Date: Thu, 9 May 2024 17:04:06 GMT
Message-Id: <202405091704.449H465x020874@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Mark Johnston
Subject: git: 77487a63f99d - main - net-mgmt/net-snmp: Let snmpd run as a non-root user
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
X-Git-Committer: markj
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 77487a63f99d87e3e468d26008baf267ec600760

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/ports/commit/?id=77487a63f99d87e3e468d26008baf267ec600760

commit 77487a63f99d87e3e468d26008baf267ec600760
Author:     Mark Johnston
AuthorDate: 2024-04-11 13:58:18 +0000
Commit:     Mark Johnston
CommitDate: 2024-05-09 16:41:29 +0000

    net-mgmt/net-snmp: Let snmpd run as a non-root user

    - Compile without /dev/kmem access. This requires a small patch which
      opens libkvm in a dummy mode which uses sysctls to implement most of
      its interfaces rather than /dev/kmem access. This way we can drop the
      dependency on /dev/kmem without rewriting existing code.
    - Add a new snmpd user. Configure snmpd to drop privileges once it's
      finished initialization.
    - Remove the JAIL option. Now that snmpd avoids using /dev/kmem, there's
      no need to have a special mode for running snmpd in jails.

    The patch has been proposed upstream here:
    https://sourceforge.net/p/net-snmp/mailman/net-snmp-coders/thread/ZjEwNV5BiTOQ-Adi%40nuc/#msg58766857

    Approved by:    zi
    Sponsored by:   Klara, Inc.
Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D45031 --- GIDs | 2 +- UIDs | 2 +- net-mgmt/net-snmp/Makefile | 14 +++++----- net-mgmt/net-snmp/files/patch-agent_kernel.c | 40 ++++++++++++++++++++++++++++ net-mgmt/net-snmp/files/snmpd.in | 2 +- 5 files changed, 49 insertions(+), 11 deletions(-) diff --git a/GIDs b/GIDs index d98be0309a9c..ea5e397c234b 100644 --- a/GIDs +++ b/GIDs @@ -284,7 +284,7 @@ wildfire:*:340: stunnel:*:341: openfire:*:342: gunicorn:*:343: -# free: 344 +snmpd:*:344: # free: 345 # free: 346 eturnal:*:347: diff --git a/UIDs b/UIDs index 0e43c506f91e..ceba79b7c0fc 100644 --- a/UIDs +++ b/UIDs @@ -289,7 +289,7 @@ wildfire:*:340:340::0:0:Wildfire Daemon:/nonexistent:/usr/sbin/nologin stunnel:*:341:341::0:0:Stunnel Daemon:/nonexistent:/usr/sbin/nologin openfire:*:342:342::0:0:Openfire IM Daemon:/nonexistent:/usr/sbin/nologin gunicorn:*:343:343::0:0:Gunicorn Daemon:/nonexistent:/usr/sbin/nologin -# free: 344 +snmpd:*:344:344::0:0:Net-SNMP Daemon:/nonexistent:/usr/sbin/nologin # free: 345 # free: 346 eturnal:*:347:347::0:0:eturnal User:/var/spool/eturnal:/bin/sh diff --git a/net-mgmt/net-snmp/Makefile b/net-mgmt/net-snmp/Makefile index 71ad983bf18d..5fca4ba36051 100644 --- a/net-mgmt/net-snmp/Makefile +++ b/net-mgmt/net-snmp/Makefile @@ -1,6 +1,7 @@ PORTNAME= snmp PORTVERSION= 5.9.4 PORTEPOCH= 1 +PORTREVISION= 1 CATEGORIES= net-mgmt MASTER_SITES= SF/net-${PORTNAME}/net-${PORTNAME}/${PORTVERSION} \ ZI @@ -18,7 +19,7 @@ NOT_FOR_ARCHS= mips mips64 NOT_FOR_ARCHS_REASON= SSP is currently broken on MIPS OPTIONS_DEFINE= MFD_REWRITES PERL PERL_EMBEDDED PYTHON DUMMY TKMIB \ - MYSQL AX_SOCKONLY UNPRIVILEGED SMUX DOCS JAIL AX_DISABLE_TRAP \ + MYSQL AX_SOCKONLY UNPRIVILEGED SMUX DOCS AX_DISABLE_TRAP \ TLS NEWSYSLOG NOLIBPKG SCTP OPTIONS_DEFAULT=PERL PERL_EMBEDDED DUMMY SMUX NEWSYSLOG OPTIONS_SUB= yes 
@@ -31,11 +32,13 @@ AX_SOCKONLY_DESC= Disable UDP/TCP transports for agentx AX_DISABLE_TRAP_DESC= Disable agentx subagent code in snmptrapd UNPRIVILEGED_DESC= Allow unprivileged users to execute net-snmp SMUX_DESC= Build with SNMP multiplexing (SMUX) support -JAIL_DESC= Options for running snmpd within a jail(8) NEWSYSLOG_DESC= Automatically rotate snmpd.log via newsyslog NOLIBPKG_DESC= Build without libpkg SCTP_DESC= Build with SCTP MIB support +USERS= snmpd +GROUPS= snmpd + GNU_CONFIGURE= yes GNU_CONFIGURE_MANPREFIX=${PREFIX}/share USES= cpe libtool perl5 ssl @@ -55,6 +58,7 @@ CONFIGURE_ARGS+=--enable-shared --enable-internal-md5 \ --with-logfile="${NET_SNMP_LOGFILE}" \ --with-persistent-directory="${NET_SNMP_PERSISTENTDIR}" \ --with-gnu-ld --without-libwrap --enable-ipv6 \ + --without-kmem-usage \ --with-ldflags="-lm -lkvm -ldevstat -L${PKG_PREFIX}/lib -L${LOCALBASE}/lib ${LCRYPTO}" SUB_FILES= pkg-message @@ -154,12 +158,6 @@ CONFIGURE_ARGS+=--enable-mfd-rewrites NET_SNMP_WITH_MIB_MODULE_LIST+= if-mib .endif -.if ${PORT_OPTIONS:MJAIL} -NET_SNMP_WITHOUT_MIB_MODULE_LIST+= host -NET_SNMP_WITHOUT_MIB_MODULE_LIST+= ucd-snmp/memory -CONFIGURE_ARGS+= --without-kmem-usage -.endif - .if ${PORT_OPTIONS:MSMUX} NET_SNMP_WITH_MIB_MODULE_LIST+= smux .else diff --git a/net-mgmt/net-snmp/files/patch-agent_kernel.c b/net-mgmt/net-snmp/files/patch-agent_kernel.c new file mode 100644 index 000000000000..133b04bd1824 --- /dev/null +++ b/net-mgmt/net-snmp/files/patch-agent_kernel.c 
@@ -0,0 +1,40 @@ +--- agent/kernel.c.orig 2023-08-15 20:32:01 UTC ++++ agent/kernel.c +@@ -252,7 +252,37 @@ free_kmem(void) + kmem = -1; + } + } ++#elif defined(__FreeBSD__) ++kvm_t *kd; + ++/** ++ * Initialize the libkvm descriptor. On FreeBSD we can use most of libkvm ++ * without requiring /dev/kmem access. Only kvm_nlist() and kvm_read() need ++ * that, and we don't use them. ++ * ++ * @return TRUE upon success; FALSE upon failure. ++ */ ++int ++init_kmem(const char *file) ++{ ++ char err[4096]; ++ ++ kd = kvm_openfiles(NULL, "/dev/null", NULL, O_RDONLY, err); ++ if (!kd) { ++ snmp_log(LOG_CRIT, "init_kmem: kvm_openfiles failed: %s\n", err); ++ return FALSE; ++ } ++ return TRUE; ++} ++ ++void ++free_kmem(void) ++{ ++ if (kd != NULL) { ++ (void)kvm_close(kd); ++ kd = NULL; ++ } ++} + #else + int + init_kmem(const char *file) diff --git a/net-mgmt/net-snmp/files/snmpd.in b/net-mgmt/net-snmp/files/snmpd.in index a98404d22bd0..7f140200aa45 100644 --- a/net-mgmt/net-snmp/files/snmpd.in +++ b/net-mgmt/net-snmp/files/snmpd.in @@ -57,7 +57,7 @@ net_snmpd_precmd () { if [ -n "${snmpd_conffile_set}" ]; then rc_flags="-c ${snmpd_conffile_set#,} ${rc_flags}" fi - rc_flags="-p ${pidfile} ${rc_flags}" + rc_flags="-u snmpd -g snmpd -p ${pidfile} ${rc_flags}" } run_rc_command "$1"
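Review bot: In the net-mgmt/net-snmp/Makefile hunk at `@@ -154,12 +158,6 @@`, the removed JAIL block did more than pass `--without-kmem-usage`: it also excluded the `host` and `ucd-snmp/memory` MIB modules (`NET_SNMP_WITHOUT_MIB_MODULE_LIST+= host` / `+= ucd-snmp/memory`). Now that `--without-kmem-usage` is unconditional in the `@@ -55,6 +58,7 @@` hunk but those modules are no longer excluded, it is worth stating in the commit or the port that they were verified to build and return correct data on the kmem-less libkvm path, since the old JAIL mode only worked by leaving them out. The `-lkvm` left in `--with-ldflags` remains needed, as the new FreeBSD branch of agent/kernel.c calls `kvm_openfiles()` on every build.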
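Review bot: In the new files/patch-agent_kernel.c hunk, the `#elif defined(__FreeBSD__)` branch uses `kvm_t`, `kvm_openfiles()`, `O_RDONLY`, `snmp_log()`/`LOG_CRIT` and `TRUE`/`FALSE` but adds no `#include`; since this branch is only compiled when the preceding `#if` (the kmem-enabled path) is false, confirm that `<kvm.h>` and `<fcntl.h>` are included outside that guard rather than inside it. Two smaller points: `kvm_t *kd;` is a non-static global, which is fine if other agent modules reference it as `extern`, but a comment saying so would help; and the `file` parameter of `init_kmem()` is silently ignored, so a `(void)file;` line would make that deliberate. The `char err[4096]` buffer is adequate for `kvm_openfiles()`, which requires at least `_POSIX2_LINE_MAX` bytes.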
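Review bot: In the files/snmpd.in hunk, `rc_flags="-u snmpd -g snmpd -p ${pidfile} ${rc_flags}"` makes snmpd drop to snmpd:snmpd after initialization, so anything it touches later runs unprivileged: removal of `${pidfile}` at shutdown and writes to the persistent directory (`--with-persistent-directory="${NET_SNMP_PERSISTENTDIR}"` in the Makefile) will fail unless those paths are owned by, or writable to, the snmpd user. It would be good to see that ownership handled in the rc script's precmd or the port's plist, and to expose the user and group through an rc.conf variable rather than hardcoding them into `rc_flags`, matching the pattern other FreeBSD rc scripts use.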