OoO Shortly before the start of the afternoon on Sunday, 04 January 2009, around
13:51, "Nikos Balkanas" <nbalka...@gmail.com> said:

> 1) Default agentx configuration (master agentx) is TCP:705 from
> anywhere. This is not the default Unix socket as told in the man
> pages. It should be restricted in the configuration and not left as is.

Default agentx configuration is /var/agentx/master. If it fails, it
falls back to TCP. This is done in agentx_config_init():

,----
|     netsnmp_register_default_domain("agentx", "unix");
|     netsnmp_register_default_target("agentx", "unix", NETSNMP_AGENTX_SOCKET);
| #define val(x) __STRING(x)
|     netsnmp_register_default_target("agentx", "tcp", ":" val(AGENTX_PORT));
`----

> 2) Permissions can be restricted to localhost only. That is good, but
> still any local user can hijack root snmp sessions (application,
> server, etc.). Permissions on the unix socket affect the permissions
> on the file itself, i.e. no one can inject snmp commands from the file
> system, which is a good thing. Still any local user can use a subagent
> and without any authentication can exploit the whole snmp server tree.

If you use a Unix socket, the only way to connect to the master agent
is to connect to this socket. On Linux, the rights set on this socket
and on the directory containing this socket will be checked before a
connection is allowed. I don't know if this is done on other Unixes.

> Unfortunately sockets, unix or TCP, do not support permissions in
> their protocol.

Unix sockets allow credential transport (SCM_CREDENTIALS) on Linux and
on many BSDs. This is not done in NetSNMP however.
-- 
panic("huh?\n");
        2.2.16 /usr/src/linux/arch/i386/kernel/smp.c
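As an added example (not net-snmp code) of the credential check the reply says NetSNMP does not perform: on Linux a Unix-socket listener can ask the kernel for the connecting peer's uid with SO_PEERCRED, the getsockopt relative of SCM_CREDENTIALS, and refuse subagents that are not trusted. The policy (root or the agent's own uid) and the socketpair() standing in for a master/subagent connection are constructed assumptions.

```c
/* Added example, not from net-snmp: how a Unix-socket listener (such as an
 * AgentX master) could check who is on the other end of a connection.
 * Uses Linux SO_PEERCRED, the getsockopt form of the SCM_CREDENTIALS
 * mechanism mentioned in the thread. The policy and the socketpair()
 * demo are constructed for illustration. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

/* Fill in the peer's uid/gid/pid for a connected AF_UNIX socket.
 * Returns 0 on success, -1 if the kernel cannot provide credentials
 * (bad descriptor, not a Unix-domain socket, etc.). */
static int peer_credentials(int fd, struct ucred *out)
{
    socklen_t len = sizeof(*out);
    memset(out, 0, sizeof(*out));
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, out, &len) != 0)
        return -1;
    return 0;
}

/* Hypothetical policy: accept the peer only if it runs as root or as the
 * uid the master agent itself runs under. Fails closed without credentials. */
static int peer_allowed(int fd, uid_t agent_uid)
{
    struct ucred cr;
    if (peer_credentials(fd, &cr) != 0)
        return 0;
    return (cr.uid == 0 || cr.uid == agent_uid) ? 1 : 0;
}

/* Demo: a connected socket pair stands in for master <-> subagent.
 * Returns the policy decision for sv[0]; optionally reports the peer uid. */
static int demo_pair(uid_t agent_uid, int *peer_uid_out)
{
    int sv[2];
    struct ucred cr;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    int ok = peer_allowed(sv[0], agent_uid);
    if (peer_uid_out && peer_credentials(sv[0], &cr) == 0)
        *peer_uid_out = (int)cr.uid;
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    int uid = -1;
    int ok = demo_pair(getuid(), &uid);
    printf("peer uid %d, allowed=%d\n", uid, ok);
    return ok ? 0 : 1;
}
```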

Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net