[Pkg-net-snmp-devel] Bug#911216: snmpd: Upgrading the package may change UID/GID of the Debian-snmp user, triggering e.g. rkhunter warnings
rca at psy-q.ch
Wed Oct 17 09:00:27 BST 2018
Upgrading the snmpd package appears to remove and re-add the user
"Debian-snmp" every time. If any other users have been removed in the
meantime, this triggers a change of UID/GID for Debian-snmp, and that
in turn may trigger an IDS, antivirus or anti-rootkit solution like
rkhunter to raise an alarm.
Steps to reproduce:
1. Add a new system user.
2. Install the snmpd package.
3. Remove the system user added during 1.
4. Upgrade the snmpd package (e.g. by adding the security repository
where a newer version is available)
5. Observe that the Debian-snmp user has been removed and re-added
while upgrading the package, thus UID/GID has changed.
Please note that step 3 may also be performed by any packages added or
removed intermittently; it doesn't have to be a manual operation
consciously performed by an admin.
After such an upgrade, rkhunter now reports:
Info: Starting test name 'passwd_changes'
Checking for passwd file changes [ Warning ]
Warning: User 'snmp' has been removed from the passwd file.
Warning: Changes found in the passwd file for user 'Debian-snmp':
The UID has changed from '117' to '109'
The GID has changed from '123' to '113'
Info: Starting test name 'group_changes'
Checking for group file changes [ Warning ]
Warning: Group 'snmp' has been removed from the group file.
Warning: Changes found in the group file for group 'Debian-snmp':
The group number has changed from '123' to '113'
The expected result would be that Debian-snmp is not removed and
re-added during every upgrade, but that the user simply remains there
and also keeps its GID and UID.
-- System Information:
Debian Release: 9.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-8-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages snmpd depends on:
ii adduser 3.115
ii debconf [debconf-2.0] 1.5.61
ii init-system-helpers 1.48
ii libc6 2.24-11+deb9u3
ii libsnmp-base 5.7.3+dfsg-1.7+deb9u1
ii libsnmp30 5.7.3+dfsg-1.7+deb9u1
ii lsb-base 9.20161125
snmpd recommends no packages.
Versions of packages snmpd suggests:
pn snmptrapd <none>
-- Configuration Files:
SNMPDOPTS='-LS4d -Lf /dev/null -u snmp -g snmp -I
-smux,mteTrigger,mteTriggerConf -p /run/snmpd.pid'
/etc/snmp/snmpd.conf [Errno 13] Permission denied: '/etc/snmp/snmpd.conf'
/etc/snmp/snmptrapd.conf [Errno 13] Permission
-- debconf information:
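
The kind of comparison behind the passwd_changes warnings quoted in the report, as an added example that is not part of the original report and is not rkhunter's own code. The helper name passwd_diff and both snapshots are constructed for illustration; the Debian-snmp UID/GID values are the ones from the report, and the 'snmp' entry's numbers are an assumption.

```shell
#!/bin/sh
# passwd_diff OLD NEW: compare two passwd-format snapshots
# (name:pw:uid:gid:gecos:home:shell) and report accounts that were
# removed, added, or kept their name but changed UID/GID.
# passwd_diff is a hypothetical helper name, not an rkhunter function.
passwd_diff() {
    # "second=1" between the file arguments marks where NEW starts, so an
    # empty OLD file or the same file passed twice is still handled.
    awk -F: '
        !second { uid[$1] = $3; gid[$1] = $4; next }
        {
            seen[$1] = 1
            if (!($1 in uid)) {
                printf "ADDED %s uid=%s gid=%s\n", $1, $3, $4
            } else if (uid[$1] != $3 || gid[$1] != $4) {
                printf "CHANGED %s uid %s->%s gid %s->%s\n", $1, uid[$1], $3, gid[$1], $4
            }
        }
        END {
            for (name in uid)
                if (!(name in seen))
                    printf "REMOVED %s\n", name
        }
    ' "$1" second=1 "$2" | LC_ALL=C sort
}

# Constructed sample snapshots: state before and after the package upgrade.
snapdir=$(mktemp -d)
trap 'rm -rf "$snapdir"' EXIT
old_snap=$snapdir/passwd.before
new_snap=$snapdir/passwd.after

cat > "$old_snap" <<'EOF'
root:x:0:0:root:/root:/bin/bash
snmp:x:109:113::/var/lib/snmp:/bin/false
Debian-snmp:x:117:123::/var/lib/snmp:/bin/false
EOF

cat > "$new_snap" <<'EOF'
root:x:0:0:root:/root:/bin/bash
Debian-snmp:x:109:113::/var/lib/snmp:/bin/false
EOF

passwd_diff "$old_snap" "$new_snap"
```

A CHANGED line for a system account that coincides with a package upgrade in the dpkg log points to the remove-and-re-add behaviour described in the report.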