Vendor fix: make the default read and write communities NULL. This

basically disables any access unless other strings are set in the config file. Note, that there is no way to set the communities back to NULL once they're set to something not NULL.
svn path=/vendor/bsnmp/dist/; revision=154180
2006-01-10 11:49:26 +00:00 · 2006-01-10 11:49:26 +00:00 · d4199d75a1 · 2020-12-20 02:59:44 +00:00
commit d4199d75a1
parent e9d4cb69e2
2 changed files with 17 additions and 3 deletions
--- a/contrib/bsnmp/snmpd/main.c
+++ b/contrib/bsnmp/snmpd/main.c
@ -1462,8 +1462,8 @@ main(int argc, char *argv[])
 	/*
 	 * Get standard communities
 	 */
-	(void)comm_define(1, "SNMP read", NULL, "public");
-	(void)comm_define(2, "SNMP write", NULL, "public");
+	(void)comm_define(1, "SNMP read", NULL, NULL);
+	(void)comm_define(2, "SNMP write", NULL, NULL);
 	community = COMM_INITIALIZE;

 	trap_reqid = reqid_allocate(512, NULL);
--- a/contrib/bsnmp/snmpd/snmpd.config
+++ b/contrib/bsnmp/snmpd/snmpd.config
@ -42,6 +42,8 @@ traphost := noc.bar.com
 trapport := 162

 read := "public"
+# Uncomment the line below that sets the community string
+# to enable write access.
 write := "geheim"
 trap := "mytrap"

@ -52,8 +54,20 @@ trap := "mytrap"
 begemotSnmpdDebugDumpPdus	= 2
 begemotSnmpdDebugSyslogPri	= 7

+#
+# Set the read and write communities.
+#
+# The default value of the community strings is NULL (note, that this is
+# different from the empty string). This disables both read and write access.
+# To enable read access only the read community string must be set. Setting
+# the write community string enables both read and write access with that
+# string.
+#
+# Be sure to understand the security implications of SNMPv2 - the community
+# strings are readable on the wire!
+#
 begemotSnmpdCommunityString.0.1	= $(read)
-begemotSnmpdCommunityString.0.2	= $(write)
+# begemotSnmpdCommunityString.0.2	= $(write)
 begemotSnmpdCommunityDisable	= 1

 # open standard SNMP ports