git: 7fd34a3d5d75 - main - net-mgmt/net-snmp: Provide an option for snmptrapd to drop privs
Date: Thu, 20 Jun 2024 15:14:04 UTC
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/ports/commit/?id=7fd34a3d5d75d6f68a2e71518e7f2150f8819532
commit 7fd34a3d5d75d6f68a2e71518e7f2150f8819532
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-06-11 15:06:16 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-06-20 15:06:18 +0000
net-mgmt/net-snmp: Provide an option for snmptrapd to drop privs
As with snmpd, we can run snmptrapd with reduced privileges, which is
certainly desirable since snmptrapd's main function is to receive SNMP
traps and log them somewhere.
Approved by: zi
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
---
net-mgmt/net-snmp/files/snmptrapd.in | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/net-mgmt/net-snmp/files/snmptrapd.in b/net-mgmt/net-snmp/files/snmptrapd.in
index e2a6e01b0da1..43008b9ae509 100644
--- a/net-mgmt/net-snmp/files/snmptrapd.in
+++ b/net-mgmt/net-snmp/files/snmptrapd.in
@@ -7,19 +7,26 @@
#
# snmptrapd_enable="YES"
#
+# Add the following line to make snmptrapd drop privileges after
+# initialization. Make sure that configuration files are readable by the snmpd
+# user.
+#
+# snmptrapd_sugid="YES"
+#
snmptrapd_enable=${snmptrapd_enable-"NO"}
snmptrapd_flags=${snmptrapd_flags-"-p /var/run/snmptrapd.pid"}
+snmptrapd_sugid=${snmptrapd_sugid-"NO"}
. /etc/rc.subr
load_rc_config net_snmptrapd
if [ ! -z "$net_snmptrapd_enable" ]; then
- echo "Warning: \$net_snmptrapd_enable is obsoleted."
- echo " Use \$snmptrapd_enable instead."
- snmptrapd_enable="$net_snmptrapd_enable"
- [ ! -z "$net_snmptrapd_flags" ] && snmptrapd_flags="$net_snmptrapd_flags"
+ echo "Warning: \$net_snmptrapd_enable is obsolete."
+ echo " Use \$snmptrapd_enable instead."
+ snmptrapd_enable="$net_snmptrapd_enable"
+ [ ! -z "$net_snmptrapd_flags" ] && snmptrapd_flags="$net_snmptrapd_flags"
fi
name=snmptrapd
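Review bot: The new rc.conf comment at the top of this hunk tells the administrator only that configuration files must be readable by the snmpd user. Once `snmptrapd_sugid="YES"` is set the daemon does the rest of its work under that account. The comment should therefore also cover what it writes or executes, for example `# Log destinations and any trap handler programs must be usable by the snmpd user as well.` Which paths that means is not visible in this hunk, so the wording should be checked against the shipped snmptrapd.conf. The knob defaults to "NO", so existing installations keep running with full privileges until someone opts in; if that is deliberate for compatibility, one line saying so would help.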
@@ -29,4 +36,13 @@ command=%%PREFIX%%/sbin/${name}
pidfile=/var/run/${name}.pid
load_rc_config ${name}
+
+start_precmd=snmptrapd_precmd
+
+snmptrapd_precmd() {
+ if checkyesno snmptrapd_sugid; then
+ rc_flags="-u snmpd -g snmpd ${rc_flags}"
+ fi
+}
+
run_rc_command "$1"
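Review bot: snmptrapd_precmd prepends `-u snmpd -g snmpd` to rc_flags, so any `-u` or `-g` already present in snmptrapd_flags ends up later on the command line. If the daemon honours the last occurrence (not visible here), the account the admin expects from snmptrapd_sugid could be replaced without notice. The function has no comment; I would add `# Prepend the privilege-drop options; a -u/-g given in snmptrapd_flags follows them on the command line.` above the `if`. The account name snmpd is hard-coded for both user and group, and the hunk does not show where that account is created. A missing account would surface only as a failed daemon start, which is worth a note in the rc.conf comment or a check in the precmd.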