git: 1a7344b7ecd8 - main - net-mgmt/net-snmp: Print a warning if config files aren't readable

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Tue, 04 Jun 2024 18:42:44 UTC
The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1a7344b7ecd8c5073552cdd097f546e9495c11dd

commit 1a7344b7ecd8c5073552cdd097f546e9495c11dd
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-05-24 14:12:01 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-06-04 18:40:37 +0000

    net-mgmt/net-snmp: Print a warning if config files aren't readable
    
    Motivated by a bug report from dvl@.  In his case, snmpd was able to
    read the configuration file initially, but failed to reload it upon
    receiving SIGHUP during log rotation.
    
    Approved by:    zi
    Sponsored by:   Stormshield
    Sponsored by:   Klara, Inc.
    Differential Revision:  https://reviews.freebsd.org/D45343
---
 net-mgmt/net-snmp/files/snmpd.in | 30 +++++++++++++++++++++++++-----
 1 file changed, 25 insertions(+), 5 deletions(-)

diff --git a/net-mgmt/net-snmp/files/snmpd.in b/net-mgmt/net-snmp/files/snmpd.in
index 7f75cacad813..6e89d9cb1c5b 100644
--- a/net-mgmt/net-snmp/files/snmpd.in
+++ b/net-mgmt/net-snmp/files/snmpd.in
@@ -10,7 +10,8 @@
 # snmpd_conffile="<set as needed>"
 #
 # Add the following line to make snmpd drop privileges after initialization.
-# This might invalidate existing SNMPv3 users.
+# This might invalidate existing SNMPv3 users.  Make sure that configuration
+# files are readable by the snmpd user.
 #
 # snmpd_sugid="YES"
 #
@@ -32,8 +33,24 @@ command=%%PREFIX%%/sbin/${name}
 
 start_precmd=net_snmpd_precmd
 
-net_snmpd_precmd () {
-	local flag conffile snmpd_conffile_set
+check_conffile()
+{
+	local conffile
+
+	conffile=$1
+
+	if [ ! -f "${conffile}" ]; then
+		warn "snmpd configuration file $conffile not found"
+		return
+	fi
+	su -m snmpd -c "test -r ${conffile}"
+	if [ $? -ne 0 ]; then
+		warn "snmpd configuration file $conffile not readable by snmpd user"
+	fi
+}
+
+net_snmpd_precmd() {
+	local flag conffile snmpd_conffile_set readable
 
 	if checkyesno snmpd_flush_cache; then
 		rm -vf /var/net-snmp/.snmp-exec-cache
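Review bot: In `check_conffile`, `${conffile}` is expanded unquoted inside the command string handed to `su -m snmpd -c`, so a path containing whitespace or shell metacharacters is re-parsed by the snmpd user's shell instead of being tested as a single filename; the same value is also passed unquoted at the `check_conffile ${conffile}` call in the later hunk. Quoting it inside the string, `su -m snmpd -c "test -r '${conffile}'"`, and calling `check_conffile "${conffile}"` covers the common cases, though a path containing a single quote would still need handling. The readability test also appears to run whether or not `snmpd_sugid` is enabled (any gating would be outside this hunk), so on a daemon that stays root the warning may be a false alarm; wrapping the `su` test in `if checkyesno snmpd_sugid; then` would avoid nudging admins to loosen permissions on a file that typically holds community strings. The new `readable` local in `net_snmpd_precmd` is not used in the visible lines, and that function's body continues outside the hunk.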
@@ -52,11 +69,14 @@ net_snmpd_precmd () {
 		esac
 	done
 
+	# -c does not override the default config file.
+	check_conffile %%PREFIX%%/share/snmp/snmpd.conf
 	for conffile in ${snmpd_conffile}; do
+		check_conffile ${conffile}
 		if [ -f "${conffile}" -a -s "${conffile}" ]; then
-		       snmpd_conffile_set="${snmpd_conffile_set},${conffile}"
+			snmpd_conffile_set="${snmpd_conffile_set},${conffile}"
 		else
-		       err 1 "snmpd configuration file $conffile not found."
+			err 1 "snmpd configuration file $conffile not found."
 		fi
 	done