We have a number of Business editions rolled out and are noticing that we can't query services.
When running with the following, we only get back the snmpd service:
snmpd 47456 0.0 0.2 38816 26476 - S 08:01 0:00.01 /usr/local/sbin/snmpd -p /var/run/net_snmpd.pid -u snmpd -g snmpd
zabbix:~$ snmpwalk -v2c -cExample foo.bar.com .1.3.6.1.2.1.25.4.2.1.2
iso.3.6.1.2.1.25.4.2.1.2.47456 = STRING: "snmpd"
If I kill the process and start it as root, we get the full list.
root 93943 0.0 0.2 38816 26296 - S 08:02 0:00.01 /usr/local/sbin/snmpd -p /var/run/net_snmpd.pid
zabbix:~$ snmpwalk -v2c -cExample foo.bar.com .1.3.6.1.2.1.25.4.2.1.2
iso.3.6.1.2.1.25.4.2.1.2.20 = STRING: "lighttpd"
iso.3.6.1.2.1.25.4.2.1.2.315 = STRING: "python3.11"
iso.3.6.1.2.1.25.4.2.1.2.317 = STRING: "python3.11"
iso.3.6.1.2.1.25.4.2.1.2.563 = STRING: "devd"
iso.3.6.1.2.1.25.4.2.1.2.8724 = STRING: "ntpd"
iso.3.6.1.2.1.25.4.2.1.2.12072 = STRING: "dpinger"
iso.3.6.1.2.1.25.4.2.1.2.12829 = STRING: "daemon"
iso.3.6.1.2.1.25.4.2.1.2.13264 = STRING: "php"
iso.3.6.1.2.1.25.4.2.1.2.13324 = STRING: "syslog-ng"
iso.3.6.1.2.1.25.4.2.1.2.13761 = STRING: "syslog-ng"
iso.3.6.1.2.1.25.4.2.1.2.21025 = STRING: "csh"
iso.3.6.1.2.1.25.4.2.1.2.25394 = STRING: "daemon"
I don't see this issue with the non-Business edition. It always seems to start as root and not the snmpd user.
Seems you can set the following in /usr/local/etc/rc.d/snmpd to have it run as root.
snmpd_sugid="NO"
Just curious why Business vs Community causes this break.
# cat /usr/local/opnsense/service/templates/OPNsense/Netsnmp/snmpd
{% if helpers.exists('OPNsense.netsnmp.general.enabled') and OPNsense.netsnmp.general.enabled == '1' %}
snmpd_setup="/usr/local/opnsense/scripts/OPNsense/Netsnmp/setup.sh"
snmpd_enable="YES"
snmpd_sugid="NO"
{% else %}
snmpd_enable="NO"
{% endif %}
Also, there's been some great upstream idea (https://cgit.freebsd.org/ports/commit/net-mgmt/net-snmp?id=3327b2e94adbc1fa1c6299ed04942395e5de650a) - which shouldn't be relevant here - but definitely broke things nicely (https://forums.freebsd.org/threads/net-snmp-wont-start-with-setgid-operation-not-permitted.94111/#post-662397).
It's most secure when it's not running at all. You are just half-way there on business, apparently. :-*
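
Added example, not part of any post in this thread: a small shell check a monitoring host could run over `ps` and `snmpwalk` output to recognise the symptom reported at the top, where an agent started with `-u snmpd` returns only its own hrSWRunName entry. The function and variable names are hypothetical; the sample lines are copied from the output quoted in the thread.

```sh
#!/bin/sh
# Added example; function and variable names are hypothetical.
# Sample lines are copied from the output quoted in the thread.
PS_DROPPED='snmpd 47456 0.0 0.2 38816 26476 - S 08:01 0:00.01 /usr/local/sbin/snmpd -p /var/run/net_snmpd.pid -u snmpd -g snmpd'
PS_ROOT='root 93943 0.0 0.2 38816 26296 - S 08:02 0:00.01 /usr/local/sbin/snmpd -p /var/run/net_snmpd.pid'
RESTRICTED_WALK='iso.3.6.1.2.1.25.4.2.1.2.47456 = STRING: "snmpd"'
FULL_WALK='iso.3.6.1.2.1.25.4.2.1.2.20 = STRING: "lighttpd"
iso.3.6.1.2.1.25.4.2.1.2.8724 = STRING: "ntpd"'

# $1: one ps line for snmpd. Prints the value after -u, or "none" if absent.
snmpd_run_user() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "-u") { print $(i + 1); found = 1; exit }
    } END { if (!found) print "none" }'
}

# Reads an hrSWRunName walk (.1.3.6.1.2.1.25.4.2.1.2) on stdin and prints:
#   restricted  only snmpd itself is listed
#   full        other process names are listed
#   empty       no hrSWRunName rows were parsed
classify_walk() {
    awk -F'STRING: ' '
        /25\.4\.2\.1\.2\.[0-9]+ = STRING: / {
            name = $2; gsub(/"/, "", name); total++
            if (name != "snmpd") other++
        }
        END {
            if (total == 0) print "empty"
            else if (other == 0) print "restricted"
            else print "full"
        }'
}

# $1: ps line, $2: walk output. Combines both observations into one verdict.
diagnose() {
    user=$(snmpd_run_user "$1")
    state=$(printf '%s\n' "$2" | classify_walk)
    if [ "$user" != "none" ] && [ "$state" = "restricted" ]; then
        echo "snmpd runs as '$user': hrSWRunName shows only the agent itself"
    else
        echo "user=$user walk=$state"
    fi
}

diagnose "$PS_DROPPED" "$RESTRICTED_WALK"
diagnose "$PS_ROOT" "$FULL_WALK"
```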