The current AGENT_DIRECTORY_MODE, which is used to create the persistent
directory if it doesn't exist, is 0700. This was also used when creating the
MIB and cert index directories, meaning that if snmpd is run as root, regular
users can't get to the indexes.
I'd like to make a few changes:
1) change the AGENT_DIRECTORY_MODE to 0711 (add group/world execute)
2) introduce new PUBLIC_DIRECTORY_MODE 0755 for index directories
3) check/create persistent directory earlier during startup, so we can
create it with the right permissions
4) use PUBLIC_DIRECTORY_MODE for MIB/cert index directories.
proposed patch attached. I've tested it, and had one favorable user report as
well.
Thoughts?
diff --git a/acconfig.h b/acconfig.h
index 9a5d0ec..aa64f1a 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -115,8 +115,14 @@
/* AGENT_DIRECTORY_MODE: the mode the agents should use to create
directories with. Since the data stored here is probably sensitive, it
- probably should be read-only by root/administrator. */
-#define NETSNMP_AGENT_DIRECTORY_MODE 0700
+ probably should be read-only by root/administrator, and executable by
+ group/world (for access to public subdirs). */
+#define NETSNMP_AGENT_DIRECTORY_MODE 0711
+
+/* PUBLIC_DIRECTORY_MODE: the mode the library should use to create public
+ directories with. Since the data stored here is public, it should be
+ world readable. */
+#define NETSNMP_PUBLIC_DIRECTORY_MODE 0755
/* MAX_PERSISTENT_BACKUPS:
* The maximum number of persistent backups the library will try to
diff --git a/include/net-snmp/net-snmp-config.h.in b/include/net-snmp/net-snmp-config.h.in
index 726a515..c9df593 100644
--- a/include/net-snmp/net-snmp-config.h.in
+++ b/include/net-snmp/net-snmp-config.h.in
@@ -1681,8 +1678,14 @@
/* AGENT_DIRECTORY_MODE: the mode the agents should use to create
directories with. Since the data stored here is probably sensitive, it
- probably should be read-only by root/administrator. */
-#define NETSNMP_AGENT_DIRECTORY_MODE 0700
+ probably should be read-only by root/administrator, and executable by
+ group/world (for access to public subdirs). */
+#define NETSNMP_AGENT_DIRECTORY_MODE 0711
+
+/* PUBLIC_DIRECTORY_MODE: the mode the library should use to create public
+ directories with. Since the data stored here is public, it should be
+ world readable. */
+#define NETSNMP_PUBLIC_DIRECTORY_MODE 0755
/* MAX_PERSISTENT_BACKUPS:
* The maximum number of persistent backups the library will try to
diff --git a/snmplib/cert_util.c b/snmplib/cert_util.c
index 6d9efe5..94df9e7 100644
--- a/snmplib/cert_util.c
+++ b/snmplib/cert_util.c
@@ -783,7 +783,7 @@ _certindexes_load( void )
if ( dir == NULL ) {
DEBUGMSGT(("cert:index:load",
"creating new cert_indexes directory\n"));
- mkdirhier( filename, NETSNMP_AGENT_DIRECTORY_MODE, 0);
+ mkdirhier( filename, NETSNMP_PUBLIC_DIRECTORY_MODE, 0);
return;
}
diff --git a/snmplib/mib.c b/snmplib/mib.c
index 7fb7986..a3364a6 100644
--- a/snmplib/mib.c
+++ b/snmplib/mib.c
@@ -2784,7 +2784,7 @@ netsnmp_mibindex_load( void )
dir = opendir( tmpbuf );
if ( dir == NULL ) {
DEBUGMSGTL(("mibindex", "load: (new)\n"));
- mkdirhier( tmpbuf, NETSNMP_AGENT_DIRECTORY_MODE, 0);
+ mkdirhier( tmpbuf, NETSNMP_PUBLIC_DIRECTORY_MODE, 0);
return;
}
diff --git a/snmplib/snmp_api.c b/snmplib/snmp_api.c
index df44d75..cf98d72 100644
--- a/snmplib/snmp_api.c
+++ b/snmplib/snmp_api.c
@@ -95,6 +95,9 @@ SOFTWARE.
#include <sys/net/if_dl.h>
#endif
#endif
+#if HAVE_SYS_STAT_H
+# include <sys/stat.h>
+#endif
#include <errno.h>
#if HAVE_LOCALE_H
@@ -788,6 +791,17 @@ register_default_handlers(void)
netsnmp_register_service_handlers();
}
+static void
+netsnmp_init_persistent_dir(void)
+{
+ struct stat statbuf;
+
+ if (stat(get_persistent_directory(), &statbuf) != 0)
+ mkdirhier(get_persistent_directory(), NETSNMP_AGENT_DIRECTORY_MODE, 0);
+
+ return;
+}
+
static int init_snmp_init_done = 0; /* To prevent double init's. */
/**
* Calls the functions to do config file loading and mib module parsing
@@ -848,6 +862,7 @@ init_snmp(const char *type)
#endif
read_premib_configs();
+ netsnmp_init_persistent_dir();
#ifndef NETSNMP_DISABLE_MIB_LOADING
netsnmp_init_mib();
#endif /* NETSNMP_DISABLE_MIB_LOADING */
------------------------------------------------------------------------------
BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA
The must-attend event for mobile developers. Connect with experts.
Get tools for creating Super Apps. See the latest technologies.
Sessions, hands-on labs, demos & much more. Register early & save!
http://p.sf.net/sfu/rim-blackberry-1
_______________________________________________
Net-snmp-coders mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
