From: Willem Jan Withagen
Date: Fri, 02 May 2014 13:58:16 +0200
To: Dag-Erling Smørgrav, Matthew Seaman
Cc: Corey Smith, freebsd-security@freebsd.org, d@delphij.net
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:07.devfs
Message-ID: <53638858.2010109@digiware.nl>
In-Reply-To: <86tx98ijls.fsf@nine.des.no>
References: <536147DE.5030703@delphij.net> <53614D16.9060206@FreeBSD.org> <86tx98ijls.fsf@nine.des.no>
On 2-5-2014 12:02, Dag-Erling Smørgrav wrote:
> Matthew Seaman writes:
>> You can start snmpd with the '-r' flag which means it will at least run
>> without needing access to /dev/mem or anything else privileged, but at
>> the cost of reduced functionality. For instance the 'proc foo' test to
>> check on the presence of a foo process doesn't work. Quite why that
>> should need rootly privilege I do not know: it's effectively the same as
>> grepping the output of 'ps -acx'.
>
> It probably uses libkvm instead of the newer libprocstat, which does not
> require access to /dev/mem. The only reason you'd ever want to use
> libkvm is if you want to be able to operate on kernel dumps.

Opening and ripping all kvm out of net-snmp is going to be a nice challenge...
I've fixed things a few times in the past, but the code is loaded with #ifdef
stuff because it needs to cater to all flavors of OSes it wants to be available on.

But even then, reducing its privileges after starting will also hamper any
perl plugin that requires anything more than just the basic rights. So you'd be
running into access problems in other places as well. Sometimes you can fix
those with either changed access rights or sudo. But I would not be surprised
if not everything is going to be smooth sailing...

--WjW