OoO In this cloudy early afternoon of Saturday 15 November 2008, around
14:15, I said:

> I am writing some kind of application (https://trac.luffy.cx/lldpd) that
> behaves  like an  AgentX using  NetSNMP  API. I  would like  to do  some
> privilege separation and chrooting. However, NetSNMP API does a lot of
> things that make the task a bit difficult:
>  - It  tries to  read a lot  of MIB.  This is not  possible since  it is
>    chrooted. I  have tried to set  MIB and MIBDIRS to  some other values
>    but without success:

> Cannot find module (HOST-RESOURCES-MIB): At line 0 in (none)
> Cannot find module (HOST-RESOURCES-TYPES): At line 0 in (none)
> Cannot find module (UCD-DLMOD-MIB): At line 0 in (none)
> Cannot find module (UCD-DISKIO-MIB): At line 0 in (none)

To solve this, I just used:
        setenv("MIBS", "", 1);

>  - It tries to  use a  persistent store.  I am  not interested  in this
>    feature but  I did not find an  easy way to disable  it. Therefore, I
>    get some errors when exiting:

> Creating directory: /var
> Failed to create the persistent directory for /var/lib/snmp/lldpAgent.conf
> read_config_store open failure on /var/lib/snmp/lldpAgent.conf

>    How to disable this feature?

        netsnmp_ds_set_boolean(NETSNMP_DS_LIBRARY_ID,
            NETSNMP_DS_LIB_DONT_PERSIST_STATE, TRUE);

> My main  problem is with the socket.  Actually, if NETSNMP_AGENTX_SOCKET
> starts with "/", I chroot  into the base directory containing the socket
> and use  netsnmp_ds_set_string to change  the socket to the  basename of
> the file. However, the user has to configure snmpd to give additional
> permissions on this socket. I would  prefer to handle the opening of the
> socket in the privileged part of the application.

> If I just initialize the agent while outside the chroot, I won't be able
> to reconnect in case of problems.

> Would  it be possible  to write  a custom  transport which  inherits and
> replaces  Unix one  with a  netsnmp_unix_transport() function  that will
> handle correctly the opening of the socket? From the source code, it
> seems that I  could use netsnmp_tdomain_register. How to  ensure that my
> new transport will override the actual one?

I am on the way to solving this problem. I register my own domain with
the same OID as the Unix domain and therefore the registration of the
builtin Unix domain will fail and my implementation will be used.
-- 
No fortunes found
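
The preference stated in the message above, opening the socket in the privileged part and using it from the chrooted part, is commonly met by passing the connected descriptor over a Unix socketpair with SCM_RIGHTS. This is an added example, not part of the original message and not lldpd or Net-SNMP code; send_fd, recv_fd, demo and the fdmsg type are hypothetical names, and a socketpair stands in for the real connection to the AgentX socket.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

typedef union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } fdmsg;

/* Privileged side (hypothetical helper): pass one fd as SCM_RIGHTS data. */
int send_fd(int chan, int fd) {
    char byte = 0;
    fdmsg u = { .buf = {0} };
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Chrooted side (hypothetical helper): accept exactly one fd, else fail. */
int recv_fd(int chan) {
    char byte;
    int fd = -1;
    fdmsg u;
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    if (recvmsg(chan, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC)) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Constructed demo: socketpairs stand in for the privsep channel and for the
 * connection to the AgentX socket. Returns 0 if the received fd is usable. */
int demo(void) {
    int chan[2], agentx[2], fd;
    char buf[4] = {0};
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, agentx)) return -1;
    if (send_fd(chan[0], agentx[1]) != 0) return -1;  /* privileged part */
    close(agentx[1]);                   /* only the in-flight copy remains */
    if ((fd = recv_fd(chan[1])) < 0) return -1;       /* chrooted part */
    if (write(fd, "ping", 4) != 4 || read(agentx[0], buf, 4) != 4) return -1;
    return memcmp(buf, "ping", 4) == 0 ? 0 : -1;
}
```

Because the privileged part stays outside the chroot, it can connect again and send a fresh descriptor when the chrooted part asks for one after a lost connection.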
