Running the Solaris SNMP daemon as an unprivileged user
During much of my IT career, I have needed to support SNMP in one form or another. Typically the companies I have worked for deploy an SNMP agent to each server, and a network management station periodically polls this agent to retrieve health information. Most of the SNMP daemons I have worked with run as the user root by default, which opens a big gaping hole in system security. The Solaris SNMP daemon is no different in this respect, though you can configure it to run as a non-privileged user. To do this, you can add the “agentuser” directive and the name of an unprivileged user to the snmpd.conf configuration:
$ grep agentuser /etc/sma/snmp/snmpd.conf
agentuser snmp
This directive will cause the daemon to change its effective user ID to the user snmp once it binds to UDP port 161. If you want to take this one step further, you can follow the directions in the Limiting Service Privileges in the Solaris™ 10 Operating System to remove the need to use root altogether.
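A plain grep also matches a commented-out `#agentuser snmp` line, so the check above can pass while the daemon still runs as root. The function below is an added example, not part of the original post or of the Solaris SMA package: it reports whether a configuration file has an active, non-root agentuser directive. The function name, exit codes and sample file are constructed for illustration, and treating `#0` as root assumes this build accepts Net-SNMP's numeric `#UID` form.

```shell
#!/bin/sh
# Added example: audit an snmpd.conf for an active, non-root agentuser.
# Exit codes (chosen for this example):
#   0 = non-root agentuser set     1 = directive missing or commented out
#   2 = directive names root       3 = file not readable
audit_agentuser() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 3; }

    # awk ignores leading whitespace when splitting fields. A commented-out
    # line has "#agentuser" or "#" as its first field, so it is skipped,
    # while a numeric "#0" in the second field is preserved.
    users=$(awk '$1 == "agentuser" && NF >= 2 { print $2 }' "$conf")

    if [ -z "$users" ]; then
        echo "FAIL: no active agentuser directive; daemon keeps its start-up user"
        return 1
    fi

    # Conservative choice: fail if any active directive names root.
    for u in $users; do
        case $u in
            root|'#0')
                echo "FAIL: agentuser is $u"
                return 2 ;;
        esac
    done

    echo "OK: agentuser is $users"
    return 0
}

# Constructed sample: the directive is commented out, yet grep still matches.
sample=$(mktemp)
printf '%s\n' 'syslocation lab' '#agentuser snmp' > "$sample"
grep -c agentuser "$sample"
audit_agentuser "$sample" || echo "audit exit status: $?"
rm -f "$sample"
```

On a live system, point the function at /etc/sma/snmp/snmpd.conf and confirm the result against the user shown for the running snmpd process.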

Athanasios Douitsis on November 17th, 2007
Hi,
There are probably some modules that will cease working when you do that, no? I mean, in order to probe the kernel for parameters and statistics the agent can’t help but be root.
Perhaps it would be more useful to have the agent run as nobody and then have agentx subagents running as root connect to it. This would provide some level of encapsulation, but it would not shield against all possible attack vectors as the request eventually ends up in the subagent (albeit processed). But at this point it is probably pointless to discuss it as there are nearly too few subagents with real usefulness around.
I think that since SNMP is not really a public service, one should always use the VACM mechanism to limit access as much as possible. Using SNMPv3 would probably help too.
Best Regards,
Athanasios