[Pkg-net-snmp-devel] Bug#441871: snmpd: should really handle the set GID option better and possible security problem

Marc Dequènes mdequenes at proformatique.com
Tue Sep 11 15:48:02 UTC 2007

Package: snmpd
Version: 5.3.1-8
Severity: standard
Tags: security


When you add "-g snmpgroup" option in SNMPDOPTS variable in
'/etc/default/snmpd', the SNMP daemon should switch to this group, but
it only works with numeric IDs. According to the manual page, this is
the correct behavior, even if this is not logical as the "-u" option is
more flexible. Whatever, it should complains in the log loudly and
refuse to run, as it is a security threat to run without administrator's
wanted permissions.

I wonder why the snmpd_set_agent_group function is not used in
agent/snmpd.c (line 580) instead of calling netsnmp_ds_set_int
directly. This function checks for group names and properly advertise in
the logs when the group name or group id is not found.

In the meanwhile, but i may be wrong, it seems the "-u" option only
change the running uid, without changing the gid (around line 972 in
agent/snmpd.c), leaving it to "rrot" if no "-g" option is used. So the
"-u snmp" default in Debian is probably not sufficient to ensure a good
security level.

Could you have a look and tell me your opinion ?

Marc Dequènes
Homepage: http://www.proformatique.com/
Proformatique - 67 rue Voltaire - 92800 Puteaux
Tel. : 01 41 38 99 64 - Fax. : 01 41 38 99 70
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 188 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-net-snmp-devel/attachments/20070911/504b59fd/attachment.pgp 

More information about the Pkg-net-snmp-devel mailing list