Hi Robert,
  Find below the snmpd.conf file, followed by the results of my test:
"
####################################################################
# First, map the community name (COMMUNITY) into a security name
# (local and mynetwork, depending on where the request is coming
# from):
####################################################################

#       sec.name  source          community
com2sec test1     10.10.0.0/16    global

rocommunity global

####################################################################
# Second, map the security names into group names:
####################################################################

#               sec.model  sec.name
group test1_grp     v1        test1
group test1_grp     v2c       test1

informsink 10.10.16.147

####################################################################
# Third, create a view for us to let the groups have rights to:
####################################################################

#           incl/excl subtree                              mask

# Enable a case one by one and test it
# This is for case A in the example
# (A) subtree: 1.3.6.1.2.1 ( mask: 1 1 1 1 1 1)
#view test1_v  included      1.3.6.1.2.1         0xff

# This is for case B in the example
# (B) subtree: 1.3.6.1.2.1.1.1 (mask:  1 1 1)
#view test1_v  included      1.3.6.1.2.1.1.1     0xe0

# This is for case C in the example
# (C) subtree: 1.3.6.1.2.1.2 (mask: none)
# view test1_v  included      1.3.6.1.2.1.2       0

# This is for case D in the example
# (D) subtree: 1.3.6.1.2.1.1 (mask: 1 1 0 1 0 1 1)
# view test1_v  included      1.3.6.1.2.1.1       0xd6

# This is for case E in the example
# (E) subtree: 1.3.6.1.2.1.2 (mask: 1 1 0 1 0)
# view test1_v  included      1.3.6.1.2.1.2       0xd0

# This is for case F in the example
# (F) subtree: 1.3.6.1.2.1 (mask: 1 1 0 1 0 1)
view test1_v  included      1.3.6.1.2.1         0xd4

####################################################################
# Finally, grant the groups access to their views:
####################################################################

#                context sec.model sec.level    match  read     write  notif
access test1_grp ""      any       noauth       exact  test1_v  none   none
"
Test Results:
"
After each snmpd.conf change, kill snmpd and start snmpd like below:
sudo /usr/local/sbin/snmpd -Lsd -Dsnmpd/main -a -Lf /var/log/snmpd1.log -c /etc/snmp/snmpd.conf

# (A) subtree: 1.3.6.1.2.1 ( mask: 1 1 1 1 1 1)
view test1_v  included      1.3.6.1.2.1         0xff
walk of 1.3.6.1.2.1: 7821 entries, sysDescr.0 to
NOTIFICATION-LOG-MIB::nlmLogDateAndTime

# (B) subtree: 1.3.6.1.2.1.1.1 (mask:  1 1 1)
view test1_v  included      1.3.6.1.2.1.1.1     0xe0
walk of 1.3.6.1.2.1: 7807 entries, sysDescr.0,
NOTIFICATION-LOG-MIB::nlmLogDateAndTime

# (C) subtree: 1.3.6.1.2.1.2 (mask: none)
view test1_v  included      1.3.6.1.2.1.2       0
walk of 1.3.6.1.2.1: 7777 entries, sysDescr.0 to
NOTIFICATION-LOG-MIB::nlmLogDateAndTime

# (D) subtree: 1.3.6.1.2.1.1 (mask: 1 1 0 1 0 1 1)
view test1_v  included      1.3.6.1.2.1.1       0xd6
walk of 1.3.6.1.2.1: 7791 entries, sysDescr.0,
NOTIFICATION-LOG-MIB::nlmLogDateAndTime

# (E) subtree: 1.3.6.1.2.1.2 (mask: 1 1 0 1 0)
view test1_v  included      1.3.6.1.2.1.2       0xd0
walk of 1.3.6.1.2.1: 7791 entries, sysDescr.0,
NOTIFICATION-LOG-MIB::nlmLogDateAndTime

# (F) subtree: 1.3.6.1.2.1 (mask: 1 1 0 1 0 1)
view test1_v  included      1.3.6.1.2.1         0xd4
walk of 1.3.6.1.2.1: 7788 entries, sysDescr.0,
NOTIFICATION-LOG-MIB::nlmLogDateAndTime

"
I have done a similar test on the net-snmp MIB, with results that don't look
consistent to me.

Thanks in advance,
Fatima

On Mon, Mar 22, 2010 at 6:28 AM, Robert Story <[email protected]> wrote:

> On Sun, 21 Mar 2010 19:06:52 -0700 Fatima wrote:
> FP> Hi,
> FP>    We are using net-snmp version 5.5 and we have run into the vacm
> FP> mask issue. We followed the example given in
> FP> http://www.insanum.com/docs/vacm.html, namely:
> FP>
> FP> (A) subtree: 1.3.6.1.2.1
> FP>         mask: 1 1 1 1 1 1
> FP>  (B) subtree: 1.3.6.1.2.1.1.1
> FP>         mask: 1 1 1
> FP>  (C) subtree: 1.3.6.1.2.1.2
> FP>         mask: none
> FP>  (D) subtree: 1.3.6.1.2.1.1
> FP>         mask: 1 1 0 1 0 1 1
> FP>  (E) subtree: 1.3.6.1.2.1.2
> FP>         mask: 1 1 0 1 0
> FP>
> FP> But for case C above, the access is possible for the entire subtree
> FP> .1.3.6.1.2.1. This is net-snmp 5.5 running on Redhat linux.
>
> We need to see your snmpd.conf to see how these views are used.
>
_______________________________________________
Net-snmp-coders mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
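
The view lines for cases A-F in the message above, evaluated under the RFC 3415 view-family rule (an added example, not part of the original message and not net-snmp code). It assumes the MASK field is read as hex octets, most significant bit first, as the snmpd.conf man page describes, with missing mask bits counted as 1; the probe OIDs are constructed, and only a single view line is modelled, not com2sec, rocommunity or access.

```python
import re

# Subtree and MASK exactly as written on the view lines in the message above.
CASES = {
    "A": ("1.3.6.1.2.1", "0xff"),
    "B": ("1.3.6.1.2.1.1.1", "0xe0"),
    "C": ("1.3.6.1.2.1.2", "0"),
    "D": ("1.3.6.1.2.1.1", "0xd6"),
    "E": ("1.3.6.1.2.1.2", "0xd0"),
    "F": ("1.3.6.1.2.1", "0xd4"),
}
# Constructed probe OIDs: one in system, one in interfaces, one under enterprises.
PROBES = {
    "sysDescr.0": "1.3.6.1.2.1.1.1.0",
    "ifDescr.1": "1.3.6.1.2.1.2.2.1.2.1",
    "netSnmp.1.1": "1.3.6.1.4.1.8072.1.1",
}

def parse_oid(text):
    return tuple(int(p) for p in text.strip(".").split("."))

def mask_bits(mask, length):
    """One bit per subtree sub-identifier; bits past the mask are 1 (RFC 3415)."""
    octets = [int(t, 16) for t in re.split(r"[ .:]+", mask.strip())] if mask else []
    bits = [(o >> (7 - i)) & 1 for o in octets for i in range(8)]
    return (bits + [1] * length)[:length]

def pattern(subtree, mask=None):
    """Render the family with '*' wherever the mask bit is 0 (wildcard)."""
    sub = parse_oid(subtree)
    return ".".join(str(s) if b else "*" for s, b in zip(sub, mask_bits(mask, len(sub))))

def in_family(oid, subtree, mask=None):
    """True if oid is at least as long as subtree and matches every masked-in position."""
    oid, sub = parse_oid(oid), parse_oid(subtree)
    if len(oid) < len(sub):
        return False
    return all(b == 0 or o == s for o, s, b in zip(oid, sub, mask_bits(mask, len(sub))))

def visible(case):
    subtree, mask = CASES[case]
    return [name for name, oid in PROBES.items() if in_family(oid, subtree, mask)]

if __name__ == "__main__":
    for case, (subtree, mask) in CASES.items():
        print(case, mask, pattern(subtree, mask), visible(case))
    # Case C again with the MASK field left out (all bits 1, plain subtree).
    print("C without MASK:", pattern("1.3.6.1.2.1.2"),
          [n for n, o in PROBES.items() if in_family(o, "1.3.6.1.2.1.2")])
```

Under these assumptions a MASK of `0` turns every sub-identifier of the case C subtree into a wildcard, while leaving the MASK field out gives the plain subtree 1.3.6.1.2.1.2; zero bits that pad a short mask up to a full octet, as in 0xe0 for case B, are wildcards as well.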
