Net-SNMP running as snmpd user

Started by SMiTTY, September 06, 2024, 03:26:40 PM

We have a number of Business editions rolled out and are noticing that we can't query services.

When running with the following, we only get back the snmpd service:

snmpd  47456   0.0  0.2   38816 26476  -  S    08:01       0:00.01 /usr/local/sbin/snmpd -p /var/run/net_snmpd.pid -u snmpd -g snmpd

zabbix:~$ snmpwalk -v2c -cExample foo.bar.com .1.3.6.1.2.1.25.4.2.1.2
iso.3.6.1.2.1.25.4.2.1.2.47456 = STRING: "snmpd"

If I kill the process and start as root, we get the full list.

root   93943   0.0  0.2   38816 26296  -  S    08:02       0:00.01 /usr/local/sbin/snmpd -p /var/run/net_snmpd.pid

zabbix:~$ snmpwalk -v2c -cExample foo.bar.com .1.3.6.1.2.1.25.4.2.1.2
iso.3.6.1.2.1.25.4.2.1.2.20 = STRING: "lighttpd"
iso.3.6.1.2.1.25.4.2.1.2.315 = STRING: "python3.11"
iso.3.6.1.2.1.25.4.2.1.2.317 = STRING: "python3.11"
iso.3.6.1.2.1.25.4.2.1.2.563 = STRING: "devd"
iso.3.6.1.2.1.25.4.2.1.2.8724 = STRING: "ntpd"
iso.3.6.1.2.1.25.4.2.1.2.12072 = STRING: "dpinger"
iso.3.6.1.2.1.25.4.2.1.2.12829 = STRING: "daemon"
iso.3.6.1.2.1.25.4.2.1.2.13264 = STRING: "php"
iso.3.6.1.2.1.25.4.2.1.2.13324 = STRING: "syslog-ng"
iso.3.6.1.2.1.25.4.2.1.2.13761 = STRING: "syslog-ng"
iso.3.6.1.2.1.25.4.2.1.2.21025 = STRING: "csh"
iso.3.6.1.2.1.25.4.2.1.2.25394 = STRING: "daemon"

I don't see this issue with the non-Business edition. It always seems to start as root and not the snmpd user.

Seems you can set the following in /usr/local/etc/rc.d/snmpd to have it run as root.
Just curious why Business vs Community causes this break.

snmpd_sugid="NO"


September 06, 2024, 07:16:45 PM #2 Last Edit: September 06, 2024, 07:23:49 PM by doktornotor
# cat /usr/local/opnsense/service/templates/OPNsense/Netsnmp/snmpd
{% if helpers.exists('OPNsense.netsnmp.general.enabled') and OPNsense.netsnmp.general.enabled == '1' %}
snmpd_setup="/usr/local/opnsense/scripts/OPNsense/Netsnmp/setup.sh"
snmpd_enable="YES"
snmpd_sugid="NO"
{% else %}
snmpd_enable="NO"
{% endif %}



Also, there's been some great upstream idea - which shouldn't be relevant here - but definitely broke things nicely.

It's most secure when it's not running at all. You are just half-way there on business, apparently. :-*
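
A monitoring-side check for the symptom in the first post, as an added example that is not part of the thread: it parses hrSWRunName walk output and flags an agent that reports only its own process. The function names and the sample rows (including the snmpd row in the root sample) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample rows are constructed from the output quoted in the thread.

# Turn hrSWRunName walk lines into "pid name" pairs. Works for numeric
# (iso.3.6.1...) and symbolic (HOST-RESOURCES-MIB::hrSWRunName.N) output.
hrswrun_rows() {
    awk -F' = STRING: ' 'NF == 2 {
        n = split($1, oid, /\./); name = $2
        gsub(/^"|"$/, "", name)
        print oid[n], name
    }'
}

# "blind" if the agent reports nothing but itself, "empty" if the walk
# returned no rows, otherwise "ok <row count>".
visibility_verdict() {
    hrswrun_rows | awk -v self="${1:-snmpd}" '
        { total++; if (substr($0, index($0, " ") + 1) != self) other++ }
        END {
            if (total == 0) print "empty"
            else if (other == 0) print "blind"
            else print "ok " total
        }'
}

# Print every required process name that the walk does not report.
missing_required() {
    rows=$(hrswrun_rows)
    for want in "$@"; do
        printf '%s\n' "$rows" | awk -v w="$want" \
            '{ if (substr($0, index($0, " ") + 1) == w) f = 1 } END { exit !f }' \
            || printf '%s\n' "$want"
    done
}

sample_dropped() { cat <<'EOF'
iso.3.6.1.2.1.25.4.2.1.2.47456 = STRING: "snmpd"
EOF
}
sample_root() { cat <<'EOF'
iso.3.6.1.2.1.25.4.2.1.2.20 = STRING: "lighttpd"
iso.3.6.1.2.1.25.4.2.1.2.8724 = STRING: "ntpd"
iso.3.6.1.2.1.25.4.2.1.2.93943 = STRING: "snmpd"
EOF
}

printf 'dropped privileges: %s\n' "$(sample_dropped | visibility_verdict)"
printf 'running as root:    %s\n' "$(sample_root | visibility_verdict)"
```

Against a live agent, pipe the snmpwalk command from the first post into `visibility_verdict` or `missing_required ntpd dpinger`.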