Date:      Fri, 02 May 2014 13:58:16 +0200
From:      Willem Jan Withagen <wjw@digiware.nl>
To:        Dag-Erling Smørgrav <des@des.no>,  Matthew Seaman <matthew@FreeBSD.org>
Cc:        Corey Smith <corsmith@gmail.com>, freebsd-security@freebsd.org, d@delphij.net
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-14:07.devfs
Message-ID:  <53638858.2010109@digiware.nl>
In-Reply-To: <86tx98ijls.fsf@nine.des.no>
References:  <CAHQQXOM_OBzsiLLxtUTFY1KQNAftz-GRQv3tV6zD3iENt9%2Bjcg@mail.gmail.com> <536147DE.5030703@delphij.net> <53614D16.9060206@FreeBSD.org> <86tx98ijls.fsf@nine.des.no>

On 2-5-2014 12:02, Dag-Erling Smørgrav wrote:
> Matthew Seaman <matthew@FreeBSD.org> writes:
>> You can start snmpd with the '-r' flag which means it will at least run
>> without needing access to /dev/mem or anything else privileged, but at
>> the cost of reduced functionality.  For instance the 'proc foo' test to
>> check on the presence of a foo process doesn't work.  Quite why that
>> should need rootly privilege I do not know: it's effectively the same as
>> grepping the output of 'ps -acx'.
> 
> It probably uses libkvm instead of the newer libprocstat, which does not
> require access to /dev/mem.  The only reason you'd ever want to use
> libkvm is if you want to be able to operate on kernel dumps.

Opening and ripping all kvm out of net-snmp is going to be a nice
challenge... I've fixed things a few times in the past, but the code is
loaded with #ifdef <OS1234> stuff because it needs to cater to all
flavors of OSes it wants to be available on.

But even then, reducing its privileges after starting will also hamper
any perl-plugin that requires anything more than just the basic rights.
So you'd be running into access problems in other places as well.
Sometimes you can fix those with either changed access rights or sudo.
But I would not be surprised if not everything is going to be smooth
sailing....

--WjW




