Date: Wed, 30 Apr 2014 20:20:54 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: d@delphij.net, Corey Smith <corsmith@gmail.com>, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:07.devfs
Message-ID: <53614D16.9060206@FreeBSD.org>
In-Reply-To: <536147DE.5030703@delphij.net>
References: <CAHQQXOM_OBzsiLLxtUTFY1KQNAftz-GRQv3tV6zD3iENt9%2Bjcg@mail.gmail.com> <536147DE.5030703@delphij.net>

On 30/04/2014 19:58, Xin Li wrote:
> On 04/30/14 11:51, Corey Smith wrote:
>>> It would be interesting to find out if we could teach net-snmpd
>>> to use alternative methods to access data it needs
>
>> It is not necessary if you build net-mgmt/net-snmp with the
>> UNPRIVILEGED knob set.
>
> Will there be any lost functionality with that knob set? (I don't use
> net-snmp myself) If there is no lost functionality, I think it's
> sensible to hard wire that option -- giving access to /dev/[k]mem
> makes me feel quite nervous, especially for network facing daemons...

Yeah. net-snmp is not something to expose to the internet in general.
Private networks only is my rule.

You can start snmpd with the '-r' flag which means it will at least run
without needing access to /dev/mem or anything else privileged, but at
the cost of reduced functionality. For instance the 'proc foo' test to
check on the presence of a foo process doesn't work. Quite why that
should need rootly privilege I do not know: it's effectively the same as
grepping the output of 'ps -acx'.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey