From owner-freebsd-security@FreeBSD.ORG Wed Apr 30 19:21:26 2014
Message-ID: <53614D16.9060206@FreeBSD.org>
Date: Wed, 30 Apr 2014 20:20:54 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: d@delphij.net, Corey Smith, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:07.devfs
References: <536147DE.5030703@delphij.net>
In-Reply-To: <536147DE.5030703@delphij.net>
On 30/04/2014 19:58, Xin Li wrote:
> On 04/30/14 11:51, Corey Smith wrote:
>>> It would be interesting to find out if we could teach net-snmpd
>>> to use alternative methods to access data it needs
>
>> It is not necessary if you build net-mgmt/net-snmp with the
>> UNPRIVILEGED knob set.
>
> Will there be any lost functionality with that knob set? (I don't use
> net-snmp myself.) If there is no lost functionality, I think it's
> sensible to hard wire that option -- giving access to /dev/[k]mem
> makes me feel quite nervous, especially for network facing daemons...

Yeah. net-snmp is not something to expose to the internet in general.
Private networks only is my rule.

You can start snmpd with the '-r' flag, which means it will at least run
without needing access to /dev/mem or anything else privileged, but at
the cost of reduced functionality. For instance, the 'proc foo' test to
check on the presence of a foo process doesn't work. Quite why that
should need rootly privilege I do not know: it's effectively the same as
grepping the output of 'ps -acx'.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
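An added example, not part of the thread or of net-snmp itself: the 'proc NAME' test that stops working under 'snmpd -r' can be done from the 'ps -acx' listing Matthew mentions, with no access to /dev/mem, and the same script checks whether the snmpd flags actually include '-r'. The 'proc NAME MAX MIN' bounds semantics and the sample ps output are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from net-snmp): an unprivileged
# stand-in for net-snmp's 'proc NAME [MAX [MIN]]' check built on the
# 'ps -acx' output, plus a check that snmpd is started with -r.
# Assumed proc semantics: fail if count < MIN, or if MAX > 0 and count > MAX;
# with no bounds given, at least one process must be running.

# Count processes whose command name equals $2 in the ps listing given as $1.
# FreeBSD 'ps -acx' prints: PID TT STAT TIME COMMAND (command name only).
count_procs() {
    printf '%s\n' "$1" |
        awk -v name="$2" 'NR > 1 && $5 == name { c++ } END { print c + 0 }'
}

# proc_check PS_OUTPUT NAME [MAX [MIN]]: return 0 when the count is in bounds.
proc_check() {
    _ps=$1; _name=$2; _max=${3:-0}; _min=${4:-1}
    _n=$(count_procs "$_ps" "$_name")
    [ "$_n" -ge "$_min" ] || return 1
    if [ "$_max" -gt 0 ] && [ "$_n" -gt "$_max" ]; then return 1; fi
    return 0
}

# Return 0 when the snmpd flag string contains -r (run without root privilege).
snmpd_runs_unprivileged() {
    for _f in $1; do
        [ "$_f" = "-r" ] && return 0
    done
    return 1
}

# Constructed sample 'ps -acx' output so the script runs stand-alone.
SAMPLE_PS='  PID TT  STAT    TIME COMMAND
  648  -  Ss   0:00.03 syslogd
  901  -  Is   0:01.12 sshd
  940  -  Ss   0:05.40 snmpd
  955  -  Ss   0:00.20 ntpd
 1203  0  S+   0:00.01 sh'

# Stand-alone run over the constructed sample (replace with "$(ps -acx)" on a host).
for _p in snmpd ntpd httpd; do
    if proc_check "$SAMPLE_PS" "$_p"; then echo "proc $_p: ok"; else echo "proc $_p: MISSING"; fi
done
if snmpd_runs_unprivileged "-r -p /var/run/snmpd.pid"; then echo "snmpd: -r set"; fi
```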