We release security updates for the following versions:

| Version | Supported |
|---|---|
| main | ✅ |
| dev | ✅ |

This software requires:
- Root access: Necessary for hardware control and systemd service management
- Hardware access: Direct access to PWM control devices
- System integration: Runs as a systemd service with automatic restart
The UCG Max Fan Control system is designed with security and safety in mind:
- Fail-Safe Operation:
  - Activates fans on sensor failures
  - Maintains last known safe state during errors
  - Emergency mode triggers at critical temperatures
- Resource Protection:
  - Single instance enforcement via PID file
  - Atomic file operations to prevent corruption
  - Configuration validation with automatic correction
- Privilege Management:
  - Runs as root only when necessary
  - Validates hardware access before operations
  - Minimal system modifications
- Input Validation:
  - All configuration parameters validated against safe ranges
  - Temperature readings validated before use
  - PWM values clamped to hardware limits
- Verify source:

  ```bash
  # Clone and inspect before running
  git clone https://github.com/iceteaSA/unifi-fan-control.git
  cd unifi-fan-control

  # Review scripts
  less fan-control.sh
  less install.sh

  # Then install
  sudo ./install.sh
  ```

- Use checksums (if provided in releases)
- Install from trusted sources only
- Protect configuration files:

  ```bash
  # Verify permissions
  ls -la /data/fan-control/config

  # Should be owned by root
  sudo chown root:root /data/fan-control/config
  sudo chmod 644 /data/fan-control/config
  ```

- Review configuration changes:
  - Always review changes before applying
  - Test configuration changes in safe conditions
  - Monitor logs after changes
- Backup configuration:

  ```bash
  # Before making changes
  sudo cp /data/fan-control/config /data/fan-control/config.backup
  ```

- Regular log review:

  ```bash
  # Check for errors or anomalies
  journalctl -u fan-control.service | grep -E "ERROR|FATAL|ALERT"
  ```

- Monitor temperature trends:

  ```bash
  # Ensure temperatures stay in safe ranges
  journalctl -u fan-control.service -f | grep "TEMP:"
  ```

- Verify state transitions:

  ```bash
  # Check for unexpected state changes
  journalctl -u fan-control.service | grep "STATE:"
  ```
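
The permission check under "Protect configuration files" can be turned into a repeatable audit. The following is an added example, not part of the project's code; it goes slightly beyond the `ls`/`chown`/`chmod` steps by also rejecting symlinks and a writable parent directory. The function name `audit_config` and its messages are illustrative, and it assumes Linux `stat -c`.

```shell
#!/usr/bin/env bash
# Added example (not project code): audit the fan-control config file
# before a root-run service reads it. Names and messages are illustrative.
# Assumes Linux `stat -c` (GNU coreutils or BusyBox).

# audit_config PATH [EXPECTED_UID]
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_config() {
    local path="$1" want_uid="${2:-0}" rc=0 uid mode dir dmode

    # A symlink would make the service read a file other than the one audited.
    if [ -L "$path" ]; then
        echo "FINDING: $path is a symlink"
        return 1
    fi
    if [ ! -f "$path" ]; then
        echo "FINDING: $path is missing or not a regular file"
        return 1
    fi

    uid=$(stat -c '%u' "$path")
    mode=$(stat -c '%a' "$path")
    if [ "$uid" != "$want_uid" ]; then
        echo "FINDING: $path owned by uid $uid, expected $want_uid"
        rc=1
    fi
    # 022 (octal) = group-write | other-write; mode 644 has neither bit set.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FINDING: $path mode $mode is group- or world-writable"
        rc=1
    fi

    # A writable parent directory lets a non-root user replace the file
    # even when the file's own mode is correct.
    dir=$(dirname "$path")
    dmode=$(stat -c '%a' "$dir")
    if [ $(( 0$dmode & 022 )) -ne 0 ]; then
        echo "FINDING: directory $dir mode $dmode is group- or world-writable"
        rc=1
    fi
    return "$rc"
}

# Run as a script, e.g.: ./audit.sh /data/fan-control/config
if [ "$#" -gt 0 ]; then
    audit_config "$@"
fi
```
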
Why needed:
- Hardware PWM control requires root access
- Systemd service management requires root
- System-level temperature monitoring requires root
Mitigation:
- Code is open source and auditable
- Minimal system modifications
- Clear logging of all operations
- No network access required
- No external dependencies beyond system tools
Risks:
- Incorrect PWM values could affect hardware
- Sensor failures could lead to thermal issues
Mitigations:
- PWM values validated and clamped
- Emergency override at critical temperatures
- Fail-safe behavior on sensor errors
- Hardware validation on startup
- Hysteresis prevents rapid changes
Access required:
- `/data/fan-control/` - Configuration and state files
- `/sys/class/hwmon/` - Hardware control interface
- `/var/run/` - PID file
- `/etc/systemd/system/` - Service file
Protections:
- Atomic file operations prevent corruption
- Validation before writing
- Error handling for file operations
- Cleanup on service stop
For security vulnerabilities, please report via:
- GitHub Security Advisories (preferred):
  - Go to: https://github.com/iceteaSA/unifi-fan-control/security/advisories
  - Click "Report a vulnerability"
- GitHub Issues (for less critical issues):
  - https://github.com/iceteaSA/unifi-fan-control/issues
  - Tag with `security` label
- Direct contact (for critical vulnerabilities):
  - Create a private security advisory on GitHub
  - Or create an issue with minimal details and request private disclosure
When reporting a security vulnerability, please include:
- Description: Clear description of the vulnerability
- Impact: Potential security impact and severity
- Reproduction: Steps to reproduce the issue
- Environment:
  - Device model (UCG-Max, UCG-Fibre, etc.)
  - UniFi OS version
  - Script version/branch
- Proposed fix (if you have one)
- Discoverer: Credit information if desired
- Initial response: Within 48 hours
- Status update: Within 7 days
- Fix timeline: Depends on severity
  - Critical: Within 7 days
  - High: Within 14 days
  - Medium: Within 30 days
  - Low: Next regular release
- Coordinated disclosure: We prefer 90 days before public disclosure
- Credit: Security researchers will be credited (if desired)
- Notification: Affected users notified via:
  - GitHub Security Advisory
  - Release notes
  - README update
Security updates will be:
- Released as soon as possible
- Documented in CHANGELOG.md
- Announced via GitHub releases
- Tagged with `security` label
To apply security updates:

```bash
# Re-run installation (preserves config)
curl -sSL https://raw.githubusercontent.com/iceteaSA/unifi-fan-control/main/install.sh | sudo bash

# Or manual update
cd unifi-fan-control
git pull
sudo ./install.sh
```

This project has minimal dependencies:
- `bash` - Shell interpreter
- `systemd` - Service management
- `ubnt-systool` - Ubiquiti system tool (temperature reading)
- Standard UNIX utilities: `awk`, `grep`, `cat`, etc.
- No npm packages
- No pip packages
- No compiled dependencies
- No network dependencies
This minimizes supply chain risk.
Users can monitor all fan control operations via systemd journal:

```bash
# Complete audit trail
journalctl -u fan-control.service

# All configuration changes
journalctl -u fan-control.service | grep "CONFIG:"

# All state changes
journalctl -u fan-control.service | grep "STATE:"

# All PWM changes
journalctl -u fan-control.service | grep "SET:"

# All errors
journalctl -u fan-control.service | grep "ERROR:"
```

- Downloaded from official GitHub repository
- Reviewed code before installation
- Installed as root with understanding of implications
- Configuration file has proper permissions (644, root-owned)
- Regularly monitoring service logs
- Temperature readings in expected ranges
- No unexpected state transitions
- Keeping software updated
For security-related questions that don't constitute vulnerabilities:
- Open a GitHub discussion
- Create a GitHub issue with `question` label
- Review existing documentation and issues
Last updated: 2025-11-13
Thank you for helping keep UCG Max Fan Control secure!