git: 2fe130f50f27 - main - net-mgmt/net-snmp: Make snmpd and snmptrapd drop privileges by default
Date: Thu, 20 Jun 2024 15:14:06 UTC
The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/ports/commit/?id=2fe130f50f2756a3e31af2badd38a4c1746166d7 commit 2fe130f50f2756a3e31af2badd38a4c1746166d7 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2024-06-11 15:39:25 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2024-06-20 15:06:45 +0000 net-mgmt/net-snmp: Make snmpd and snmptrapd drop privileges by default Now that we have a better idea of what problems can arise with this change, let's try again, this time providing better documentation and some troubleshooting steps. Approved by: zi Sponsored by: Klara, Inc. Sponsored by: Stormshield --- UPDATING | 14 ++++++++++++++ net-mgmt/net-snmp/Makefile | 2 +- net-mgmt/net-snmp/files/snmpd.in | 17 ++++++++++++----- net-mgmt/net-snmp/files/snmptrapd.in | 10 +++++----- 4 files changed, 32 insertions(+), 11 deletions(-) diff --git a/UPDATING b/UPDATING index e5c1d67e5baf..cd95246f6aa0 100644 --- a/UPDATING +++ b/UPDATING @@ -5,6 +5,20 @@ they are unavoidable. You should get into the habit of checking this file for changes each time you update your ports collection, before attempting any port upgrades. +20240620: + AFFECTS: net-mgmt/net-snmp + AUTHOR: markj@FreeBSD.org + + The snmpd and snmptrapd daemons now drop privileges by default when started + using the rc scripts provided in the package. Make sure that snmpd + configuration in /usr/local/share/snmp is readable by the "snmpd" user. If + you have defined extension scripts in snmpd.conf, make sure that they can be + executed by an unprivileged user. To revert to the old behavior of always + running as root, set snmpd_sugid="NO" or snmptrapd_sugid="NO" in /etc/rc.conf. + + See the snmpd rc script for a hint on how to debug any permission problems + that might arise as a result of this change. + 20240615: AFFECTS: mail/cyrus-imapd25 AUTHOR: ume@FreeBSD.org diff --git a/net-mgmt/net-snmp/Makefile b/net-mgmt/net-snmp/Makefile index 305576e6cbd5..51b905b330b2 100644 
--- a/net-mgmt/net-snmp/Makefile
+++ b/net-mgmt/net-snmp/Makefile
@@ -1,7 +1,7 @@
 PORTNAME= snmp
 PORTVERSION= 5.9.4
 PORTEPOCH= 1
-PORTREVISION= 3
+PORTREVISION= 4
 CATEGORIES= net-mgmt
 MASTER_SITES= SF/net-${PORTNAME}/net-${PORTNAME}/${PORTVERSION} \
 ZI
diff --git a/net-mgmt/net-snmp/files/snmpd.in b/net-mgmt/net-snmp/files/snmpd.in
index 6e89d9cb1c5b..575086a381cd 100644
--- a/net-mgmt/net-snmp/files/snmpd.in
+++ b/net-mgmt/net-snmp/files/snmpd.in
@@ -9,11 +9,18 @@
 # snmpd_flags="<set as needed>"
 # snmpd_conffile="<set as needed>"
 #
-# Add the following line to make snmpd drop privileges after initialization.
-# This might invalidate existing SNMPv3 users. Make sure that configuration
-# files are readable by the snmpd user.
+# Add the following line to make snmpd run as root. By default it drops
+# privileges after initialization, but some configurations may require
+# root privileges. In particular, extension scripts may need to be run as root.
 #
-# snmpd_sugid="YES"
+# snmpd_sugid="NO"
+#
+# To troubleshoot permission errors, it may be useful to run snmpd with the
+# following option in rc.conf:
+#
+# snmpd_prepend="ktrace -i -f /tmp/snmpd_ktrace.out"
+#
+# The resulting trace can be inspected with "kdump -f /tmp/snmpd_ktrace.out".
 #
 
 . /etc/rc.subr
@@ -25,7 +32,7 @@ load_rc_config snmpd
 
 snmpd_enable=${snmpd_enable:-"NO"}
 snmpd_flush_cache=${snmpd_flush_cache-"NO"}
-snmpd_sugid=${snmpd_sugid:-"NO"}
+snmpd_sugid=${snmpd_sugid:-"YES"}
 
 pidfile=${snmpd_pidfile:-"/var/run/net_snmpd.pid"}
 
diff --git a/net-mgmt/net-snmp/files/snmptrapd.in b/net-mgmt/net-snmp/files/snmptrapd.in
index 43008b9ae509..6c7bc93a2a03 100644
--- a/net-mgmt/net-snmp/files/snmptrapd.in
+++ b/net-mgmt/net-snmp/files/snmptrapd.in
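Review bot: The troubleshooting hint added to the snmpd.in comment block points `ktrace -i -f` at the fixed path /tmp/snmpd_ktrace.out, which the rc framework opens as root inside a world-writable directory: a pre-existing file or symlink of that name placed by another local user would be followed, and the trace file is created with ktrace's default mode, so it is likely readable by other local users. Because ktrace's default trace points include I/O data, the file is expected to capture what snmpd reads, which in this setup would include snmpd.conf contents such as community strings or SNMPv3 credentials. I would have the example use a root-only location, e.g. `snmpd_prepend="ktrace -i -f /root/snmpd_ktrace.out"` with the matching `kdump -f /root/snmpd_ktrace.out`, and add one comment line saying the trace may contain secrets and should be deleted once debugging is done. Separately, the removed comment warned that dropping privileges "might invalidate existing SNMPv3 users"; if that caveat still holds now that dropping privileges is the default, the new comment or the UPDATING entry should carry it forward rather than drop it.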
@@ -7,16 +7,16 @@
 #
 # snmptrapd_enable="YES"
 #
-# Add the following line to make snmptrapd drop privileges after
-# initialization. Make sure that configuration files are readable by the snmpd
-# user.
+# Add the following line to make snmptrapd run as root. By default it drops
+# privileges after initialization, but some configurations may require root
+# privileges.
 #
-# snmptrapd_sugid="YES"
+# snmptrapd_sugid="NO"
 #
 
 snmptrapd_enable=${snmptrapd_enable-"NO"}
 snmptrapd_flags=${snmptrapd_flags-"-p /var/run/snmptrapd.pid"}
-snmptrapd_sugid=${snmptrapd_sugid-"NO"}
+snmptrapd_sugid=${snmptrapd_sugid-"YES"}
 
 . /etc/rc.subr
 
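Review bot: The new default is applied with two different shell idioms: this hunk keeps `snmptrapd_sugid=${snmptrapd_sugid-"YES"}` while the second snmpd.in hunk uses `snmpd_sugid=${snmpd_sugid:-"YES"}`. With the `-` form an empty `snmptrapd_sugid=""` in rc.conf is preserved instead of replaced, and if the script gates the privilege drop on checkyesno (as rc scripts typically do), a value that is neither yes nor no only produces a warning and evaluates false, so an empty assignment would silently leave snmptrapd running as root despite the drop-privileges default this commit introduces. Since the line is being rewritten anyway, `snmptrapd_sugid=${snmptrapd_sugid:-"YES"}` would make the fail-safe direction match snmpd.in. The rewritten comment also no longer names the unprivileged account the daemon switches to; the removed text said "the snmpd user", which is worth keeping so administrators know which account needs read access to the configuration.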