On Thu, 2005-12-08 at 23:00 -0800, Wes Hardaker wrote: > your new [directive] doesn't > really let people understand the ramifications of what accepting all > traps means.
That's important, certainly. But I'm uncertain how much information it's possible to convey within the name of a configuration token. That sort of detail really belongs in the documentation, IMO - i.e. the man page entry for 'snmptrapd.conf'. Which, by a stunning coincidence, is exactly what I'll be working on this weekend :-) > How about "acceptUnauthorizedNotifications" or something a > bit more blatant that what they're doing may allow their machine > to be taken over if they're also using traphandle scripts. Ummm... If I'm going to be writing this documentation, maybe it would be helpful if *I* were a little clearer about the dangers. Perhaps you could say something more about how a machine could be "taken over" from running a traphandle script with an unknown community string or user name? Because I just don't see it, ATM. As I understand it, the traphandler will be invoked using the same user credentials as the running snmptrapd process, and won't depend on the user/community of the incoming trap. Indeed, I didn't think that this user/community information was even *passed* to the trap handler (though I could be wrong there). Talking about a system being "taken over" feels suspiciously like scare tactics to me. I'm quite happy to accept that it's a real danger, but would appreciate a little more detail about exactly what is (and isn't) vulnerable. Dave ------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click _______________________________________________ Net-snmp-coders mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
