[Pkg-net-snmp-devel] Bug#794647: Unsane user management

Vincent Bernat bernat at debian.org
Wed Aug 5 10:40:08 UTC 2015


Package: snmpd
Version: 5.7.3+dfsg-1
Severity: normal

Hi!

After spotting bug #794641, I did have a quick look at snmpd postinst
and all the hops to create the user seem to be "unsane". If I have an
snmp user in my LDAP for my collaborator Sean Map, snmpd will just
start happily running with the ID of this user (but bug #794641 would
say this is not the case, but from the code, I would believe this is
the intended effect).

The "right" way to create a user and a group is to just use

adduser --quiet --system --group --home $SNMPDIR --disabled-password --disabled-login snmp

The use of --disabled-password --disabled-login could be debated (as
far as I know, snmpd doesn't rely on a cronjob or something like that,
so /bin/false should be just fine, but maybe not).

The point is "no if, no usermod, no fancy tests". "adduser" will do
the right thing and fail if the user already exists but doesn't have
the right properties, notably if it is not a system user.

Unfortunately, I acknowledge that "snmp" is a pretty common login that
could be found in an LDAP and this would leave users with such an LDAP
without much of a solution other than a patched package.

I would suggest using "_snmp" or "Debian-snmp" to avoid collision. Of
course, this would add a migration step, but the amount of code should
be quite low compared to the current stuff in postinst. "deluser
--system snmp" and "delgroup --system snmp" should be fine. However, a
safer way would be to just leave the user as is (more and more people
believe that a user shouldn't be removed automatically, even on
purge).

postrm would also be simplified to:

 deluser --quiet --system _snmp || true
 delgroup --quiet --system _snmp || true

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages snmpd depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.57
ii  libc6                  2.19-19
ii  libsnmp-base           5.7.3+dfsg-1
ii  libsnmp30              5.7.3+dfsg-1
ii  lsb-base               4.1+Debian13+nmu1

snmpd recommends no packages.

Versions of packages snmpd suggests:
pn  snmptrapd  <none>

-- Configuration Files:
/etc/snmp/snmpd.conf [Errno 13] Permission denied: u'/etc/snmp/snmpd.conf'

-- debconf information:
  snmpd/upgradefrom521:

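The collision described in the report can be checked on a host before the daemon is started under a shared name. The following is an added example, not part of the original message and not the snmpd package's maintainer script: it classifies a passwd(5) entry, as printed by `getent passwd NAME`, by UID range. The function names, the sample entries and the 100-999 system range (assumed to match the defaults in /etc/adduser.conf) are assumptions of this example.

```shell
#!/bin/sh
# Added illustration: tell a local system account apart from a same-named
# account that NSS resolves from elsewhere (for example LDAP).
# Assumption: system UIDs are 100-999; override through the environment.
FIRST_SYSTEM_UID="${FIRST_SYSTEM_UID:-100}"
LAST_SYSTEM_UID="${LAST_SYSTEM_UID:-999}"

# classify_account ENTRY
# ENTRY is one passwd(5) line, or empty when the name does not resolve.
# Prints one of: absent | system | non-system | invalid
classify_account() {
    entry="$1"
    if [ -z "$entry" ]; then
        echo absent
        return 0
    fi
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    case "$uid" in
        ''|*[!0-9]*) echo invalid; return 0 ;;   # missing or non-numeric UID field
    esac
    if [ "$uid" -ge "$FIRST_SYSTEM_UID" ] && [ "$uid" -le "$LAST_SYSTEM_UID" ]; then
        echo system
    else
        echo non-system
    fi
}

# audit_name NAME: classify whatever NAME resolves to through NSS on this host.
audit_name() {
    classify_account "$(getent passwd "$1" || true)"
}

# Constructed sample entries (not taken from any real system).
demo() {
    for e in \
        'snmp:x:116:122::/var/lib/snmp:/bin/false' \
        'snmp:x:20417:20000:Sean Map:/home/snmp:/bin/bash' \
        ''
    do
        printf '%-52s -> %s\n' "${e:-<no entry>}" "$(classify_account "$e")"
    done
}
demo
```

A result of `non-system` from `audit_name snmp` means the name resolves to an account outside the system range, which is the situation the report warns about.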