UPSD.CONF(5) Network UPS Tools (NUT) UPSD.CONF(5)NAMEupsd.conf - Configuration for Network UPS Tools upsd
DESCRIPTION
upsd uses this file to control access to the server and
set some other miscellaneous configuration values. This
file will contain passwords for your upsmon(8) clients, so
keep it secure. Ideally, only the upsd process should be
able to read it.
ACCESS CONTROL CONFIGURATION
ACL name netblock
Define an Access Control List (ACL) called name
that contains the network netblock. The netblock
can be either the old style, such as this for a
traditional "class C":
ACL mynet 192.168.50.0/255.255.255.0
Or, you can use new-style "CIDR format":
ACL mynet 192.168.50.0/24
To just list one host, it would look like one of
these:
ACL mybox 192.168.50.1/255.255.255.255
ACL mybox 192.168.50.1/32
ACLs are used whenever you need to refer to a net-
work or host, such as in ACCESS definitions (below)
and with "allowfrom" in upsd.users(5).
ACCESS action level aclname [password]
Define the access to commands at level level by
clients in the network defined by ACL aclname,
optionally requiring a password password.
The action can be one of three values:
grant - allow the clients to perform commands
at this level.
deny - deny the clients access to commands at
this level.
drop - like deny, but don't even respond to
their query.
The level relates to the complexity of the command.
More important functions like editing variables
inside the UPS require more privileges than merely
checking the status. Each level includes the pow-
ers of the one before it. Here are the valid lev-
els:
base - Allows TCP connections and very simple
queries. Valid commands are VER and HELP.
monitor - "base", plus the ability to fetch
variables from the UPS. Valid commands are LISTRW,
LISTVARS, and REQ.
login - Deprecated. Implies monitor and base.
This is used by old versions of upsmon in slave
mode. Newer versions of upsmon (1.1 and up) that
send usernames are granted access in upsd.users(5).
master - Deprecated. Implies login, monitor
and base. Used by old versions in master mode.
See login above.
all - match any level. This really only
should be used for "drop all all" or similar.
Granting "all" access to any host is not recom-
mended.
The aclname is just one of your ACL definitions, as
explained above.
The password is only used for "login" or "master",
and should not be set for lower access levels.
ACCESS CONTROL EXAMPLES
Here is an example configuration to show some of what is
possible.
- "bigserver" has a UPS attached to a serial port.
It runs the driver, upsd, and upsmon in master mode. This
definition is also referenced with an "allowfrom" in
upsd.users(8).
- "workstation" draws from the same UPS as
"bigserver", but has to monitor it over the network. It
runs upsmon in slave mode. It is also referenced with an
"allowfrom" in upsd.users(8).
- "webserver" doesn't get power from this UPS at all,
but it runs the CGI programs so it can make nice status
displays.
- an abuser is silently dropped
- everyone not yet covered is denied nicely
ACL bigserver 10.20.30.1/32
ACL workstation 10.20.30.2/32
ACL webserver 10.20.30.3/32
ACL abuser 192.168.255.128/32
ACL all 0.0.0.0/0
ACCESS grant monitor bigserver
ACCESS grant monitor workstation
ACCESS grant monitor webserver
ACCESS drop all abuser
ACCESS deny all all
ACCESS CONTROL MATCHING
Access controls should go from most specific to least spe-
cific. The first match with a sufficient access level is
the one used when applying permissions.
Along the same lines, everyone is a member of "all", but
we want to match everything else first so they don't hit
the deny at the bottom.
If you don't have a final "all" match at the bottom, it
will force one for you as a deny. This means that you
have to explicitly add an allow in order to allow the
whole world to have access.
Just think of it as a big repeating "if-then-else" struc-
ture.
OTHER CONFIGURATION DIRECTIVES
MAXAGE seconds
upsd usually allows the data from a driver to go up
to 15 seconds without an update before declaring it
"stale". If your driver can't reliably update the
data that often but is otherwise working, you can
use MAXAGE to make upsd wait longer.
You should only use this if your driver has diffi-
culties keeping the data fresh within the normal 15
second interval. Watch the syslog for notifica-
tions from upsd about staleness.
STATEPATH path
Tell upsd to look for the state files in path
rather than the default that was compiled into the
program.
SEE ALSOupsd(8), nutupsdrv(8), upsd.users(5)
Internet resources:
The NUT (Network UPS Tools) home page:
http://www.exploits.org/nut/
NUT mailing list archives and information:
http://lists.exploits.org/
Wed Oct 16 2002 UPSD.CONF(5)