Re: net-snmpd extend and doas : a tty is required
On 04/12/18 23:13, Joel Carnat wrote:
>> On 12 Apr 2018, at 21:10, Stuart Henderson wrote:
>>
>> On 2018-04-12, Joel Carnat wrote:
>>> Hi,
>>>
>>> I want net-snmpd to run a script via the extend directive.
>>> This script has to run a command using doas to get temporary root
>>> permission.
>>>
>>> The script is run on snmpcmd call but the doas command returns:
>>> doas: a tty is required
>>>
>>> Is there a way to run doas from net-snmpd ?
>>> I already have doas running from collectd-exec without issues.
>>>
>>> Thanks.
>>>
>>> # More infos on configuration and commands
>>>
>>> # grep extend /etc/snmp/snmpd.conf
>>> extend test /home/scripts/test.sh
>>>
>>> # grep snmpd /etc/doas.conf
>>> permit nopass _snmpd as root
>>
>> Net-SNMP runs as _netsnmp, but you're giving nopass access to _snmpd
>> (base snmpd's uid, which doesn't execute anything anyway).
>
> Of course…
> Using "permit nopass _netsnmp as root" makes it run as expected.

Please add "cmd args ..." to that line to prevent more root-exposure
than required.

>
> Thanks a lot!
>
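An added example, not part of any message in this thread: a small sh/awk audit that flags "permit nopass" rules in a doas.conf-style file that are not pinned with cmd and args, which is what the reply above asks for. The function name, the finding labels and the sample file are constructed for illustration, and the parser assumes one rule per line (no backslash continuations).

```shell
#!/bin/sh
# Added example, not from the thread. Assumes one rule per line
# (no backslash continuations), as in the rules quoted above.

# Print a finding for every "permit nopass" rule in the doas.conf-style
# file $1 that is not pinned to one absolute command and argument list.
audit_doas_nopass() {
    awk '
    {
        sub("#.*", "")                        # strip comments
        gsub(/setenv[ \t]*[{][^}]*[}]/, "")   # strip setenv option blocks
    }
    $1 == "permit" {
        nopass = 0; cmd = ""; args = 0; ident = ""; target = "any user"
        for (i = 2; i <= NF; i++) {
            if ($i == "nopass") nopass = 1
            else if ($i == "nolog" || $i == "persist" || $i == "keepenv") continue
            else if ($i == "as") target = $(++i)
            else if ($i == "cmd") { cmd = $(i + 1); args = ($(i + 2) == "args"); break }
            else if (ident == "") ident = $i
        }
        if (!nopass) next                     # password still required
        if (cmd == "")
            printf "line %d: BROAD %s -> %s: any command, no password\n", NR, ident, target
        else if (!args)
            printf "line %d: NOARGS %s -> %s: %s with any arguments\n", NR, ident, target, cmd
        else if (cmd !~ "^/")
            printf "line %d: RELPATH %s -> %s: %s is not an absolute path\n", NR, ident, target, cmd
    }' "$1"
}

# Constructed sample: the two rules from the thread, then two narrower ones.
sample=$(mktemp)
cat > "$sample" <<'EOF'
permit nopass _snmpd as root
permit nopass _netsnmp as root
permit nopass _netsnmp as root cmd /bin/ls
permit nopass _netsnmp as root cmd /bin/ls args /bsd
EOF
audit_doas_nopass "$sample"    # lines 1-3 are reported, line 4 is not
rm -f "$sample"
```

After tightening a rule, `doas -C /etc/doas.conf /bin/ls /bsd` prints how the rule set matches that command for the invoking user (permit, permit nopass or deny) without executing it.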
Re: net-snmpd extend and doas : a tty is required
> On 12 Apr 2018, at 21:10, Stuart Henderson wrote:
>
> On 2018-04-12, Joel Carnat wrote:
>> Hi,
>>
>> I want net-snmpd to run a script via the extend directive.
>> This script has to run a command using doas to get temporary root
>> permission.
>>
>> The script is run on snmpcmd call but the doas command returns:
>> doas: a tty is required
>>
>> Is there a way to run doas from net-snmpd ?
>> I already have doas running from collectd-exec without issues.
>>
>> Thanks.
>>
>> # More infos on configuration and commands
>>
>> # grep extend /etc/snmp/snmpd.conf
>> extend test /home/scripts/test.sh
>>
>> # grep snmpd /etc/doas.conf
>> permit nopass _snmpd as root
>
> Net-SNMP runs as _netsnmp, but you're giving nopass access to _snmpd
> (base snmpd's uid, which doesn't execute anything anyway).

Of course…
Using "permit nopass _netsnmp as root" makes it run as expected.

Thanks a lot!
Re: net-snmpd extend and doas : a tty is required
On 2018-04-12, Joel Carnat wrote:
> Hi,
>
> I want net-snmpd to run a script via the extend directive.
> This script has to run a command using doas to get temporary root
> permission.
>
> The script is run on snmpcmd call but the doas command returns:
> doas: a tty is required
>
> Is there a way to run doas from net-snmpd ?
> I already have doas running from collectd-exec without issues.
>
> Thanks.
>
> # More infos on configuration and commands
>
> # grep extend /etc/snmp/snmpd.conf
> extend test /home/scripts/test.sh
>
> # grep snmpd /etc/doas.conf
> permit nopass _snmpd as root

Net-SNMP runs as _netsnmp, but you're giving nopass access to _snmpd
(base snmpd's uid, which doesn't execute anything anyway).
Re: net-snmpd extend and doas : a tty is required
Joel Carnat wrote:
> Hi,
>
> I want net-snmpd to run a script via the extend directive.
> This script has to run a command using doas to get temporary root
> permission.
>
> The script is run on snmpcmd call but the doas command returns:
> doas: a tty is required
>
> Is there a way to run doas from net-snmpd ?
> I already have doas running from collectd-exec without issues.

it needs a tty to ask for the password. you can use the nopasswd option,
or something like expect to provide a tty.
net-snmpd extend and doas : a tty is required
Hi,

I want net-snmpd to run a script via the extend directive.
This script has to run a command using doas to get temporary root
permission.

The script is run on snmpcmd call but the doas command returns:
doas: a tty is required

Is there a way to run doas from net-snmpd ?
I already have doas running from collectd-exec without issues.

Thanks.

# More infos on configuration and commands

# grep extend /etc/snmp/snmpd.conf
extend test /home/scripts/test.sh

# grep snmpd /etc/doas.conf
permit nopass _snmpd as root

# userinfo _netsnmp
login   _netsnmp
passwd  *
uid     760
groups  _netsnmp
change  NEVER
class   daemon
gecos   Net-SNMP user
dir     /nonexistent
shell   /sbin/nologin
expire  NEVER

# cat /home/scripts/test.sh
#!/usr/bin/env ksh
PATH="/bin:/sbin:/usr/bin:/usr/sbin"
echo ligne 1
echo ligne 2
doas -u root ls /bsd
exit 0

# snmpwalk -v 2c -c secret 10.0.0.7 .1.3.6.1.4.1.8072.1.3.2.4.1.2.4.116.101.115.116
NET-SNMP-EXTEND-MIB::nsExtendOutLine."test".1 = STRING: ligne 1
NET-SNMP-EXTEND-MIB::nsExtendOutLine."test".2 = STRING: ligne 2
NET-SNMP-EXTEND-MIB::nsExtendOutLine."test".3 = STRING: doas: a tty is required