author | Mark Johnston <markj@FreeBSD.org> | 2024-06-11 15:39:25 +0000 |
committer | Mark Johnston <markj@FreeBSD.org> | 2024-06-20 15:06:45 +0000 |
commit | 2fe130f50f2756a3e31af2badd38a4c1746166d7 (patch) | |
tree | a96aebf61608e4039f8add457194a279949c1dc5 | |
parent | d649ff858b46a52a9f6f3bdb6a038158d1dab8a7 (diff) |
net-mgmt/net-snmp: Make snmpd and snmptrapd drop privileges by default
Now that we have a better idea of what problems can arise with this
change, let's try again, this time providing better documentation and
some troubleshooting steps.
Approved by: zi
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
-rw-r--r-- | UPDATING | 14 | ||||
-rw-r--r-- | net-mgmt/net-snmp/Makefile | 2 | ||||
-rw-r--r-- | net-mgmt/net-snmp/files/snmpd.in | 17 | ||||
-rw-r--r-- | net-mgmt/net-snmp/files/snmptrapd.in | 10 |
4 files changed, 32 insertions, 11 deletions
@@ -5,6 +5,20 @@ they are unavoidable.
 You should get into the habit of checking this file for changes each time
 you update your ports collection, before attempting any port upgrades.
 
+20240620:
+ AFFECTS: net-mgmt/net-snmp
+ AUTHOR: markj@FreeBSD.org
+
+ The snmpd and snmptrapd daemons now drop privileges by default when started
+ using the rc scripts provided in the package. Make sure that snmpd
+ configuration in /usr/local/share/snmp is readable by the "snmpd" user. If
+ you have defined extension scripts in snmpd.conf, make sure that they can be
+ executed by an unprivileged user. To revert to the old behavior of always
+ running as root, set snmpd_sugid="NO" or snmptrapd_sugid="NO" in /etc/rc.conf.
+
+ See the snmpd rc script for a hint on how to debug any permission problems
+ that might arise as a result of this change.
+
 20240615:
  AFFECTS: mail/cyrus-imapd25
  AUTHOR: ume@FreeBSD.org
diff --git a/net-mgmt/net-snmp/Makefile b/net-mgmt/net-snmp/Makefile
index 305576e6cbd5..51b905b330b2 100644
--- a/net-mgmt/net-snmp/Makefile
+++ b/net-mgmt/net-snmp/Makefile
@@ -1,7 +1,7 @@
 PORTNAME= snmp
 PORTVERSION= 5.9.4
 PORTEPOCH= 1
-PORTREVISION= 3
+PORTREVISION= 4
 CATEGORIES= net-mgmt
 MASTER_SITES= SF/net-${PORTNAME}/net-${PORTNAME}/${PORTVERSION} \
 ZI
diff --git a/net-mgmt/net-snmp/files/snmpd.in b/net-mgmt/net-snmp/files/snmpd.in
index 6e89d9cb1c5b..575086a381cd 100644
--- a/net-mgmt/net-snmp/files/snmpd.in
+++ b/net-mgmt/net-snmp/files/snmpd.in
@@ -9,11 +9,18 @@
 # snmpd_flags="<set as needed>"
 # snmpd_conffile="<set as needed>"
 #
-# Add the following line to make snmpd drop privileges after initialization.
-# This might invalidate existing SNMPv3 users. Make sure that configuration
-# files are readable by the snmpd user.
+# Add the following line to make snmpd run as root. By default it drops
+# privileges after initialization, but some configurations may require
+# root privileges. In particular, extension scripts may need to be run as root.
 #
-# snmpd_sugid="YES"
+# snmpd_sugid="NO"
+#
+# To troubleshoot permission errors, it may be useful to run snmpd with the
+# following option in rc.conf:
+#
+# snmpd_prepend="ktrace -i -f /tmp/snmpd_ktrace.out"
+#
+# The resulting trace can be inspected with "kdump -f /tmp/snmpd_ktrace.out".
 #
 
 . /etc/rc.subr
@@ -25,7 +32,7 @@ load_rc_config snmpd
 
 snmpd_enable=${snmpd_enable:-"NO"}
 snmpd_flush_cache=${snmpd_flush_cache-"NO"}
-snmpd_sugid=${snmpd_sugid:-"NO"}
+snmpd_sugid=${snmpd_sugid:-"YES"}
 
 pidfile=${snmpd_pidfile:-"/var/run/net_snmpd.pid"}
 
diff --git a/net-mgmt/net-snmp/files/snmptrapd.in b/net-mgmt/net-snmp/files/snmptrapd.in
index 43008b9ae509..6c7bc93a2a03 100644
--- a/net-mgmt/net-snmp/files/snmptrapd.in
+++ b/net-mgmt/net-snmp/files/snmptrapd.in
@@ -7,16 +7,16 @@
 #
 # snmptrapd_enable="YES"
 #
-# Add the following line to make snmptrapd drop privileges after
-# initialization. Make sure that configuration files are readable by the snmpd
-# user.
+# Add the following line to make snmptrapd run as root. By default it drops
+# privileges after initialization, but some configurations may require root
+# privileges.
 #
-# snmptrapd_sugid="YES"
+# snmptrapd_sugid="NO"
 #
 
 snmptrapd_enable=${snmptrapd_enable-"NO"}
 snmptrapd_flags=${snmptrapd_flags-"-p /var/run/snmptrapd.pid"}
-snmptrapd_sugid=${snmptrapd_sugid-"NO"}
+snmptrapd_sugid=${snmptrapd_sugid-"YES"}
 
 . /etc/rc.subr
 |
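Review bot: The troubleshooting example `snmpd_prepend="ktrace -i -f /tmp/snmpd_ktrace.out"` in the new header comment has a daemon that starts as root (it only drops privileges after initialization, per the same comment) write a trace to a fixed, predictable name in the world-writable /tmp, and ktrace's default trace points include I/O data, so the file can end up holding whatever snmpd reads from its configuration, community strings included. Suggest pointing the example and the matching kdump line at a directory only root can write, e.g. `snmpd_prepend="ktrace -i -f /var/log/snmpd_ktrace.out"`, and adding `# Remove the trace file once the problem has been found; it may contain configuration contents.` The rewritten comment also drops the two caveats the old text carried, that dropping privileges "might invalidate existing SNMPv3 users" and that configuration files must be readable by the snmpd user; with the default flipped these now apply to every install rather than to opt-in users, so keeping at least the second one next to the `snmpd_sugid="NO"` example would save readers a trip to UPDATING.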
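Review bot: The new default `snmpd_sugid=${snmpd_sugid:-"YES"}` uses `:-` while the snmptrapd.in hunk in this same commit uses `-` (`snmptrapd_sugid=${snmptrapd_sugid-"YES"}`), so an empty `snmpd_sugid=""` in rc.conf selects the default here but an empty `snmptrapd_sugid=""` stays empty there. What either script does with an empty value is outside the hunk, but now that the default is the privilege-dropping one the two rc scripts should agree on how an empty setting is read; the `-` form is consistent within snmptrapd.in, so the cross-script difference is presumably unintentional. Whichever form is chosen, a one-line comment above the assignment, e.g. `# Empty is treated as the default (YES).`, would document the choice.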
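Review bot: The rewritten header comment in snmptrapd.in drops the old reminder that configuration files must be readable by the snmpd user, which the default flip in this hunk makes relevant to every install rather than only to users who opted in. Suggest keeping it next to the new example, e.g. `# Make sure that configuration files are readable by the snmpd user.` after the `snmptrapd_sugid="NO"` line, and pointing at the ktrace hint that snmpd.in gained in this commit since the same permission problems can hit snmptrapd.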