Re: net-snmpd extend and doas : a tty is required

2018-04-13 Thread Martijn van Duren
On 04/12/18 23:13, Joel Carnat wrote:
>> On 12 Apr 2018, at 21:10, Stuart Henderson wrote:
>>
>> On 2018-04-12, Joel Carnat wrote:
>>> Hi,
>>>
>>> I want net-snmpd to run a script via the extend directive.
>>> This script has to run a command using doas to get temporary root 
>>> permission.
>>>
>>> The script is run on snmpcmd call but the doas command returns:
>>> doas: a tty is required
>>>
>>> Is there a way to run doas from net-snmpd ?
>>> I already have doas running from collectd-exec without issues.
>>>
>>> Thanks.
>>>
>>> # More info on configuration and commands
>>>
>>> # grep extend /etc/snmp/snmpd.conf
>>> extend test /home/scripts/test.sh
>>>
>>> # grep snmpd /etc/doas.conf
>>> permit nopass _snmpd as root
>>
>> Net-SNMP runs as _netsnmp, but you're giving nopass access to _snmpd
>> (base snmpd's uid, which doesn't execute anything anyway).
> 
> Of course…
> Using "permit nopass _netsnmp as root" makes it run as expected.

Please add "cmd  args ..." to that line to prevent more root-
exposure than required.
> 
> Thanks a lot!
>
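
The `cmd ... args` restriction suggested above can be checked mechanically. The following is an added example, not part of the thread: a POSIX shell function that flags `permit nopass` rules with no `cmd` keyword. The function names, the sample rules and the `/bin/ls` restriction are assumptions modelled on the test script in the original post, and one rule per line is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a doas.conf for passwordless
# rules that are not limited to a single command.
# Assumption: one rule per line, no backslash continuations.

# audit_doas_nopass FILE
# Prints "LINE: rule" for every permit rule with nopass and no cmd keyword.
# Returns 1 when at least one such rule exists, 0 otherwise.
audit_doas_nopass() {
    awk '
        { sub(/#.*/, "") }               # drop comments
        $1 != "permit" { next }          # deny rules grant nothing
        {
            nopass = 0; restricted = 0
            for (i = 2; i <= NF; i++) {
                # tokens after "cmd" are the command and its args
                if ($i == "cmd") { restricted = 1; break }
                if ($i == "nopass") nopass = 1
            }
            if (nopass && !restricted) {
                printf "%d: %s\n", NR, $0
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: the two rules quoted in the thread plus a restricted
# form. /bin/ls and /bsd come from test.sh; the absolute path is an assumption.
# doas matches cmd against the command as invoked, so test.sh would then call
# "doas -u root /bin/ls /bsd".
sample_doas_conf() {
    cat <<'EOF'
# constructed sample doas.conf
permit nopass _snmpd as root
permit nopass _netsnmp as root
permit nopass _netsnmp as root cmd /bin/ls args /bsd
permit persist :wheel
EOF
}

tmp=$(mktemp) && sample_doas_conf > "$tmp"
audit_doas_nopass "$tmp" || echo "unrestricted nopass rule(s) found"
rm -f "$tmp"
```

On OpenBSD, `doas -C /etc/doas.conf command args` prints `permit`, `permit nopass` or `deny` for the invoking user without executing anything, which confirms how a specific invocation matches.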



Re: net-snmpd extend and doas : a tty is required

2018-04-12 Thread Joel Carnat
> On 12 Apr 2018, at 21:10, Stuart Henderson wrote:
> 
> On 2018-04-12, Joel Carnat wrote:
>> Hi,
>> 
>> I want net-snmpd to run a script via the extend directive.
>> This script has to run a command using doas to get temporary root 
>> permission.
>> 
>> The script is run on snmpcmd call but the doas command returns:
>> doas: a tty is required
>> 
>> Is there a way to run doas from net-snmpd ?
>> I already have doas running from collectd-exec without issues.
>> 
>> Thanks.
>> 
>> # More info on configuration and commands
>> 
>> # grep extend /etc/snmp/snmpd.conf
>> extend test /home/scripts/test.sh
>> 
>> # grep snmpd /etc/doas.conf
>> permit nopass _snmpd as root
> 
> Net-SNMP runs as _netsnmp, but you're giving nopass access to _snmpd
> (base snmpd's uid, which doesn't execute anything anyway).

Of course…
Using "permit nopass _netsnmp as root" makes it run as expected.

Thanks a lot!




Re: net-snmpd extend and doas : a tty is required

2018-04-12 Thread Stuart Henderson
On 2018-04-12, Joel Carnat wrote:
> Hi,
>
> I want net-snmpd to run a script via the extend directive.
> This script has to run a command using doas to get temporary root 
> permission.
>
> The script is run on snmpcmd call but the doas command returns:
> doas: a tty is required
>
> Is there a way to run doas from net-snmpd ?
> I already have doas running from collectd-exec without issues.
>
> Thanks.
>
> # More info on configuration and commands
>
> # grep extend /etc/snmp/snmpd.conf
> extend test /home/scripts/test.sh
>
> # grep snmpd /etc/doas.conf
> permit nopass _snmpd as root

Net-SNMP runs as _netsnmp, but you're giving nopass access to _snmpd
(base snmpd's uid, which doesn't execute anything anyway).




Re: net-snmpd extend and doas : a tty is required

2018-04-12 Thread Ted Unangst
Joel Carnat wrote:
> Hi,
> 
> I want net-snmpd to run a script via the extend directive.
> This script has to run a command using doas to get temporary root 
> permission.
> 
> The script is run on snmpcmd call but the doas command returns:
> doas: a tty is required
> 
> Is there a way to run doas from net-snmpd ?
> I already have doas running from collectd-exec without issues.

it needs a tty to ask for the password. you can use the nopasswd option, or
something like expect to provide a tty.



net-snmpd extend and doas : a tty is required

2018-04-12 Thread Joel Carnat

Hi,

I want net-snmpd to run a script via the extend directive.
This script has to run a command using doas to get temporary root 
permission.


The script is run on snmpcmd call but the doas command returns:
doas: a tty is required

Is there a way to run doas from net-snmpd ?
I already have doas running from collectd-exec without issues.

Thanks.

# More info on configuration and commands

# grep extend /etc/snmp/snmpd.conf
extend test /home/scripts/test.sh

# grep snmpd /etc/doas.conf
permit nopass _snmpd as root

# userinfo _netsnmp
login   _netsnmp
passwd  *
uid 760
groups  _netsnmp
change  NEVER
class   daemon
gecos   Net-SNMP user
dir /nonexistent
shell   /sbin/nologin
expire  NEVER

# cat /home/scripts/test.sh
#!/usr/bin/env ksh
PATH="/bin:/sbin:/usr/bin:/usr/sbin"
echo ligne 1
echo ligne 2
doas -u root ls /bsd
exit 0

# snmpwalk -v 2c -c secret 10.0.0.7 .1.3.6.1.4.1.8072.1.3.2.4.1.2.4.116.101.115.116
NET-SNMP-EXTEND-MIB::nsExtendOutLine."test".1 = STRING: ligne 1
NET-SNMP-EXTEND-MIB::nsExtendOutLine."test".2 = STRING: ligne 2
NET-SNMP-EXTEND-MIB::nsExtendOutLine."test".3 = STRING: doas: a tty is required