diff options
Diffstat (limited to 'net-mgmt/net-snmp/files')
| -rw-r--r-- | net-mgmt/net-snmp/files/net-snmp.conf | 2 | ||||
| -rw-r--r-- | net-mgmt/net-snmp/files/patch-agent_kernel.c | 40 | ||||
| -rw-r--r-- | net-mgmt/net-snmp/files/patch-agent_mibgroup_mibII_ipv6.c | 127 | ||||
| -rw-r--r-- | net-mgmt/net-snmp/files/patch-agent_mibgroup_mibII_tcp.c | 22 | ||||
| -rw-r--r-- | net-mgmt/net-snmp/files/patch-include_net-snmp_system_freebsd15.h | 6 | ||||
| -rw-r--r-- | net-mgmt/net-snmp/files/pkg-message.in | 46 | ||||
| -rw-r--r-- | net-mgmt/net-snmp/files/snmpd.in | 49 | ||||
| -rw-r--r-- | net-mgmt/net-snmp/files/snmptrapd.in | 24 |
8 files changed, 301 insertions, 15 deletions
diff --git a/net-mgmt/net-snmp/files/net-snmp.conf b/net-mgmt/net-snmp/files/net-snmp.conf index 926d513d5c2b..e392ad4c312a 100644 --- a/net-mgmt/net-snmp/files/net-snmp.conf +++ b/net-mgmt/net-snmp/files/net-snmp.conf @@ -3,4 +3,4 @@ # see newsyslog.conf(5) for details # # logfilename [owner:group] mode count size when flags [/pid_file] [sig_num] -/var/log/snmpd.log 644 7 100 * J /var/run/net_snmpd.pid +/var/log/snmpd.log snmpd:snmpd 644 7 100 * J /var/run/net_snmpd.pid diff --git a/net-mgmt/net-snmp/files/patch-agent_kernel.c b/net-mgmt/net-snmp/files/patch-agent_kernel.c new file mode 100644 index 000000000000..133b04bd1824 --- /dev/null +++ b/net-mgmt/net-snmp/files/patch-agent_kernel.c @@ -0,0 +1,40 @@ +--- agent/kernel.c.orig 2023-08-15 20:32:01 UTC ++++ agent/kernel.c +@@ -252,7 +252,37 @@ free_kmem(void) + kmem = -1; + } + } ++#elif defined(__FreeBSD__) ++kvm_t *kd; + ++/** ++ * Initialize the libkvm descriptor. On FreeBSD we can use most of libkvm ++ * without requiring /dev/kmem access. Only kvm_nlist() and kvm_read() need ++ * that, and we don't use them. ++ * ++ * @return TRUE upon success; FALSE upon failure. ++ */ ++int ++init_kmem(const char *file) ++{ ++ char err[4096]; ++ ++ kd = kvm_openfiles(NULL, "/dev/null", NULL, O_RDONLY, err); ++ if (!kd) { ++ snmp_log(LOG_CRIT, "init_kmem: kvm_openfiles failed: %s\n", err); ++ return FALSE; ++ } ++ return TRUE; ++} ++ ++void ++free_kmem(void) ++{ ++ if (kd != NULL) { ++ (void)kvm_close(kd); ++ kd = NULL; ++ } ++} + #else + int + init_kmem(const char *file) diff --git a/net-mgmt/net-snmp/files/patch-agent_mibgroup_mibII_ipv6.c b/net-mgmt/net-snmp/files/patch-agent_mibgroup_mibII_ipv6.c new file mode 100644 index 000000000000..ad4ea51fe56a --- /dev/null +++ b/net-mgmt/net-snmp/files/patch-agent_mibgroup_mibII_ipv6.c @@ -0,0 +1,127 @@ +--- agent/mibgroup/mibII/ipv6.c.orig 2023-08-15 20:32:01 UTC ++++ agent/mibgroup/mibII/ipv6.c +@@ -5,9 +5,6 @@ + + #include <net-snmp/net-snmp-config.h> + #include <net-snmp/net-snmp-features.h> +-/* For FreeBSD */ +-#define _WANT_INPCB 1 +-#define _WANT_TCPCB 1 + #include <sys/types.h> + #include <sys/socket.h> + #ifdef HAVE_SYS_IOCTL_H +@@ -1513,8 +1510,10 @@ var_udp6(register struct variable * vp, + int result; + int i, j; + caddr_t p; +-#if defined(openbsd4) || defined(freebsd3) ++#if defined(openbsd4) + static struct inpcb in6pcb, savpcb; ++#elif defined(freebsd3) ++ static struct xinpcb in6pcb, savpcb; + #else + static struct in6pcb in6pcb, savpcb; + #endif +@@ -1614,8 +1613,7 @@ var_udp6(register struct variable * vp, + DEBUGMSGTL(("mibII/ipv6", "looping: p=%p\n", p)); + + #if defined(freebsd3) +- /* To do: fill in in6pcb properly. */ +- memset(&in6pcb, 0, sizeof(in6pcb)); ++ in6pcb = *(struct xinpcb *) xig; + #elif defined(darwin) + in6pcb = ((struct xinpcb *) xig)->xi_inp; + #else +@@ -2108,12 +2106,18 @@ var_tcp6(register struct variable * vp, + int result; + int i, j; + caddr_t p; +-#if defined(openbsd4) || defined(freebsd3) ++#if defined(openbsd4) + static struct inpcb in6pcb, savpcb; ++#elif defined(freebsd3) ++ static struct xinpcb in6pcb; ++ static int savstate; + #else + static struct in6pcb in6pcb, savpcb; + #endif ++#if !defined(freebsd3) + struct tcpcb tcpcb; ++#endif ++ int state; + int found, savnameLen; + #if defined(__NetBSD__) && __NetBSD_Version__ >= 106250000 || defined(openbsd4) /*1.6Y*/ + struct inpcbtable tcbtable; +@@ -2208,8 +2212,7 @@ var_tcp6(register struct variable * vp, + DEBUGMSGTL(("mibII/ipv6", "looping: p=%p\n", p)); + + #if defined(freebsd3) +- /* To do: fill in in6pcb properly. */ +- memset(&in6pcb, 0, sizeof(in6pcb)); ++ in6pcb = ((struct xtcpcb *) xig)->xt_inp; + #elif defined(dragonfly) + in6pcb = xtp->xt_inp; + #elif defined(darwin) +@@ -2294,7 +2297,11 @@ var_tcp6(register struct variable * vp, + #endif + result = snmp_oid_compare(name, *length, newname, j); + if (exact && (result == 0)) { ++#if defined(freebsd3) ++ savstate = ((struct xtcpcb *) xig)->t_state; ++#else + memcpy(&savpcb, &in6pcb, sizeof(savpcb)); ++#endif + savnameLen = j; + memcpy(savname, newname, j * sizeof(oid)); + found++; +@@ -2305,7 +2312,11 @@ var_tcp6(register struct variable * vp, + */ + if ((savnameLen == 0) || + (snmp_oid_compare(savname, savnameLen, newname, j) > 0)) { ++#if defined(freebsd3) ++ savstate = ((struct xtcpcb *) xig)->t_state; ++#else + memcpy(&savpcb, &in6pcb, sizeof(savpcb)); ++#endif + savnameLen = j; + memcpy(savname, newname, j * sizeof(oid)); + found++; +@@ -2344,19 +2355,27 @@ var_tcp6(register struct variable * vp, + return NULL; + *length = savnameLen; + memcpy((char *) name, (char *) savname, *length * sizeof(oid)); ++#if defined(freebsd3) ++ state = savstate; ++#elif defined(__NetBSD__) && __NetBSD_Version__ >= 999010400 + memcpy(&in6pcb, &savpcb, sizeof(savpcb)); +-#if defined(__NetBSD__) && __NetBSD_Version__ >= 999010400 + if (!NETSNMP_KLOOKUP(in6pcb.in6p_pcb.inp_ppcb, (char *) &tcpcb, sizeof(tcpcb))) { + DEBUGMSGTL(("mibII/ipv6", "klookup