[Pkg-net-snmp-devel] Bug#911216: snmpd: Upgrading the package may change UID/GID of the Debian-snmp user, triggering e.g. rkhunter warnings

Ramon Cahenzli rca at psy-q.ch
Wed Oct 17 09:00:27 BST 2018

Package: snmpd
Version: 5.7.3+dfsg-1.7+deb9u1
Severity: normal

Dear Maintainer,

Upgrading the snmpd package appears to remove and re-add the user
"Debian-snmp" every time. If any other users have been removed in the
meantime, this triggers a change of UID/GID for Debian-snmp, and that
in turn may trigger an IDS, antivirus or anti-rootkit solution like
rkhunter to raise an alarm.

Steps to reproduce:

  1. Add a new system user.

  2. Install the snmpd package.

  3. Remove the system user added during 1.

  4. Upgrade the snmpd package (e.g. by adding the security repository
     where a newer version is available)

  5. Observe that the Debian-snmp user has been removed and re-added
     while upgrading the package, thus UID/GID has changed.

Please note that step 3 may also be performed by any packages added or
removed intermittently; it doesn't have to be a manual operation
consciously performed by an admin.

After such an upgrade, rkhunter now reports:

Info: Starting test name 'passwd_changes'
   Checking for passwd file changes                [ Warning ]
 Warning: User 'snmp' has been removed from the passwd file.
 Warning: Changes found in the passwd file for user 'Debian-snmp': 
          The UID has changed from '117' to '109' 
          The GID has changed from '123' to '113'

Info: Starting test name 'group_changes'
   Checking for group file changes                 [ Warning ]
 Warning: Group 'snmp' has been removed from the group file.
 Warning: Changes found in the group file for group 'Debian-snmp': 
          The group number has changed from '123' to '113'

The expected result would be that Debian-snmp is not removed and
re-added during every upgrade, but that the user simply remains there
and also keeps its GID and UID.

-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages snmpd depends on:
ii  adduser                3.115
ii  debconf [debconf-2.0]  1.5.61
ii  init-system-helpers    1.48
ii  libc6                  2.24-11+deb9u3
ii  libsnmp-base           5.7.3+dfsg-1.7+deb9u1
ii  libsnmp30              5.7.3+dfsg-1.7+deb9u1
ii  lsb-base               9.20161125

snmpd recommends no packages.

Versions of packages snmpd suggests:
pn  snmptrapd  <none>

-- Configuration Files:
/etc/default/snmpd changed:
export MIBS=
SNMPDOPTS='-LS4d -Lf /dev/null -u snmp -g snmp -I -smux,mteTrigger,mteTriggerConf -p /run/snmpd.pid'

/etc/snmp/snmpd.conf [Errno 13] Permission denied: '/etc/snmp/snmpd.conf'
/etc/snmp/snmptrapd.conf [Errno 13] Permission denied: '/etc/snmp/snmptrapd.conf'

-- debconf information:
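
Added example, not part of the original report and not code from rkhunter or the snmpd package: a minimal comparison of two passwd snapshots that yields the same kind of findings as the 'passwd_changes' warnings quoted above, and also flags a UID that now belongs to a different account name. The snapshot contents are constructed; only the Debian-snmp values 117/123 and 109/113 come from the report, and the IDs given to 'snmp' are an assumption.

```python
# Constructed snapshots. Debian-snmp IDs match the report; the 'snmp'
# line's UID/GID, home directories and shells are assumed for illustration.
BEFORE = """\
root:x:0:0:root:/root:/bin/bash
snmp:x:109:113::/var/lib/snmp:/usr/sbin/nologin
Debian-snmp:x:117:123::/var/lib/snmp:/bin/false
"""
AFTER = """\
root:x:0:0:root:/root:/bin/bash
Debian-snmp:x:109:113::/var/lib/snmp:/bin/false
"""

def parse_passwd(text):
    """Return {name: (uid, gid)}; blank, comment and malformed lines are skipped."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # malformed entry: ignore rather than guess
        accounts[fields[0]] = (int(fields[2]), int(fields[3]))
    return accounts

def passwd_drift(before, after):
    """List (kind, name, old_ids, new_ids) for removed, added and changed accounts."""
    old, new = parse_passwd(before), parse_passwd(after)
    findings = []
    for name in sorted(old.keys() | new.keys()):
        if name not in new:
            findings.append(("removed", name, old[name], None))
        elif name not in old:
            findings.append(("added", name, None, new[name]))
        elif old[name] != new[name]:
            findings.append(("changed", name, old[name], new[name]))
    return findings

def reused_uids(before, after):
    """List (uid, old_name, new_name) where a UID now maps to a different name."""
    old, new = parse_passwd(before), parse_passwd(after)
    old_by_uid = {uid: name for name, (uid, _) in old.items()}
    return sorted((uid, old_by_uid[uid], name) for name, (uid, _) in new.items()
                  if uid in old_by_uid and old_by_uid[uid] != name)

if __name__ == "__main__":
    for finding in passwd_drift(BEFORE, AFTER):
        print(finding)
    for uid, was, now in reused_uids(BEFORE, AFTER):
        print(f"UID {uid} was '{was}', is now '{now}'")
```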
