Date:      Thu, 20 Jun 2024 15:14:04 GMT
From:      Mark Johnston <markj@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: 7fd34a3d5d75 - main - net-mgmt/net-snmp: Provide an option for snmptrapd to drop privs
Message-ID:  <202406201514.45KFE4WK095861@gitrepo.freebsd.org>

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7fd34a3d5d75d6f68a2e71518e7f2150f8819532

commit 7fd34a3d5d75d6f68a2e71518e7f2150f8819532
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-06-11 15:06:16 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-06-20 15:06:18 +0000

    net-mgmt/net-snmp: Provide an option for snmptrapd to drop privs
    
    As with snmpd, we can run snmptrapd with reduced privileges, which is
    certainly desirable since snmptrapd's main function is to receive SNMP
    traps and log them somewhere.
    
    Approved by:    zi
    Sponsored by:   Klara, Inc.
    Sponsored by:   Stormshield
---
 net-mgmt/net-snmp/files/snmptrapd.in | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/net-mgmt/net-snmp/files/snmptrapd.in b/net-mgmt/net-snmp/files/snmptrapd.in
index e2a6e01b0da1..43008b9ae509 100644
--- a/net-mgmt/net-snmp/files/snmptrapd.in
+++ b/net-mgmt/net-snmp/files/snmptrapd.in
@@ -7,19 +7,26 @@
 #
 # snmptrapd_enable="YES"
 #
+# Add the following line to make snmptrapd drop privileges after
+# initialization.  Make sure that configuration files are readable by the snmpd
+# user.
+#
+# snmptrapd_sugid="YES"
+#
 
 snmptrapd_enable=${snmptrapd_enable-"NO"}
 snmptrapd_flags=${snmptrapd_flags-"-p /var/run/snmptrapd.pid"}
+snmptrapd_sugid=${snmptrapd_sugid-"NO"}
 
 . /etc/rc.subr
 
 load_rc_config net_snmptrapd
 
 if [ ! -z "$net_snmptrapd_enable" ]; then
-    echo "Warning: \$net_snmptrapd_enable is obsoleted."
-    echo "         Use \$snmptrapd_enable instead."
-    snmptrapd_enable="$net_snmptrapd_enable"
-    [ ! -z "$net_snmptrapd_flags" ] && snmptrapd_flags="$net_snmptrapd_flags"
+	echo "Warning: \$net_snmptrapd_enable is obsolete."
+	echo "         Use \$snmptrapd_enable instead."
+	snmptrapd_enable="$net_snmptrapd_enable"
+	[ ! -z "$net_snmptrapd_flags" ] && snmptrapd_flags="$net_snmptrapd_flags"
 fi
 
 name=snmptrapd
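Review bot: the re-indented compat block (the four `echo`/assignment lines switching from spaces to tabs, plus "obsoleted" becoming "obsolete") is an unrelated whitespace and wording change bundled into the hunk that introduces `snmptrapd_sugid`; splitting it into its own commit would leave this diff showing only the new knob and its comment. On the comment itself, it points the operator at the `snmpd` user without saying that this is because the precmd below hardcodes that account; a sentence such as "snmptrapd is started as the snmpd user and group" next to the `snmptrapd_sugid="YES"` example would make the dependency explicit for anyone reading only the header.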
@@ -29,4 +36,13 @@ command=%%PREFIX%%/sbin/${name}
 pidfile=/var/run/${name}.pid
 
 load_rc_config ${name}
+
+start_precmd=snmptrapd_precmd
+
+snmptrapd_precmd() {
+	if checkyesno snmptrapd_sugid; then
+		rc_flags="-u snmpd -g snmpd ${rc_flags}"
+	fi
+}
+
 run_rc_command "$1"
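Review bot: `snmptrapd_precmd` hardcodes `-u snmpd -g snmpd`, so the rc.conf knob can only switch the privilege drop on or off, and an operator who already passes `-u`/`-g` in `snmptrapd_flags` ends up with both sets on the command line; consider `snmptrapd_user=${snmptrapd_user-snmpd}` and `snmptrapd_group=${snmptrapd_group-snmpd}` defaults next to `snmptrapd_sugid` and interpolate them in `rc_flags` instead. The precmd also assumes the `snmpd` account exists on the host, which holds when this port's snmpd is installed alongside, but nothing in the script verifies it, so with `snmptrapd_sugid="YES"` and no such account the daemon fails at startup; an `id "${snmptrapd_user}"` check inside the `checkyesno` branch that returns non-zero with a clear warning would make that failure mode explicit. Prepending to `rc_flags` in a `start_precmd` is the right hook here, since rc.subr has already copied `snmptrapd_flags` into `rc_flags` by the time the precmd runs.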
