Date: Thu, 20 Jun 2024 15:14:06 GMT
Message-Id: <202406201514.45KFE6B5095963@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Mark Johnston
Subject: git: 2fe130f50f27 - main - net-mgmt/net-snmp: Make snmpd and snmptrapd drop privileges by default
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
X-Git-Committer: markj
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Commit: 2fe130f50f2756a3e31af2badd38a4c1746166d7

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/ports/commit/?id=2fe130f50f2756a3e31af2badd38a4c1746166d7

commit 2fe130f50f2756a3e31af2badd38a4c1746166d7
Author:     Mark Johnston
AuthorDate: 2024-06-11 15:39:25 +0000
Commit:     Mark Johnston
CommitDate: 2024-06-20 15:06:45 +0000

    net-mgmt/net-snmp: Make snmpd and snmptrapd drop privileges by default

    Now that we have a better idea of what problems can arise with this change,
    let's try again, this time providing better documentation and some
    troubleshooting steps.

    Approved by:    zi
    Sponsored by:   Klara, Inc.
    Sponsored by:   Stormshield
---
 UPDATING                             | 14 ++++++++++++++
 net-mgmt/net-snmp/Makefile           |  2 +-
 net-mgmt/net-snmp/files/snmpd.in     | 17 ++++++++++++-----
 net-mgmt/net-snmp/files/snmptrapd.in | 10 +++++-----
 4 files changed, 32 insertions(+), 11 deletions(-)

diff --git a/UPDATING b/UPDATING
index e5c1d67e5baf..cd95246f6aa0 100644
--- a/UPDATING
+++ b/UPDATING
@@ -5,6 +5,20 @@ they are unavoidable. You should get into the habit of checking this file for changes each time you update your ports collection, before attempting any port upgrades. +20240620: + AFFECTS: net-mgmt/net-snmp + AUTHOR: markj@FreeBSD.org + + The snmpd and snmptrapd daemons now drop privileges by default when started + using the rc scripts provided in the package. Make sure that snmpd + configuration in /usr/local/share/snmp is readable by the "snmpd" user. If + you have defined extension scripts in snmpd.conf, make sure that they can be + executed by an unprivileged user. To revert to the old behavior of always + running as root, set snmpd_sugid="NO" or snmptrapd_sugid="NO" in /etc/rc.conf. + + See the snmpd rc script for a hint on how to debug any permission problems + that might arise as a result of this change. + 20240615: AFFECTS: mail/cyrus-imapd25 AUTHOR: ume@FreeBSD.org diff --git a/net-mgmt/net-snmp/Makefile b/net-mgmt/net-snmp/Makefile index 305576e6cbd5..51b905b330b2 100644 --- a/net-mgmt/net-snmp/Makefile +++ b/net-mgmt/net-snmp/Makefile @@ -1,7 +1,7 @@ PORTNAME= snmp PORTVERSION= 5.9.4 PORTEPOCH= 1 -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= net-mgmt MASTER_SITES= SF/net-${PORTNAME}/net-${PORTNAME}/${PORTVERSION} \ ZI diff --git a/net-mgmt/net-snmp/files/snmpd.in b/net-mgmt/net-snmp/files/snmpd.in index 6e89d9cb1c5b..575086a381cd 100644 --- a/net-mgmt/net-snmp/files/snmpd.in +++ b/net-mgmt/net-snmp/files/snmpd.in 
@@ -9,11 +9,18 @@ # snmpd_flags="" # snmpd_conffile="" # -# Add the following line to make snmpd drop privileges after initialization. -# This might invalidate existing SNMPv3 users. Make sure that configuration -# files are readable by the snmpd user. +# Add the following line to make snmpd run as root. By default it drops +# privileges after initialization, but some configurations may require +# root privileges. In particular, extension scripts may need to be run as root. # -# snmpd_sugid="YES" +# snmpd_sugid="NO" +# +# To troubleshoot permission errors, it may be useful to run snmpd with the +# following option in rc.conf: +# +# snmpd_prepend="ktrace -i -f /tmp/snmpd_ktrace.out" +# +# The resulting trace can be inspected with "kdump -f /tmp/snmpd_ktrace.out". # . /etc/rc.subr @@ -25,7 +32,7 @@ load_rc_config snmpd snmpd_enable=${snmpd_enable:-"NO"} snmpd_flush_cache=${snmpd_flush_cache-"NO"} -snmpd_sugid=${snmpd_sugid:-"NO"} +snmpd_sugid=${snmpd_sugid:-"YES"} pidfile=${snmpd_pidfile:-"/var/run/net_snmpd.pid"} diff --git a/net-mgmt/net-snmp/files/snmptrapd.in b/net-mgmt/net-snmp/files/snmptrapd.in index 43008b9ae509..6c7bc93a2a03 100644 --- a/net-mgmt/net-snmp/files/snmptrapd.in +++ b/net-mgmt/net-snmp/files/snmptrapd.in @@ -7,16 +7,16 @@ # # snmptrapd_enable="YES" # -# Add the following line to make snmptrapd drop privileges after -# initialization. Make sure that configuration files are readable by the snmpd -# user. +# Add the following line to make snmptrapd run as root. By default it drops +# privileges after initialization, but some configurations may require root +# privileges. # -# snmptrapd_sugid="YES" +# snmptrapd_sugid="NO" # snmptrapd_enable=${snmptrapd_enable-"NO"} snmptrapd_flags=${snmptrapd_flags-"-p /var/run/snmptrapd.pid"} -snmptrapd_sugid=${snmptrapd_sugid-"NO"} +snmptrapd_sugid=${snmptrapd_sugid-"YES"} . /etc/rc.subr
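Review bot: In the UPDATING hunk (20240620 entry), the SNMPv3 caveat that the old snmpd.in comment carried ("This might invalidate existing SNMPv3 users") is removed from the rc script in this same commit but not carried into the entry; an operator upgrading with USM users configured gets no warning. Either add a sentence to the entry saying what happens to existing SNMPv3 users when snmpd no longer runs as root, or state why the caveat no longer applies. Two smaller points on the same paragraph: the rc script honours snmpd_conffile, so the readability advice should cover "the configuration files snmpd reads (snmpd_conffile if you set it)" rather than only /usr/local/share/snmp, and a one-line check would save readers a round trip through ktrace, e.g. `su -m snmpd -c 'cat /usr/local/share/snmp/snmpd.conf'` for the config and `su -m snmpd -c /path/to/extension-script` for each extend/exec entry.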
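Review bot: In the snmpd.in comment hunk, the suggested trace file `snmpd_prepend="ktrace -i -f /tmp/snmpd_ktrace.out"` is a fixed, predictable name in a world-writable directory, and the resulting trace records syscall arguments and I/O data, so it will contain whatever snmpd reads from its configuration, including community strings and SNMPv3 credentials, plus the output of every extension script because `-i` follows the children. Suggest pointing the hint at a directory only root can write to (for example under /var/log or /root), mentioning that `-i` is what makes the extension scripts show up in the trace, and adding a reminder to delete the trace once the permission problem is found. It would also help to say what to look for in the kdump output (failed open(2)/execve(2) calls returning EACCES), since that is the whole point of the exercise.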
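Review bot: In the snmptrapd.in hunk, the default is applied with `snmptrapd_sugid=${snmptrapd_sugid-"YES"}` while snmpd.in uses `snmpd_sugid=${snmpd_sugid:-"YES"}`; with the `-` form an rc.conf line `snmptrapd_sugid=""` leaves the variable empty instead of falling back to YES, so the two scripts react differently to the same input. Use `:-` in both (the same `-` vs `:-` split already exists between snmptrapd_enable/snmptrapd_flags and the snmpd.in defaults, so this is a good moment to make the snmptrapd script consistent). Also, the removed line "Make sure that configuration files are readable by the snmpd user" is not carried into the new comment, and the UPDATING entry only names snmpd's configuration; restore that sentence for snmptrapd and mirror the ktrace troubleshooting hint with `snmptrapd_prepend=...`, since rc.subr honours ${name}_prepend for this script as well.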