[Pkg-net-snmp-devel] Bug#965166: Bug#965166: snmpd privilege escalation
Bart Van Assche
bvanassche at acm.org
Tue Jul 21 02:54:21 BST 2020
On 2020-07-19 20:25, Craig Small wrote:
> A patch has been applied to the Net-SNMP v5.8 and master branches that
> removes the EXTEND MIB from the list with default MIBs. See also commit
> c2b96ee74439 ("snmpd: Disable NET-SNMP-EXTEND-MIB support by default").
>
> Is the single line removal in that commit all it needs? From what I can
> see the patch for v5.8 and master branches is just importing c2b96ee74439.
> That will make things very easy to fix.
The above matches my understanding.
> Since Net-SNMP already
> supports other mechanisms for extending snmpd, e.g. the extend and
> extendfix directives in snmpd.conf, I propose to disable the EXTEND MIB.
>
> I'm happy to see it go, for the reasons you point out.
>
> Oddly enough, if you set the user in the configuration file and set it
> on the command line with the -u flag, the configuration file parameter
> wins.
>
> root 41574 0.0 0.0 23592 13768 ? Ss 13:12 0:00
> /usr/sbin/snmpd -LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger
> mteTriggerConf -f -p /run/snmpd.pid
A patch is under discussion that will change this behavior such that the
command line -u flag takes precedence if both the -u flag and the
agentuser configuration file parameter have been set. I hope that patch
will be applied a few days from now.
Bart.
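
The precedence question discussed in this message, as an added example that is not part of the original thread or of Net-SNMP: a Python check that compares the -u value on an snmpd command line with the agentuser directive in snmpd.conf text, under both the current ordering and the one the patch would introduce. The function names, the snmpd.conf content and the "last directive applies" rule are assumptions made for the example.

```python
import shlex

# Flags on the thread's command line that consume the next token.
# Simplification: snmpd has more options than are handled here.
TAKES_VALUE = {"-u", "-g", "-I", "-p"}


def cmdline_user(cmdline):
    """Return the value passed to -u, or None if the flag is absent."""
    tokens = shlex.split(cmdline)
    user, i = None, 1  # tokens[0] is the program path
    while i < len(tokens):
        tok = tokens[i]
        if tok in TAKES_VALUE and i + 1 < len(tokens):
            if tok == "-u":
                user = tokens[i + 1]
            i += 2  # skip the value so "-I -smux" is not read as a flag
            continue
        if tok.startswith("-u") and len(tok) > 2:  # attached form: -uNAME
            user = tok[2:]
        i += 1
    return user


def config_user(conf_text):
    """Return the agentuser value from snmpd.conf text, or None.
    Assumption: when the directive is repeated, the last one applies."""
    user = None
    for line in conf_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment line
        if len(fields) >= 2 and fields[0].lower() == "agentuser":
            user = fields[1]
    return user


def effective_user(cmdline, conf_text, cmdline_wins):
    """cmdline_wins=False: behaviour described in the thread (file wins).
    cmdline_wins=True: behaviour of the patch under discussion."""
    cli, conf = cmdline_user(cmdline), config_user(conf_text)
    first, second = (cli, conf) if cmdline_wins else (conf, cli)
    return first or second  # None means no user switch was requested


# The command line is the one quoted in the thread; the snmpd.conf
# content is constructed for this example.
CMDLINE = ("/usr/sbin/snmpd -LOw -u Debian-snmp -g Debian-snmp "
           "-I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid")
CONF = "# constructed sample\nagentuser root\n"
```

A result of root from effective_user(CMDLINE, CONF, False) alongside Debian-snmp from the True case marks a host where the -u flag in the service definition is not what decides the account snmpd runs as.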