閱讀文章 - 看板 FB_security

發信人matthew@FreeBSD.org (Matthew Seaman),

看板FB_security

標題Re: FreeBSD Security Advisory FreeBSD-SA-14:07.devfs

發信站NCTU CS FreeBSD Server (Thu May 1 04:20:54 2014)

轉信站ptt!csnews.cs.nctu!news.cednctu!FreeBSD.cs.nctu!.POSTED!freebsd.org!ow

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --U7AJBnfrU8sAF85njGGrrpQHmJeiXM0bR Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable On 30/04/2014 19:58, Xin Li wrote: > On 04/30/14 11:51, Corey Smith wrote: >>> It would be interesting to find out if we could teach net-snmpd >>> to use alternative methods to access data it needs >=20 >> It is not necessary if you build net-mgmt/net-snmp with the >> UNPRIVILEGED knob set. >=20 > Will there be any lost functionality with that knob set? (I don't use > net-snmp myself) If there is no lost functional, I think it's > sensible to hard wire that option -- giving access to /dev/[k]mem > makes me feel quite nervous, especially for network facing daemons... Yeah. net-snmp is not something to expose to the internet in general. Private networks only is my rule. You can start snmpd with the '-r' flag which means it will at least run without needing access to /dev/mem or anything else privileged, but at the cost of reduced functionality. For instance the 'proc foo' test to check on the presence of a foo process doesn't work. Quite why that should need rootly privilege I do not know: it's effectively the same as grepping the output of 'ps -acx'. Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. PGP: http://www.infracaninophile.co.uk/pgpkey --U7AJBnfrU8sAF85njGGrrpQHmJeiXM0bR Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.20 (Darwin) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQJ8BAEBCgBmBQJTYU0eXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2NTNBNjhCOTEzQTRFNkNGM0UxRTEzMjZC QjIzQUY1MThFMUE0MDEzAAoJELsjr1GOGkATKEYQAJCuf1vmuAyY5ffMhFx5zn9R pS0mAKwYGMMfWpHGdFIWTIw/fCbEGAGy3IcrAixS77K3i8p7ipWUXik7KAYDsxB3 pDaHG2mxpYDFawM5A82capwWB3+rPr0M9F29LbD3FxKmmk7/CYnmd+/iGQebFLHb 3AooqjuFSYe4THb4NVpKghMXHi1ERmb5eyGJ8IDcdxsh36TeOMK7tz/S1lTA1MS0 yCgLqFqqaNi1GzvUDzTSwsikDzIMgdyoJaGpT8n708LeqCJ1ZoWYE2r3689s+le1 duX8Oql8nDLKu5rvpW5LNJpEkURn94FUiXuruTiY3UOJ9smZ+QyQa43D6c5z01TO /wlhdJHAYrV9Z4y26dTWmJ6Hzkjaz4hD0EiD7m7RgtDJ0wDiiuK4DJ+TgZaJnJL5 BGUAW3AEwUO9ErcE8Z22Ieoi7EkIkwn4nH4WkvO8LKW6B4PDkD8bVzqQdQLh15ZA cRr5BjqD1ugbZ/n71ONY9yFpx4KpohdQASLjobzlX/ss9Mh1goTlxTyGblS6PThE jRfJfjodIM6DlaqYCzhZtka5J79WquLEp7PGHkGdSIbuef47pGhmH2IC0SNAh4HL vuyIk00d6bbEQY+UI//oIvjxhN+hJhLvEZ0Gv5EyH4L76Mgov3JsWq7dqktiYRPe 4hextjlBRPh1ynqKYNor =pCZE -----END PGP SIGNATURE----- --U7AJBnfrU8sAF85njGGrrpQHmJeiXM0bR--