Date: Thu, 20 Jun 2024 15:14:04 GMT
Message-Id: <202406201514.45KFE4WK095861@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Mark Johnston
Subject: git: 7fd34a3d5d75 - main - net-mgmt/net-snmp: Provide an option for snmptrapd to drop privs
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7fd34a3d5d75d6f68a2e71518e7f2150f8819532

commit 7fd34a3d5d75d6f68a2e71518e7f2150f8819532
Author:     Mark Johnston
AuthorDate: 2024-06-11 15:06:16 +0000
Commit:     Mark Johnston
CommitDate: 2024-06-20 15:06:18 +0000

    net-mgmt/net-snmp: Provide an option for snmptrapd to drop privs

    As with snmpd, we can run snmptrapd with reduced privileges, which is
    certainly desirable since snmptrapd's main function is to receive SNMP
    traps and log them somewhere.

    Approved by:    zi
    Sponsored by:   Klara, Inc.
    Sponsored by:   Stormshield
---
 net-mgmt/net-snmp/files/snmptrapd.in | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/net-mgmt/net-snmp/files/snmptrapd.in b/net-mgmt/net-snmp/files/snmptrapd.in
index e2a6e01b0da1..43008b9ae509 100644
--- a/net-mgmt/net-snmp/files/snmptrapd.in
+++ b/net-mgmt/net-snmp/files/snmptrapd.in
@@ -7,19 +7,26 @@ # # snmptrapd_enable="YES" # +# Add the following line to make snmptrapd drop privileges after +# initialization. Make sure that configuration files are readable by the snmpd +# user. +# +# snmptrapd_sugid="YES" +# snmptrapd_enable=${snmptrapd_enable-"NO"} snmptrapd_flags=${snmptrapd_flags-"-p /var/run/snmptrapd.pid"} +snmptrapd_sugid=${snmptrapd_sugid-"NO"} . /etc/rc.subr load_rc_config net_snmptrapd if [ ! -z "$net_snmptrapd_enable" ]; then - echo "Warning: \$net_snmptrapd_enable is obsoleted." - echo " Use \$snmptrapd_enable instead." - snmptrapd_enable="$net_snmptrapd_enable" - [ ! -z "$net_snmptrapd_flags" ] && snmptrapd_flags="$net_snmptrapd_flags" + echo "Warning: \$net_snmptrapd_enable is obsolete." + echo " Use \$snmptrapd_enable instead." + snmptrapd_enable="$net_snmptrapd_enable" + [ ! -z "$net_snmptrapd_flags" ] && snmptrapd_flags="$net_snmptrapd_flags" fi name=snmptrapd @@ -29,4 +36,13 @@ command=%%PREFIX%%/sbin/${name} pidfile=/var/run/${name}.pid load_rc_config ${name} + +start_precmd=snmptrapd_precmd + +snmptrapd_precmd() { + if checkyesno snmptrapd_sugid; then + rc_flags="-u snmpd -g snmpd ${rc_flags}" + fi +} + run_rc_command "$1"
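
Review bot: The new header comment for snmptrapd_sugid (first hunk) only asks that configuration files be readable by the snmpd user, but a daemon that has dropped privileges also has to write as that user. The commit message says snmptrapd's main function is to log traps somewhere, so the comment should also say that log destinations must be writable by snmpd, and it is worth confirming that the pid file from the default flags, "-p /var/run/snmptrapd.pid", is created before the switch. Separately, the re-indentation and the "obsoleted" to "obsolete" wording change in the net_snmptrapd_enable block are unrelated to the feature and would be easier to review as their own commit.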
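
Review bot: In snmptrapd_precmd (second hunk) the account is hardcoded as "-u snmpd -g snmpd", so snmptrapd cannot be given an unprivileged user of its own, separate from the one snmpd runs as, and nothing checks that the snmpd user and group exist before the flags are passed. Consider exposing the user and group as rc.conf settings with snmpd as the default, or at least stating next to snmptrapd_sugid that the account is fixed. The options are also prepended to rc_flags, so anything in snmptrapd_flags follows them on the command line; if an administrator already passes -u or -g there, the outcome depends on how snmptrapd treats repeated options, which should be documented or guarded against.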