On 04/12/18 23:13, Joel Carnat wrote:
>> On 12 Apr 2018, at 21:10, Stuart Henderson <s...@spacehopper.org> wrote:
>>
>> On 2018-04-12, Joel Carnat <j...@carnat.net> wrote:
>>> Hi,
>>>
>>> I want net-snmpd to run a script via the extend directive.
>>> This script has to run a command using doas to get temporary root
>>> permission.
>>>
>>> The script is run on snmpcmd call but the doas command returns:
>>> doas: a tty is required
>>>
>>> Is there a way to run doas from net-snmpd?
>>> I already have doas running from collectd-exec without issues.
>>>
>>> Thanks.
>>>
>>> # More info on configuration and commands
>>>
>>> # grep extend /etc/snmp/snmpd.conf
>>> extend test /home/scripts/test.sh
>>>
>>> # grep snmpd /etc/doas.conf
>>> permit nopass _snmpd as root
>>
>> Net-SNMP runs as _netsnmp, but you're giving nopass access to _snmpd
>> (base snmpd's uid, which doesn't execute anything anyway).
>
> Of course…
> Using "permit nopass _netsnmp as root" makes it run as expected.

Please add "cmd <command> args ..." to that line to prevent more
root-exposure than required.

>
> Thanks a lot!
>
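
One way to check a doas.conf for the unrestricted rule the last reply warns about, as an added example that is not part of the original thread. The function name `audit_doas`, the sample rules and the `/path/to/command` placeholder are constructed for illustration; the parser is simplified (one rule per line, no quoted strings or line continuations).

```shell
#!/bin/sh
# Added example: list doas.conf rules that give an identity passwordless
# root with no "cmd" restriction, i.e. the right to run anything as root.

audit_doas() {
    # $1: path to a doas.conf-style file
    awk '
    { sub(/#.*/, "") }                    # drop comments
    $1 != "permit" { next }               # only permit rules grant access
    {
        nopass = 0; has_cmd = 0; ident = ""
        target = "root"                   # doas targets root when "as" is absent
        for (i = 2; i <= NF; i++) {
            if ($i == "cmd") { has_cmd = 1; break }
            else if ($i == "nopass") nopass = 1
            else if ($i == "as") target = $(++i)
            else if ($i == "setenv") { while (i < NF && $i !~ /[}]$/) i++ }
            else if ($i == "nolog" || $i == "persist" || $i == "keepenv") continue
            else if (ident == "") ident = $i
        }
        if (nopass && target == "root" && !has_cmd)
            printf "%d: %s may run any command as root without a password\n", NR, ident
    }' "$1"
}

# Constructed sample: the two rules from the thread plus a restricted form.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real configuration
permit nopass _snmpd as root
permit nopass _netsnmp as root
permit nopass _netsnmp as root cmd /path/to/command args --constructed-arg
permit persist :wheel
EOF
audit_doas "$sample"
rm -f "$sample"
```

Only the rule carrying `cmd` passes silently; with `args` present, doas additionally requires the arguments to match exactly.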