS grant monitor bigserver
95
ACCESS grant monitor workstation
114
96
ACCESS grant monitor webserver
115
ACCESS drop all abuser
97
ACCESS deny all abuser
116
98
ACCESS deny all all
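Review bot: The new example text at new lines 72 and 77 cites upsd.users(8), while the removed "manager" paragraph and the SEE ALSO line cite upsd.users(5); a configuration file belongs in section 5, so both new references should read \fBupsd.users\fR(5). Separately, this hunk removes the "drop" action, the "login", "master" and "manager" levels and the optional password field without saying how upsd treats an existing upsd.conf that still uses them; a short compatibility sentence would help. It would also help to keep the per-level command lists (VER, HELP, LISTRW, LISTVARS, REQ) that the new "base" and "monitor" descriptions no longer give, since they let an administrator audit what each level exposes.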
127
109
match everything else first so they don't hit the deny at the bottom.
129
111
If you don't have a final "all" match at the bottom, it will force one
130
for you as a deny. So, if you want the whole world to have access, add
131
an explicit allow for it. Think of it as a big repeating "if-then-else"
134
.SH ACCESS CONTROL: POTENTIAL PROBLEMS TO AVOID
136
You can get into a bit of trouble if things are defined out of order.
137
Take the following example:
141
ACCESS grant master myhost pass2
142
ACCESS grant login myhost pass1
146
That looks fine at a glance, but will cause problems whenever someone
147
on "myhost" tries to do login functions with password "pass1". The
148
reason is that the first line encountered matches the host *and* has
149
sufficient access for the task at hand, so it uses the password
150
on that line (pass2) and fails.
152
The solution is to put the most powerful lines last, so they don't
157
ACCESS grant login myhost pass1
158
ACCESS grant master myhost pass2
162
This way, the manager functions miss the first line entirely and
163
instead match the second one, which has the right password.
112
for you as a deny. This means that you have to explicitly add an allow
113
in order to allow the whole world to have access.
115
Just think of it as a big repeating "if-then-else" structure.
165
117
.SH OTHER CONFIGURATION DIRECTIVES
167
119
.IP "MAXAGE \fIseconds\fR"
169
upsd usually allows the data from a driver to go up to 15 seconds
170
without an update before declaring it "stale". If your driver can't
171
reliably update the data that often but is otherwise working, you can
172
use MAXAGE to make upsd wait longer.
121
upsd usually allows a driver to stop responding for up to 15 seconds
122
before declaring the data "stale". If your driver takes a very long
123
time to process updates but is otherwise operational, you can use MAXAGE
124
to make upsd wait longer.
174
You should only use this if your model program has difficulties keeping
175
the data fresh within the normal 15 second interval. Watch the syslog
176
for notifications from upsd about staleness.
126
Most users should leave this at the default value.
178
128
.IP "STATEPATH \fIpath\fR"
180
Tell upsd to look for the state files in \fIpath\fR rather than the
181
default that was compiled into the program.
130
Tell upsd to look for the driver state sockets in \fIpath\fR rather
131
than the default that was compiled into the program.
184
134
\fBupsd\fR(8), \fBnutupsdrv\fR(8), \fBupsd.users\fR(5)
186
136
.SS Internet resources:
187
The NUT (Network UPS Tools) home page: http://www.exploits.org/nut/
189
NUT mailing list archives and information: http://lists.exploits.org/
137
The NUT (Network UPS Tools) home page: http://www.networkupstools.org/
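Review bot: Removing the "ACCESS CONTROL: POTENTIAL PROBLEMS TO AVOID" section (old lines 134-163) leaves the first-match behaviour stated only through the "if-then-else" analogy at new line 115. The context at old line 127 still tells readers to "match everything else first so they don't hit the deny at the bottom", so ordering still matters; suggest keeping one sentence that states the rule directly, namely that the first ACCESS line matching the host with sufficient level is the one used. In the MAXAGE paragraph, the removed advice to watch the syslog for staleness notifications from upsd is still useful beside "Most users should leave this at the default value" and could be retained.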