authorMark Johnston <markj@FreeBSD.org>2024-06-11 15:39:25 +0000
committerMark Johnston <markj@FreeBSD.org>2024-06-20 15:06:45 +0000
commit2fe130f50f2756a3e31af2badd38a4c1746166d7 (patch)
treea96aebf61608e4039f8add457194a279949c1dc5
parentd649ff858b46a52a9f6f3bdb6a038158d1dab8a7 (diff)
net-mgmt/net-snmp: Make snmpd and snmptrapd drop privileges by default
Now that we have a better idea of what problems can arise with this change, let's try again, this time providing better documentation and some troubleshooting steps.

Approved by: zi
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
-rw-r--r--UPDATING14
-rw-r--r--net-mgmt/net-snmp/Makefile2
-rw-r--r--net-mgmt/net-snmp/files/snmpd.in17
-rw-r--r--net-mgmt/net-snmp/files/snmptrapd.in10
4 files changed, 32 insertions, 11 deletions
diff --git a/UPDATING b/UPDATING
index e5c1d67e5baf..cd95246f6aa0 100644
--- a/UPDATING
+++ b/UPDATING
@@ -5,6 +5,20 @@ they are unavoidable.
You should get into the habit of checking this file for changes each time
you update your ports collection, before attempting any port upgrades.
+20240620:
+ AFFECTS: net-mgmt/net-snmp
+ AUTHOR: markj@FreeBSD.org
+
+ The snmpd and snmptrapd daemons now drop privileges by default when started
+ using the rc scripts provided in the package. Make sure that snmpd
+ configuration in /usr/local/share/snmp is readable by the "snmpd" user. If
+ you have defined extension scripts in snmpd.conf, make sure that they can be
+ executed by an unprivileged user. To revert to the old behavior of always
+ running as root, set snmpd_sugid="NO" or snmptrapd_sugid="NO" in /etc/rc.conf.
+
+ See the snmpd rc script for a hint on how to debug any permission problems
+ that might arise as a result of this change.
+
20240615:
AFFECTS: mail/cyrus-imapd25
AUTHOR: ume@FreeBSD.org
diff --git a/net-mgmt/net-snmp/Makefile b/net-mgmt/net-snmp/Makefile
index 305576e6cbd5..51b905b330b2 100644
--- a/net-mgmt/net-snmp/Makefile
+++ b/net-mgmt/net-snmp/Makefile
@@ -1,7 +1,7 @@
PORTNAME= snmp
PORTVERSION= 5.9.4
PORTEPOCH= 1
-PORTREVISION= 3
+PORTREVISION= 4
CATEGORIES= net-mgmt
MASTER_SITES= SF/net-${PORTNAME}/net-${PORTNAME}/${PORTVERSION} \
ZI
diff --git a/net-mgmt/net-snmp/files/snmpd.in b/net-mgmt/net-snmp/files/snmpd.in
index 6e89d9cb1c5b..575086a381cd 100644
--- a/net-mgmt/net-snmp/files/snmpd.in
+++ b/net-mgmt/net-snmp/files/snmpd.in
@@ -9,11 +9,18 @@
# snmpd_flags="<set as needed>"
# snmpd_conffile="<set as needed>"
#
-# Add the following line to make snmpd drop privileges after initialization.
-# This might invalidate existing SNMPv3 users. Make sure that configuration
-# files are readable by the snmpd user.
+# Add the following line to make snmpd run as root. By default it drops
+# privileges after initialization, but some configurations may require
+# root privileges. In particular, extension scripts may need to be run as root.
#
-# snmpd_sugid="YES"
+# snmpd_sugid="NO"
+#
+# To troubleshoot permission errors, it may be useful to run snmpd with the
+# following option in rc.conf:
+#
+# snmpd_prepend="ktrace -i -f /tmp/snmpd_ktrace.out"
+#
+# The resulting trace can be inspected with "kdump -f /tmp/snmpd_ktrace.out".
#
. /etc/rc.subr
@@ -25,7 +32,7 @@ load_rc_config snmpd
snmpd_enable=${snmpd_enable:-"NO"}
snmpd_flush_cache=${snmpd_flush_cache-"NO"}
-snmpd_sugid=${snmpd_sugid:-"NO"}
+snmpd_sugid=${snmpd_sugid:-"YES"}
pidfile=${snmpd_pidfile:-"/var/run/net_snmpd.pid"}
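Review bot: The troubleshooting hint added at the `snmpd_prepend` line points ktrace at `/tmp/snmpd_ktrace.out`, a world-writable directory, and since tracing starts while the daemon is still root and (per the comment above it) privileges are dropped only after initialization, the trace will likely record snmpd.conf as it is read, including any community strings or SNMPv3 secrets configured there. A root-owned location plus a cleanup reminder would make the hint safe to follow as written, e.g. `# snmpd_prepend="ktrace -i -f /var/log/snmpd_ktrace.out"` followed by `# Remove the trace file when done; it may contain configuration secrets.`. The rewritten comment block also drops the earlier reminder that configuration files must be readable by the snmpd user; now that dropping privileges is the default, that sentence is worth keeping in this script (and in snmptrapd.in), since the rc script rather than UPDATING is where users look when the daemon fails to start.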
diff --git a/net-mgmt/net-snmp/files/snmptrapd.in b/net-mgmt/net-snmp/files/snmptrapd.in
index 43008b9ae509..6c7bc93a2a03 100644
--- a/net-mgmt/net-snmp/files/snmptrapd.in
+++ b/net-mgmt/net-snmp/files/snmptrapd.in
@@ -7,16 +7,16 @@
#
# snmptrapd_enable="YES"
#
-# Add the following line to make snmptrapd drop privileges after
-# initialization. Make sure that configuration files are readable by the snmpd
-# user.
+# Add the following line to make snmptrapd run as root. By default it drops
+# privileges after initialization, but some configurations may require root
+# privileges.
#
-# snmptrapd_sugid="YES"
+# snmptrapd_sugid="NO"
#
snmptrapd_enable=${snmptrapd_enable-"NO"}
snmptrapd_flags=${snmptrapd_flags-"-p /var/run/snmptrapd.pid"}
-snmptrapd_sugid=${snmptrapd_sugid-"NO"}
+snmptrapd_sugid=${snmptrapd_sugid-"YES"}
. /etc/rc.subr
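Review bot: The rewritten comment around the `snmptrapd_sugid="NO"` example gives no pointer to how permission problems can be diagnosed, although the same default flip as in snmpd.in now applies here and UPDATING sends users to the snmpd rc script for that hint. A one-line cross-reference after the example would keep the two scripts in step, e.g. `# See the snmpd rc script for a hint on how to troubleshoot permission errors.`. As a point of style, `${snmptrapd_sugid-"YES"}` preserves an explicitly empty value where snmpd.in's `:-` form would substitute "YES"; that matches the other assignments in this file, so it only matters if the two scripts are meant to behave identically for `snmptrapd_sugid=""`.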