Hi list,

We have a small issue with the snmpd daemon in OpenBSD. If people use SNMPv2c, they should explicitly set the "read-write" community name to some [probably randomly generated] string, because otherwise everybody is able to alter the values of some SNMP nodes (the default value for the read-write community is "private", which is probably not very secure).
Attached is a patch that adds a new configuration file parameter, "nowrite", with the values "yes" and "no", which disallows any write attempt to any SNMP node regardless of the specified read-write community string.

    $ snmpset -c private -v2c 127.0.0.1 system.sysContact.0 s SOME_CRAP
    Error in packet.
    Reason: (readOnly) The two parties used do not have access to use the specified SNMP PDU.
    Failed object: SNMPv2-MIB::sysContact.0

Hope you will find it useful.

// Ilya
Index: parse.y =================================================================== RCS file: /cvs/src/usr.sbin/snmpd/parse.y,v retrieving revision 1.23 diff -u -r1.23 parse.y --- parse.y 17 Sep 2012 19:00:06 -0000 1.23 +++ parse.y 2 Feb 2013 11:34:01 -0000 @@ -117,7 +117,7 @@ %token LISTEN ON %token SYSTEM CONTACT DESCR LOCATION NAME OBJECTID SERVICES RTFILTER %token READONLY READWRITE OCTETSTRING INTEGER COMMUNITY TRAP RECEIVER -%token SECLEVEL NONE AUTH ENC USER AUTHKEY ENCKEY ERROR +%token SECLEVEL NONE AUTH ENC USER AUTHKEY ENCKEY ERROR NOWRITE %token <v.string> STRING %token <v.number> NUMBER %type <v.string> hostcmn @@ -244,6 +244,12 @@ | SECLEVEL seclevel { conf->sc_min_seclevel = $2; } + | NOWRITE yesno { + if ($2 == 1) + conf->nowrite = 1; + else + conf->nowrite = 0; + } | USER STRING { const char *errstr; user = usm_newuser($2, &errstr); @@ -493,6 +499,7 @@ { "location", LOCATION }, { "name", NAME }, { "none", NONE }, + { "nowrite", NOWRITE }, { "oid", OBJECTID }, { "on", ON }, { "read-only", READONLY }, Index: snmpd.conf.5 =================================================================== RCS file: /cvs/src/usr.sbin/snmpd/snmpd.conf.5,v retrieving revision 1.21 diff -u -r1.21 snmpd.conf.5 --- snmpd.conf.5 18 Sep 2012 10:03:45 -0000 1.21 +++ snmpd.conf.5 2 Feb 2013 11:34:01 -0000 @@ -95,6 +95,14 @@ .Ar private . .Pp .It Xo +.Ic nowrite +.Pq Ic yes \*(Ba\ no +.Xc +If set to +.Ic yes , +disallow any SNMP write requests, regardless of read-write community. +.Pp +.It Xo .Ic filter-routes .Pq Ic yes \*(Ba\ no .Xc Index: snmpd.h =================================================================== RCS file: /cvs/src/usr.sbin/snmpd/snmpd.h,v retrieving revision 1.39 diff -u -r1.39 snmpd.h --- snmpd.h 1 Oct 2012 11:36:55 -0000 1.39 +++ snmpd.h 2 Feb 2013 11:34:02 -0000 
@@ -420,6 +420,7 @@ int sc_rtfilter; int sc_min_seclevel; + int nowrite; }; /* control.c */ Index: snmpe.c =================================================================== RCS file: /cvs/src/usr.sbin/snmpd/snmpe.c,v retrieving revision 1.32 diff -u -r1.32 snmpe.c --- snmpe.c 29 Nov 2012 14:53:24 -0000 1.32 +++ snmpe.c 2 Feb 2013 11:34:02 -0000 @@ -697,7 +697,7 @@ ber_free_elements(c); goto varfail; case SNMP_C_SETREQ: - if (mps_setreq(b, &o) == 0) + if (env->nowrite == 0 && mps_setreq(b, &o) == 0) break; msg->sm_error = SNMP_ERROR_READONLY; goto varfail;
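Review bot: in the parse.y grammar hunk, the if/else around conf->nowrite in the `NOWRITE yesno` rule is redundant, since yesno already yields 0 or 1; `conf->nowrite = $2;` matches the neighbouring `conf->sc_min_seclevel = $2;` and is easier to read. Unless the field is initialised elsewhere it starts at 0, so the option defaults to "no" and a host that never configured a read-write community still accepts writes with "private"; if the goal is to close that default, consider refusing writes unless a read-write community was explicitly configured, and state the default in the man page either way.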
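Review bot: in the parse.y keyword table hunk, every other multi-word option is spelled with a hyphen ("read-only", "read-write", "filter-routes"), so "nowrite" breaks the file's convention; a name like "no-write" would fit, with the same change applied to the %token name, the man page entry and this table, which should stay in alphabetical order ("no-write" still sorts between "none" and "oid").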
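Review bot: the snmpd.conf.5 hunk should document the observable result rather than only the intent: a SetRequest is answered with a readOnly error (the snmpe.c change sets SNMP_ERROR_READONLY), not silently dropped, and the refusal is not tied to community-based access at all, since the check sits in the generic SNMP_C_SETREQ path, so authenticated SNMPv3 writes are refused as well. "regardless of read-write community" undersells that; something like "refuse all SNMP set requests, whatever the community or user, answering them with a readOnly error" is closer to what the code does.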
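Review bot: in the snmpd.h hunk the new member should carry the sc_ prefix of its neighbours (sc_rtfilter, sc_min_seclevel), i.e. `int sc_nowrite;`, with the parse.y assignment and the snmpe.c test renamed to match.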
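Review bot: in the snmpe.c hunk the gate is in the right place, the `env->nowrite == 0 &&` short-circuit means mps_setreq() is never called and no object is touched, but the status it reuses, SNMP_ERROR_READONLY, is the SNMPv1 readOnly(4) code that SNMPv2 (RFC 3416) keeps only for proxy compatibility; a deliberate policy refusal would normally be reported as notWritable(17) or authorizationError(16) to an SNMPv2c/v3 manager. Reusing readOnly is consistent with the existing failure path one line below, so if it stays, the man page should say which error a manager will see. Note also that the request has already passed community (or USM) authentication by this point, so nowrite limits what a leaked or default community can change but does not hide the agent from it.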
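As an added example, not code from the original post or from OpenBSD snmpd: the exchange behind the snmpset transcript in the message, with the manager's SNMPv2c SetRequest built by hand and a toy agent that applies the same gate the snmpe.c hunk adds (nowrite set: answer readOnly(4) and touch nothing; nowrite clear: apply the write). The request-id, the community strings, the sample sysContact value, the ToyAgent class and its atomic-set/notWritable handling are assumptions made for the demonstration, not snmpd behaviour.

```python
# Added example for this thread, not code from the original post or from OpenBSD snmpd.
# Hand-rolled BER for the SNMPv2c message shapes used here (RFC 3416/3417); the
# request-id, community strings, sample sysContact value and ToyAgent are assumptions.

SNMP_V2C = 1
TAG_INT, TAG_OCTETS, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x06, 0x30
TAG_GETRESP, TAG_SETREQ = 0xA2, 0xA3
ERR_NOERROR, ERR_READONLY, ERR_NOTWRITABLE = 0, 4, 17   # SNMPv2 error-status values

def ber_len(n: int) -> bytes:
    """Definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(n: int) -> bytes:
    """INTEGER, two's complement, minimal-length body."""
    return tlv(TAG_INT, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(TAG_OID, bytes(out))

def decode_oid(body: bytes) -> str:
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def ber_read(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV at pos; single-byte tags only."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def ber_items(body: bytes):
    """Yield (tag, body) for each TLV directly inside a constructed body."""
    pos = 0
    while pos < len(body):
        tag, inner, pos = ber_read(body, pos)
        yield tag, inner

def set_request(community: str, oid: str, value: str, request_id: int = 42) -> bytes:
    """Manager side: what `snmpset -c <community> -v2c <host> <oid> s <value>` sends."""
    varbind = tlv(TAG_SEQ, ber_oid(oid) + tlv(TAG_OCTETS, value.encode()))
    pdu = tlv(TAG_SETREQ, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(TAG_SEQ, varbind))
    return tlv(TAG_SEQ, ber_int(SNMP_V2C) + tlv(TAG_OCTETS, community.encode()) + pdu)

class ToyAgent:
    """Agent side. The gate mirrors the patched snmpe.c: with nowrite set every
    SetRequest is answered with error-status readOnly(4), even when the read-write
    community matches, and nothing is written."""

    def __init__(self, rw_community: str = "private", nowrite: bool = False):
        self.rw_community, self.nowrite = rw_community, nowrite
        self.mib = {"1.3.6.1.2.1.1.4.0": b"admin@example.org"}  # sysContact.0, sample value

    def handle(self, msg: bytes):
        """Return (error_status, error_index, response bytes), or None when the PDU
        is not a SetRequest or the community does not match (modelled as a drop)."""
        _, body, _ = ber_read(msg)
        (_, _), (_, community), (pdu_tag, pdu) = ber_items(body)
        if pdu_tag != TAG_SETREQ or community != self.rw_community.encode():
            return None
        (_, rid), _, _, (_, vbl) = ber_items(pdu)
        bindings = [tuple(ber_items(vb)) for _, vb in ber_items(vbl)]
        names = [decode_oid(oid) for (_, oid), _ in bindings]
        status, index = ERR_NOERROR, 0
        if self.nowrite:                       # env->nowrite short-circuits mps_setreq()
            status, index = ERR_READONLY, 1
        elif any(n not in self.mib for n in names):
            status = ERR_NOTWRITABLE           # a set is atomic: one bad name fails the PDU
            index = 1 + next(i for i, n in enumerate(names) if n not in self.mib)
        else:
            for name, (_, (_, val)) in zip(names, bindings):
                self.mib[name] = bytes(val)
        pdu = tlv(TAG_GETRESP, tlv(TAG_INT, rid) + ber_int(status) + ber_int(index) + tlv(TAG_SEQ, vbl))
        return status, index, tlv(TAG_SEQ, ber_int(SNMP_V2C) + tlv(TAG_OCTETS, community) + pdu)

if __name__ == "__main__":
    req = set_request("private", "1.3.6.1.2.1.1.4.0", "SOME_CRAP")
    for nowrite in (False, True):
        status, index, _ = ToyAgent(nowrite=nowrite).handle(req)
        print(f"nowrite={nowrite}: error-status={status} error-index={index}")
```

Run directly it shows both outcomes for the same request: with nowrite clear the agent answers noError and sysContact.0 now reads SOME_CRAP; with nowrite set it answers error-status 4, which is what net-snmp's snmpset renders as "Reason: (readOnly)". As in the patch, the refusal happens only after the community check has passed, so nowrite does not hide the agent from anyone holding the community string; what it removes is the ability of a leaked or default "private" string to change anything.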