fail for tcb6.tcpcb at %p\n", + in6pcb.in6p_pcb.inp_ppcb)); ++ found = 0; ++ return NULL; ++ } ++ state = (int)tcpcb.t_state; + #else ++ memcpy(&in6pcb, &savpcb, sizeof(savpcb)); + if (!NETSNMP_KLOOKUP(in6pcb.inp_ppcb, (char *) &tcpcb, sizeof(tcpcb))) { + DEBUGMSGTL(("mibII/ipv6", "klookup fail for tcb6.tcpcb at %p\n", + in6pcb.inp_ppcb)); +-#endif + found = 0; + return NULL; + } ++ state = (int)tcpcb.t_state; ++#endif + *write_method = 0; + *var_len = sizeof(long); /* default to 'long' results */ + +@@ -2368,7 +2387,7 @@ var_tcp6(register struct variable * vp, + DEBUGMSGTL(("mibII/ipv6", "magic=%d\n", vp->magic)); + switch (vp->magic) { + case IPV6TCPCONNSTATE: +- long_return = mapTcpState((int)tcpcb.t_state); ++ long_return = mapTcpState(state); + return (u_char *) & long_return; + default: + break; diff --git a/net-mgmt/net-snmp/files/patch-agent_mibgroup_mibII_tcp.c b/net-mgmt/net-snmp/files/patch-agent_mibgroup_mibII_tcp.c index af46e3d86d43..83470a30dedf 100644 --- a/net-mgmt/net-snmp/files/patch-agent_mibgroup_mibII_tcp.c +++ b/net-mgmt/net-snmp/files/patch-agent_mibgroup_mibII_tcp.c @@ -1,5 +1,5 @@ ---- agent/mibgroup/mibII/tcp.c.orig 2023-08-15 20:32:01 UTC -+++ agent/mibgroup/mibII/tcp.c +--- agent/mibgroup/mibII/tcp.c.orig 2023-08-15 13:32:01.000000000 -0700 ++++ agent/mibgroup/mibII/tcp.c 2025-07-10 17:17:00.309421000 -0700 @@ -8,6 +8,14 @@ #include <net-snmp/net-snmp-features.h> #include "mibII_common.h" @@ -15,3 +15,21 @@ #ifdef HAVE_STDLIB_H #include <stdlib.h> #endif +@@ -38,8 +46,17 @@ + #include <netinet/tcpip.h> + #endif + #ifdef HAVE_NETINET_TCP_TIMER_H ++#if __FreeBSD_version >= 1500048 ++#define _KERNEL ++#define max(x, y) (((x) > (y)) ? (x) : (y)) ++#define MSEC_2_TICKS(m) max(1, (uint32_t)((hz == 1000) ? \ ++ (m) : ((uint64_t)(m) * (uint64_t)hz)/(uint64_t)1000)) ++#endif + #include <netinet/tcp_timer.h> ++#if __FreeBSD_version >= 1500048 ++#undef _KERNEL + #endif ++#endif + #ifdef HAVE_NETINET_TCP_VAR_H + #ifdef openbsd7 + #define _KERNEL /* OpenBSD 7.3 */ diff --git a/net-mgmt/net-snmp/files/patch-include_net-snmp_system_freebsd15.h b/net-mgmt/net-snmp/files/patch-include_net-snmp_system_freebsd15.h index d81ec27f83d5..90a4d4e2db1d 100644 --- a/net-mgmt/net-snmp/files/patch-include_net-snmp_system_freebsd15.h +++ b/net-mgmt/net-snmp/files/patch-include_net-snmp_system_freebsd15.h @@ -1,6 +1,6 @@ --- include/net-snmp/system/freebsd15.h.orig 2024-03-02 16:01:17 UTC +++ include/net-snmp/system/freebsd15.h @@ -0,0 +1,3 @@ -+/* freebsd14 is a superset of freebsd13 */ -+#include "freebsd13.h" -+#define freebsd13 freebsd13 ++/* freebsd15 is a superset of freebsd14 */ ++#include "freebsd14.h" ++#define freebsd14 freebsd14 diff --git a/net-mgmt/net-snmp/files/pkg-message.in b/net-mgmt/net-snmp/files/pkg-message.in index e0c144b11bcb..aec6be19f18c 