artulab
projects / openbsd / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 0bee16b) | patch
Add privilege separation to snmpd.
authormartijn <martijn@openbsd.org>
Thu, 1 Sep 2022 14:34:17 +0000 (14:34 +0000)
committermartijn <martijn@openbsd.org>
Thu, 1 Sep 2022 14:34:17 +0000 (14:34 +0000)
commit1985d3eb5f6acde8e42cb4da09957b79eaa3d1e3
treec2537a8d20bee2398455102098ad74e495543e49tree | snapshot
parent0bee16bd74c33631f745dc53e0c04300d8fb6e11commit | diff
Add privilege separation to snmpd.

This uses the just imported snmpd_metrics as a new (agentx-based) backend.
Snmpd(8) executes all files in /usr/libexec/snmpd and treats regions
registered by these binaries as authorative, so that no other agentx
backends can overwrite them. The snmpe process is now pledged
"stdio recvfd inet unix".

This removes quite a few entries from the sysORTable, but the current
entries are non-compliant anyway and should be completely revisisted at a
later time.

Reduces the time for a full walk by about a factor of 4, bringing us close
to the original speed before application.c was introduced.

General design discussed with claudio@
Tested by and OK sthen
Release build test and OK tb@
usr.sbin/snmpd/application.h diff | blob | history
usr.sbin/snmpd/application_agentx.c diff | blob | history
usr.sbin/snmpd/mib.c diff | blob | history
usr.sbin/snmpd/snmpd.c diff | blob | history
usr.sbin/snmpd/snmpd.h diff | blob | history
usr.sbin/snmpd/snmpe.c diff | blob | history
OpenBSD src
by Ahmet Artu Yildirim