Chrooting an SNMP AgentX application
Hi!

I am writing some kind of application (https://trac.luffy.cx/lldpd) that behaves like an AgentX using the NetSNMP API. I would like to do some privilege separation and chrooting. However, the NetSNMP API does a lot of things that make the task a bit difficult:

- It tries to read a lot of MIBs. This is not possible since it is chrooted. I have tried to set MIB and MIBDIRS to some other values but without success:

    Cannot find module (HOST-RESOURCES-MIB): At line 0 in (none)
    Cannot find module (HOST-RESOURCES-TYPES): At line 0 in (none)
    Cannot find module (UCD-DLMOD-MIB): At line 0 in (none)
    Cannot find module (UCD-DISKIO-MIB): At line 0 in (none)

  What is the best way to avoid loading any MIB without rewriting init_agent or init_snmp? Some netsnmp_ds_set_string?

- It tries to use a persistent store. I am not interested in this feature but I did not find an easy way to disable it. Therefore, I get some errors when exiting:

    Creating directory: /var
    Failed to create the persistent directory for /var/lib/snmp/lldpAgent.conf
    read_config_store open failure on /var/lib/snmp/lldpAgent.conf

  How to disable this feature?

My main problem is with the socket. Actually, if NETSNMP_AGENTX_SOCKET starts with /, I chroot into the base directory containing the socket and use netsnmp_ds_set_string to change the socket to the basename of the file. However, the user has to configure snmpd to give additional permissions on this socket. I would prefer to handle the opening of the socket in the privileged part of the application. If I just initialize the agent while outside the chroot, I won't be able to reconnect in case of problems.

Would it be possible to write a custom transport which inherits from and replaces the Unix one, with a netsnmp_unix_transport() function that will handle the opening of the socket correctly? From the source code, it seems that I could use netsnmp_tdomain_register. How to ensure that my new transport will override the actual one?

Any idea will be welcome. Thanks.
--
I WILL NOT FAKE MY WAY THROUGH LIFE
I WILL NOT FAKE MY WAY THROUGH LIFE
I WILL NOT FAKE MY WAY THROUGH LIFE
        -+- Bart Simpson on chalkboard in episode 7F03

___
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users
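The privilege-separation layout the post is asking for, as an added example (my code, not lldpd's and not part of Net-SNMP): a privileged monitor process keeps the right to connect() to the AgentX unix socket by its absolute path, outside the chroot, and hands the connected descriptor to the chrooted, unprivileged worker over a socketpair with SCM_RIGHTS, so the worker can ask for a fresh descriptor each time it needs to reconnect without snmpd's socket permissions being widened. The names connect_agentx, send_fd, recv_fd, drop_privileges and selftest are mine; how the received descriptor is handed to the Net-SNMP transport is left to the application.

```c
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/un.h>
#include <grp.h>
#include <string.h>
#include <unistd.h>
/* Monitor (privileged, outside the chroot): connect to the AgentX unix socket by absolute path. */
int connect_agentx(const char *path) {
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    if (strlen(path) >= sizeof sa.sun_path) return -1;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0); if (fd < 0) return -1;
    strcpy(sa.sun_path, path);
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;                       /* connected fd, or -1 */
}
/* Monitor: hand the connected descriptor to the worker over a unix socketpair (SCM_RIGHTS). */
int send_fd(int sock, int fd) {
    char c = 'F'; union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u;
    struct iovec iov = { .iov_base = &c, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
/* Worker (chrooted, unprivileged): receive a connected AgentX socket; -1 on error. */
int recv_fd(int sock) {
    char c; union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u;
    struct iovec iov = { .iov_base = &c, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}
/* Worker: chroot, then drop groups, gid and uid (in that order); 0 on success. */
int drop_privileges(const char *dir, uid_t uid, gid_t gid) {
    if (chroot(dir) < 0 || chdir("/") < 0) return -1;
    return (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) ? -1 : 0;
}
/* Self-check that needs no root: pass a pipe end across a socketpair and use it. */
int selftest(void) {
    int sp[2], p[2]; char b = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0 || pipe(p) < 0) return 0;
    if (send_fd(sp[0], p[1]) < 0) return 0;
    int w = recv_fd(sp[1]);
    return w >= 0 && write(w, "x", 1) == 1 && read(p[0], &b, 1) == 1 && b == 'x';
}
```

In the real layout the worker sends a one-byte request on its end of the socketpair whenever the AgentX session drops, and the monitor answers with connect_agentx() followed by send_fd().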
RE: Unknown engine ID
From: Cardoza, Eric D.
Sent: Friday, November 14, 2008 3:03 PM
To: 'Mike Ayers'; net-snmp-users@lists.sourceforge.net
Subject: RE: Unknown engine ID

I apologize for my ignorance of community support list usage. I am an old IBMer and not familiar with the proper open source community behavior. Also, I notice as I read the postings on the list that my posting is the only one that does not have a Topic heading. Please let me know how I can establish a Topic for my posting. Thank you for your help and patience.

Here is the information you requested.

OS: Linux 2.6.9-34.ELsmp #1 SMP Fri Feb 24 16:54:53 EST 2006 i686 i686 i386 GNU/Linux

NET-SNMP build from Red Hat Network:
net-snmp-devel-5.1.2-13.el4_7.2
net-snmp-libs-5.1.2-13.el4_7.2
net-snmp-utils-5.1.2-13.el4_7.2
net-snmp-5.1.2-13.el4_7.2

I did not explicitly set the engineID. I had read in the Net-SNMP docs that it was recommended to let net-snmp generate it.

Thank you.

Eric Cardoza

-----Original Message-----
From: Mike Ayers [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 14, 2008 2:46 PM
To: Cardoza, Eric D.; net-snmp-users@lists.sourceforge.net
Subject: RE: Unknown engine ID

> From: Cardoza, Eric D. [mailto:[EMAIL PROTECTED]]
> Sent: Friday, November 14, 2008 9:55 AM
>
> Hello Mr. Ayers.

Talk to the list, not the individual, please.

> The only tool is net-snmp.

net-snmp is not a tool - it is a collection of tools.

> As you see from the information in my email, I am using snmp commands such as snmpget or snmpwalk to query the MIBs. For a few minutes after I start the snmpd daemon on the system which I am querying, the snmp commands return OID data. Then after a few minutes, I get the Unknown engine ID msg. I must then stop and restart the snmpd daemon on the target system for the snmp commands to retrieve data again. I am not using any external software product in this test.

H - this is *very* strange and should never happen - the engineID should be a constant for an engine.

Can you please submit details for the installation:
- what OS are you running on?
- where did the build come from?
- Are you explicitly setting the engineId in snmpd.conf?

That's a start...

Thanks,
Mike