2008-12-07 8:04
With a grsec-patched kernel, only members of a specific group (here gid 112) are allowed to access /proc, but adding the snmp user to that group is not enough, because snmpd does not install the supplementary groups of the user it runs as. You can use the -g flag, but that only changes the primary group; snmpd still does not pick up the user's supplementary groups.
For instance, without setting the -g flag:
Gid: 0 0 0 0
Groups: 0
With -g 112:
Uid: 118 118 118 118
Gid: 112 112 112 112
Groups: 112
I wrote this quick & dirty little patch to enable correct group attribution:
--- snmpd-orig/agent/snmpd.c 2007-07-19 23:01:43.000000000 +0200
+++ snmpd-patch/agent/snmpd.c 2008-11-17 15:02:04.000000000 +0100
@@ -960,7 +960,7 @@
DEBUGMSGTL(("snmpd/main", "Changing gid to %d.\n", gid));
if (setgid(gid) == -1
#ifdef HAVE_SETGROUPS
- || setgroups(1, (gid_t *)&gid) == -1
+ || initgroups(getpwuid(uid)->pw_name, gid) == -1
#endif
) {
snmp_log_perror("setgid failed");
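Review bot: the `+` line dereferences `getpwuid(uid)` without a NULL check, and `uid` is only assigned from NETSNMP_DS_AGENT_USERID in the HAVE_SETUID block that follows this one (`if ((uid = netsnmp_ds_get_int(...`), so at this point the lookup uses whatever `uid` held before the -u option is read. Suggest determining the user id first, then doing one checked lookup, e.g. `struct passwd *pw = getpwuid(uid); if (pw == NULL || initgroups(pw->pw_name, gid) == -1)`, so a missing passwd entry takes the existing `setgid failed` path instead of crashing the agent.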
@@ -970,6 +970,14 @@
}
}
}
+ else if(initgroups(getpwuid(uid)->pw_name, getpwuid(uid)->pw_gid) == -1)
+ {
+ snmp_log_perror("initgroups failed");
+ if (!netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID,
+ NETSNMP_DS_AGENT_NO_ROOT_ACCESS)) {
+ exit(1);
+ }
+ }
#endif
#ifdef HAVE_SETUID
if ((uid = netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID,
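Review bot: the new `else if` branch calls `getpwuid(uid)` twice and dereferences both results unchecked, and, as in the previous hunk, it runs before `uid` is read from NETSNMP_DS_AGENT_USERID on the following context line, so when no -g is given the groups installed are those of whichever user `uid` currently names rather than the -u user. Suggest a single lookup into a checked local (`struct passwd *pw = getpwuid(uid); if (pw == NULL || initgroups(pw->pw_name, pw->pw_gid) == -1)`) placed after the uid has been determined but before setuid(), since initgroups() needs root. Minor style: `else if(` should be `else if (` and the brace on its own line differs from the K&R style of the surrounding code.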
Now I do have:
Uid: 118 118 118 118
Gid: 112 112 112 112
Groups: 112 65534
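For readers who want the same fix in a daemon of their own, the following is an added example written for this post; it is not code from the post or from net-snmp. It shows the privilege-drop order that keeps supplementary groups (initgroups() before setgid() before setuid()), checks the getpwnam() result instead of dereferencing it blindly, and adds two checks a practitioner would want afterwards: one on the running process's own group list and one that parses the Groups: line from /proc/<pid>/status, as shown in the post. The function names (drop_privileges, has_supplementary_group, status_groups_line_has_gid), the user name "snmp" and the gid 112 in the usage comment are assumptions taken from or modelled on the post; the drop itself only works when started as root.

```c
/* Added example, not part of the original post or of net-snmp.
 * Drop root to an unprivileged user while keeping that user's supplementary
 * groups (what setgroups(1, &gid) throws away), then verify the result. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* initgroups() is a BSD/XSI extension; declare it explicitly so the example
 * compiles even under strict feature-test settings (assumption: glibc). */
extern int initgroups(const char *user, gid_t group);

/* Drop from root to `user`. If override_gid is non-zero it replaces the
 * user's primary group (the effect of snmpd's -g), but the supplementary
 * groups still come from initgroups(). Returns 0 on success, -1 on error
 * with errno set. Never dereferences a NULL passwd entry. */
int drop_privileges(const char *user, gid_t override_gid)
{
    errno = 0;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        if (errno == 0)
            errno = ENOENT;          /* no such user */
        return -1;
    }
    gid_t gid = override_gid != 0 ? override_gid : pw->pw_gid;

    /* Order matters: groups first (needs root), then gid, then uid. */
    if (initgroups(pw->pw_name, gid) == -1)
        return -1;
    if (setgid(gid) == -1)
        return -1;
    if (setuid(pw->pw_uid) == -1)
        return -1;
    /* Confirm the drop cannot be undone. */
    if (pw->pw_uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Does the calling process hold `wanted` as a supplementary group?
 * Runtime equivalent of the Groups: line in /proc/self/status.
 * Returns 1 if present, 0 if not, -1 on error. */
int has_supplementary_group(gid_t wanted)
{
    int n = getgroups(0, NULL);
    if (n < 0)
        return -1;
    gid_t *list = calloc((size_t)n + 1, sizeof *list);
    if (list == NULL)
        return -1;
    n = getgroups(n + 1, list);
    int found = 0;
    for (int i = 0; i < n; i++)
        if (list[i] == wanted)
            found = 1;
    free(list);
    return n < 0 ? -1 : found;
}

/* Parse one "Groups:" line from /proc/<pid>/status (e.g. "Groups: 112 65534")
 * and report whether `wanted` is listed: 1 yes, 0 no, -1 if the line is not
 * a Groups: line. Lets an operator check a running daemon from outside. */
int status_groups_line_has_gid(const char *line, gid_t wanted)
{
    const char *p = line;
    if (strncmp(p, "Groups:", 7) != 0)
        return -1;
    p += 7;
    while (*p != '\0') {
        char *end;
        unsigned long g = strtoul(p, &end, 10); /* skips leading blanks */
        if (end == p)                           /* no more numbers */
            break;
        if ((gid_t)g == wanted)
            return 1;
        p = end;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Usage (as root), mirroring the post's setup: ./drop snmp 112 */
    if (argc < 2) {
        fprintf(stderr, "usage: %s user [gid]\n", argv[0]);
        return 2;
    }
    gid_t g = argc > 2 ? (gid_t)strtoul(argv[2], NULL, 10) : 0;
    if (drop_privileges(argv[1], g) == -1) {
        perror("drop_privileges");
        return 1;
    }
    printf("uid=%u gid=%u supplementary group %u present: %d\n",
           (unsigned)getuid(), (unsigned)getgid(), (unsigned)g,
           has_supplementary_group(g));
    return 0;
}
```

After running it as root with the user and gid from the post, the Groups: line of the new process should list both the -g group and the user's own groups, which is exactly what the patched snmpd shows above; a missing group there means initgroups() ran after the uid change or was skipped.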