FreeBSD Security Advisory FreeBSD-SA-14:07.devfs
Matthew Seaman
matthew at FreeBSD.org
Wed Apr 30 19:21:26 UTC 2014

On 30/04/2014 19:58, Xin Li wrote:
> On 04/30/14 11:51, Corey Smith wrote:
>>> It would be interesting to find out if we could teach net-snmpd
>>> to use alternative methods to access data it needs
>
>> It is not necessary if you build net-mgmt/net-snmp with the
>> UNPRIVILEGED knob set.
>
> Will there be any lost functionality with that knob set? (I don't use
> net-snmp myself) If there is no lost functionality, I think it's
> sensible to hard wire that option -- giving access to /dev/[k]mem
> makes me feel quite nervous, especially for network facing daemons...

Yeah. net-snmp is not something to expose to the internet in general.
Private networks only is my rule.

You can start snmpd with the '-r' flag which means it will at least run
without needing access to /dev/mem or anything else privileged, but at
the cost of reduced functionality. For instance the 'proc foo' test to
check on the presence of a foo process doesn't work. Quite why that
should need rootly privilege I do not know: it's effectively the same as
grepping the output of 'ps -acx'.

Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey