Re: Chrooting an SNMP AgentX application
OoO In the early cloudy afternoon of Saturday 15 November 2008, around 14:15, I said:

> I am writing some kind of application (https://trac.luffy.cx/lldpd) that behaves like an AgentX using the NetSNMP API. I would like to do some privilege separation and chrooting. However, the NetSNMP API does a lot of things that make the task a bit difficult:
>
> - It tries to read a lot of MIBs. This is not possible since it is chrooted. I have tried to set MIBS and MIBDIRS to some other values but without success:
>
>     Cannot find module (HOST-RESOURCES-MIB): At line 0 in (none)
>     Cannot find module (HOST-RESOURCES-TYPES): At line 0 in (none)
>     Cannot find module (UCD-DLMOD-MIB): At line 0 in (none)
>     Cannot find module (UCD-DISKIO-MIB): At line 0 in (none)

To solve this, I just used:

    setenv("MIBS", "", 1);

> - It tries to use a persistent store. I am not interested in this feature but I did not find an easy way to disable it. Therefore, I get some errors when exiting:
>
>     Creating directory: /var
>     Failed to create the persistent directory for /var/lib/snmp/lldpAgent.conf
>     read_config_store open failure on /var/lib/snmp/lldpAgent.conf
>
> How to disable this feature?

    netsnmp_ds_set_boolean(NETSNMP_DS_LIBRARY_ID, NETSNMP_DS_LIB_DONT_PERSIST_STATE, TRUE);

> My main problem is with the socket. Actually, if NETSNMP_AGENTX_SOCKET starts with /, I chroot into the base directory containing the socket and use netsnmp_ds_set_string to change the socket to the basename of the file. However, the user has to configure snmpd to give additional permissions on this socket. I would prefer to handle the opening of the socket in the privileged part of the application. If I just initialize the agent while outside the chroot, I won't be able to reconnect in case of problems. Would it be possible to write a custom transport which inherits from and replaces the Unix one, with a netsnmp_unix_transport() function that will handle the opening of the socket correctly? From the source code, it seems that I could use netsnmp_tdomain_register.
>
> How to ensure that my new transport will override the actual one?

I am on the way to solving this problem. I register my own domain with the same OID as the Unix domain, and therefore the registration of the builtin Unix domain will fail and my implementation will be used.

--
No fortunes found

___
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users
Re: Chrooting an SNMP AgentX application
OoO On this rainy morning of Sunday 16 November 2008, around 10:16, I said:

[privilege separation]

> Would it be possible to write a custom transport which inherits from and replaces the Unix one, with a netsnmp_unix_transport() function that will handle the opening of the socket correctly? From the source code, it seems that I could use netsnmp_tdomain_register. How to ensure that my new transport will override the actual one?
>
> I am on the way to solving this problem. I register my own domain with the same OID as the Unix domain, and therefore the registration of the builtin Unix domain will fail and my implementation will be used.

I cannot inherit methods from snmpUnixDomain since most of them are not public, but I have rewritten simpler forms of them (assuming local=0, a lot of code is not needed, nor is the opaque data structure). The new netsnmp_unix_transport calls the monitor, which does the socket+connect part and passes the file descriptor back to the main process.

--
BOFH excuse #357:
I'd love to help you -- it's just that the Boss won't let me near the computer.
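The monitor/child split described in the reply above, as an added example that is not lldpd's code nor part of Net-SNMP: the privileged monitor does the socket()+connect() on the absolute socket path, then hands the connected descriptor to the chrooted, unprivileged process over a socketpair with SCM_RIGHTS, so the child never needs filesystem access to the AgentX socket. The function names and the single tag byte protocol are assumptions of this example; a replacement Unix transport would call recv_fd() where the stock one calls connect().

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/un.h>
/* Control buffer sized for one int; the union keeps CMSG_* alignment right. */
union fd_cmsg { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Monitor side (outside the chroot, still privileged): connect to the AgentX
 * master's Unix socket at its absolute path. Returns the fd, or -1 on error. */
int monitor_connect_unix(const char *path) {
    struct sockaddr_un sun; int fd;
    if (strlen(path) >= sizeof(sun.sun_path)) return -1;   /* would be truncated */
    memset(&sun, 0, sizeof(sun));
    sun.sun_family = AF_UNIX;
    strncpy(sun.sun_path, path, sizeof(sun.sun_path) - 1);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    if (connect(fd, (struct sockaddr *)&sun, sizeof(sun)) < 0) { close(fd); return -1; }
    return fd;
}

/* Monitor side: hand the connected fd to the chrooted child over the
 * socketpair `chan`; the kernel duplicates it into the receiver. 0 or -1. */
int send_fd(int chan, int fd) {
    char tag = 'F'; struct iovec iov = { &tag, 1 };   /* one data byte is required */
    union fd_cmsg u; struct msghdr msg; struct cmsghdr *cm;
    memset(&u, 0, sizeof(u)); memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov; msg.msg_iovlen = 1; msg.msg_control = u.buf; msg.msg_controllen = sizeof(u.buf);
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Child side (chrooted, unprivileged): receive the fd the monitor connected.
 * The replacement Unix transport would use it instead of calling connect(). */
int recv_fd(int chan) {
    char tag; struct iovec iov = { &tag, 1 }; int fd;
    union fd_cmsg u; struct msghdr msg; struct cmsghdr *cm;
    memset(&u, 0, sizeof(u)); memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov; msg.msg_iovlen = 1; msg.msg_control = u.buf; msg.msg_controllen = sizeof(u.buf);
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS
        || cm->cmsg_len != CMSG_LEN(sizeof(int))) return -1;   /* accept nothing else */
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}
```

When the AgentX connection drops, the child asks the monitor again over `chan` and receives a fresh descriptor, which is what keeps reconnection working after the chroot.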
Chrooting an SNMP AgentX application
Hi!

I am writing some kind of application (https://trac.luffy.cx/lldpd) that behaves like an AgentX using the NetSNMP API. I would like to do some privilege separation and chrooting. However, the NetSNMP API does a lot of things that make the task a bit difficult:

- It tries to read a lot of MIBs. This is not possible since it is chrooted. I have tried to set MIBS and MIBDIRS to some other values but without success:

    Cannot find module (HOST-RESOURCES-MIB): At line 0 in (none)
    Cannot find module (HOST-RESOURCES-TYPES): At line 0 in (none)
    Cannot find module (UCD-DLMOD-MIB): At line 0 in (none)
    Cannot find module (UCD-DISKIO-MIB): At line 0 in (none)

  What is the best way to avoid loading any MIB without rewriting init_agent or init_snmp? Some netsnmp_ds_set_string?

- It tries to use a persistent store. I am not interested in this feature but I did not find an easy way to disable it. Therefore, I get some errors when exiting:

    Creating directory: /var
    Failed to create the persistent directory for /var/lib/snmp/lldpAgent.conf
    read_config_store open failure on /var/lib/snmp/lldpAgent.conf

  How to disable this feature?

My main problem is with the socket. Actually, if NETSNMP_AGENTX_SOCKET starts with /, I chroot into the base directory containing the socket and use netsnmp_ds_set_string to change the socket to the basename of the file. However, the user has to configure snmpd to give additional permissions on this socket. I would prefer to handle the opening of the socket in the privileged part of the application. If I just initialize the agent while outside the chroot, I won't be able to reconnect in case of problems. Would it be possible to write a custom transport which inherits from and replaces the Unix one, with a netsnmp_unix_transport() function that will handle the opening of the socket correctly? From the source code, it seems that I could use netsnmp_tdomain_register. How to ensure that my new transport will override the actual one?

Any idea will be welcome. Thanks.

--
I WILL NOT FAKE MY WAY THROUGH LIFE
I WILL NOT FAKE MY WAY THROUGH LIFE
I WILL NOT FAKE MY WAY THROUGH LIFE
-+- Bart Simpson on chalkboard in episode 7F03