Grsec & snmpd

With a grsec-patched kernel, only members of a specific group (here group 112) are allowed to access /proc, but putting the snmp user in that group is not enough, because snmpd does not set up the supplementary groups of the user it switches to. You can use the -g flag, but that only changes the primary group; snmpd still does not load the user's supplementary groups.

For instance, without setting the -g flag:

Gid:    0       0       0       0
Groups: 0

With -g 112:

Uid:    118    118    118    118
Gid:    112    112    112    112
Groups: 112

I wrote this quick & dirty little patch to enable correct group attribution:

--- snmpd-orig/agent/snmpd.c        2007-07-19 23:01:43.000000000 +0200
+++ snmpd-patch/agent/snmpd.c       2008-11-17 15:02:04.000000000 +0100
@@ -960,7 +960,7 @@
         DEBUGMSGTL(("snmpd/main", "Changing gid to %d.\n", gid));
         if (setgid(gid) == -1
#ifdef HAVE_SETGROUPS
-            || setgroups(1, (gid_t *)&gid) == -1
+            || initgroups(getpwuid(uid)->pw_name, gid) == -1
#endif
             ) {
             snmp_log_perror("setgid failed");
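Review bot: the `+` line dereferences `getpwuid(uid)` without a NULL check, so an unknown uid crashes the agent instead of reaching the `snmp_log_perror` branch; in addition, the context at the end of this patch shows `uid` being assigned from `netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID, ...)` only in the `HAVE_SETUID` block after this one, so the value used here may not yet be the -u user. Suggest resolving the passwd entry once into a `struct passwd *pw` from the `NETSNMP_DS_AGENT_USERID` datastore value, logging and bailing out when `pw == NULL`, and using a message other than "setgid failed" for an initgroups error so the two cases can be told apart in the log.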
@@ -970,6 +970,14 @@
             }
         }
     }
+    else if(initgroups(getpwuid(uid)->pw_name, getpwuid(uid)->pw_gid) == -1)
+    {
+      snmp_log_perror("initgroups failed");
+      if (!netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID,
+    NETSNMP_DS_AGENT_NO_ROOT_ACCESS)) {
+          exit(1);
+      }
+    }
#endif
#ifdef HAVE_SETUID
     if ((uid = netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID,
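Review bot: the new `else if` branch calls `getpwuid(uid)` twice and dereferences both results without a NULL check; it also calls `initgroups()` outside the `#ifdef HAVE_SETGROUPS` guard that the first hunk keeps, and is taken even when neither -u nor -g was given (uid still 0), in which case it reloads root's groups for no reason. Suggest one guarded lookup, e.g. `struct passwd *pw = getpwuid(uid); if (uid != 0 && pw != NULL && initgroups(pw->pw_name, pw->pw_gid) == -1)`, wrapped in the same configure check, and matching the surrounding four-space indentation and `else if (` spacing.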

Now I do have:

Uid:    118    118    118    118
Gid:    112    112    112    112
Groups: 112 65534
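The privilege drop the patch is after, written out as an added example (this is not the post's patch and not net-snmp code): resolve the user once, refuse to continue when the passwd entry is missing, call initgroups() while still root, then setgid()/setuid(), and verify the result by parsing the Groups: line from /proc/<pid>/status. The user name, extra gid and status line are inputs the caller supplies; the names `drop_privileges` and `status_groups_contain` are my own.

```c
/* Added example (not net-snmp code): drop root to an unprivileged user while
 * loading its supplementary groups, and check a /proc/<pid>/status Groups: line. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Returns 0 on success, otherwise an errno value. ENOENT means the user name
 * is unknown (the NULL passwd case the patch above does not check). */
int drop_privileges(const char *user, gid_t extra_gid)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return ENOENT;
    /* initgroups() needs root: it installs every group the user belongs to
     * plus extra_gid (e.g. the grsec /proc group), so it must precede setuid(). */
    if (initgroups(pw->pw_name, extra_gid) == -1 || setgid(extra_gid) == -1 ||
        setuid(pw->pw_uid) == -1)
        return errno;
    if (setuid(0) == 0)            /* regaining root must fail after the drop */
        return EPERM;
    return 0;
}

/* Parses a line such as "Groups: 112 65534" (from /proc/<pid>/status) and
 * reports whether gid is among the listed supplementary groups. */
int status_groups_contain(const char *line, gid_t gid)
{
    const char *p = strchr(line, ':');
    if (p == NULL)
        return 0;
    for (p++; *p != '\0'; ) {
        char *end;
        unsigned long g = strtoul(p, &end, 10);
        if (end == p)
            break;                 /* no further numbers on the line */
        if ((gid_t)g == gid)
            return 1;
        p = end;
    }
    return 0;
}
```

Call drop_privileges() as root early in daemon start-up, then feed the Groups: line of /proc/<pid>/status to status_groups_contain() to confirm the grsec group is really present.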
  • Last modified: 2015/05/18 17:18
  • by Benjamin Collet