100644 --- a/net-mgmt/net-snmp/files/pkg-message.in +++ b/net-mgmt/net-snmp/files/pkg-message.in @@ -3,7 +3,7 @@ message: <<EOM **** This port installs snmpd, header files and libraries but does not start snmpd by default. - If you want to auto-start snmpd and snmptrapd:, add the following to + If you want to auto-start snmpd and snmptrapd, add the following to /etc/rc.conf: snmpd_enable="YES" @@ -30,4 +30,48 @@ BATCH="yes" EOM } +{ type: upgrade + message: <<EOM +snmpd now drops privileges by default after initialization is completed. +Ensure that any extension commands defined in your snmpd.conf can be executed +by the snmpd user. + +It is possible to start and run snmpd entirely as a non-root user with the +following steps: + +1. Add the following lines to /etc/rc.conf: + + snmpd_user="snmpd" + snmpd_group="snmpd" + snmpd_pidfile="/var/net-snmp/snmpd.pid" + +2. Configure the mac_portacl(4) kernel module: + + a. Load mac_portacl.ko at boot time by adding the following line to + /etc/rc.conf: + + kld_list="mac_portacl" + + b. Configure the following sysctls in sysctl.conf(5): + + net.inet.ip.portrange.reservedhigh=0 + security.mac.portacl.rules=gid:344:udp:161,gid:344:tcp:161,gid:344:tcp:199,gid:344:tcp:705 + + This allows snmpd to bind to these privileged ports without holding + special privileges. + +3. Make sure that the snmpd user has read/write or read-only access to the + following: + + RW - /var/log/snmpd.log + RW - /var/net-snmp/* + RO - /usr/local/share/snmp/* + + Note that snmpd creates the /var/net-snmp directory upon its initial + startup, and this cannot be done by the snmpd user. + +4. Ensure that any and all extension commands defined in snmpd.conf can be + executed by the snmpd user. +EOM +} ] diff --git a/net-mgmt/net-snmp/files/snmpd.in b/net-mgmt/net-snmp/files/snmpd.in index a98404d22bd0..b3e02f1a5586 100644 --- a/net-mgmt/net-snmp/files/snmpd.in +++ b/net-mgmt/net-snmp/files/snmpd.in @@ -8,6 +8,20 @@ # snmpd_enable="YES" # snmpd_flags="<set as needed>" # snmpd_conffile="<set as needed>" +# +# Add the following line to make snmpd run as root. By default it drops +# privileges after initialization, but some configurations may require +# root privileges. In particular, extension scripts may need to be run as root. +# +# snmpd_sugid="NO" +# +# To troubleshoot permission errors, it may be useful to run snmpd with the +# following option in rc.conf: +# +# snmpd_prepend="ktrace -i -f /tmp/snmpd_ktrace.out" +# +# The resulting trace can be inspected with "kdump -f /tmp/snmpd_ktrace.out". +# . /etc/rc.subr @@ -18,6 +32,7 @@ load_rc_config snmpd snmpd_enable=${snmpd_enable:-"NO"} snmpd_flush_cache=${snmpd_flush_cache-"NO"} +snmpd_sugid=${snmpd_sugid:-"YES"} pidfile=${snmpd_pidfile:-"/var/run/net_snmpd.pid"} @@ -25,8 +40,24 @@ command=%%PREFIX%%/sbin/${name} start_precmd=net_snmpd_precmd -net_snmpd_precmd () { - local flag conffile snmpd_conffile_set +check_conffile() +{ + local conffile + + conffile=$1 + + if [ ! -f "${conffile}" ]; then + warn "snmpd configuration file $conffile not found" + return + fi + su -m snmpd -c "test -r ${conffile}" + if [ $? -ne 0 ]; then + warn "snmpd configuration file $conffile not readable by snmpd user" + fi +} + +net_snmpd_precmd() { + local flag conffile snmpd_conffile_set readable if checkyesno snmpd_flush_cache; then rm -vf /var/net-snmp/.snmp-exec-cache @@ -45,11 +76,17 @@ net_snmpd_precmd () { esac done + # -c does not override the default config file. + # if it exists, sanity check + if [ -f %%PREFIX%%/share/snmp/snmpd.conf ]; then + check_conffile %%PREFIX%%/share/snmp/snmpd.conf + fi for conffile in ${snmpd_conffile}; do + check_conffile ${conffile} if [ -f "${conffile}" -a -s "${conffile}" ]; then - snmpd_conffile_set="${snmpd_conffile_set},${conffile}" + snmpd_conffile_set="${snmpd_conffile_set},${conffile}" else - err 1 "snmpd configuration file $conffile not found." + err 1 "snmpd configuration file $conffile not found." fi done @@ -57,6 +94,10 @@ net_snmpd_precmd () { if [ -n "${snmpd_conffile_set}" ]; then rc_flags="-c ${snmpd_conffile_set#,} ${rc_flags}" fi + if checkyesno snmpd_sugid; then + rc_flags="-u snmpd -g snmpd ${rc_flags}" + fi + rc_flags="-p ${pidfile} ${rc_flags}" } diff --git a/net-mgmt/net-snmp/files/snmptrapd.in b/net-mgmt/net-snmp/files/snmptrapd.in index e2a6e01b0da1..6c7bc93a2a03 100644 --- a/net-mgmt/net-snmp/files/snmptrapd.in +++ b/net-mgmt/net-snmp/files/snmptrapd.in @@ -7,19 +7,26 @@ # # snmptrapd_enable="YES" # +# Add the following line to make snmptrapd run as root. By default it drops +# privileges after initialization, but some configurations may require root +# privileges. +# +# snmptrapd_sugid="NO" +# snmptrapd_enable=${snmptrapd_enable-"NO"} snmptrapd_flags=${snmptrapd_flags-"-p /var/run/snmptrapd.pid"} +snmptrapd_sugid=${snmptrapd_sugid-"YES"} . /etc/rc.subr load_rc_config net_snmptrapd if [ ! -z "$net_snmptrapd_enable" ]; then - echo "Warning: \$net_snmptrapd_enable is obsoleted." - echo " Use \$snmptrapd_enable instead." - snmptrapd_enable="$net_snmptrapd_enable" - [ ! -z "$net_snmptrapd_flags" ] && snmptrapd_flags="$net_snmptrapd_flags" + echo "Warning: \$net_snmptrapd_enable is obsolete." + echo " Use \$snmptrapd_enable instead." + snmptrapd_enable="$net_snmptrapd_enable" + [ ! -z "$net_snmptrapd_flags" ] && snmptrapd_flags="$net_snmptrapd_flags" fi name=snmptrapd @@ -29,4 +36,13 @@ command=%%PREFIX%%/sbin/${name} pidfile=/var/run/${name}.pid load_rc_config ${name} + +start_precmd=snmptrapd_precmd + +snmptrapd_precmd() { + if checkyesno snmptrapd_sugid; then + rc_flags="-u snmpd -g snmpd ${rc_flags}" + fi +} + run_rc_command "$1" |