Running the Solaris SNMP daemon as an unprivileged user

During much of my IT career, I have needed to support SNMP in one form or another. Typically the companies I have worked for deploy an SNMP agent to each server, and a network management station periodically polls this agent to retrieve health information. Most of the SNMP daemons I have worked with run as the user root by default, which opens a big gaping hole in system security. The Solaris SNMP daemon is no different in this respect, though you can configure it to run as a non-privileged user. To do this, you can add the “agentuser” directive and the name of an unprivileged user to the snmpd.conf configuration file:

$ grep agentuser /etc/sma/snmp/snmpd.conf
agentuser snmp

This directive will cause the daemon to change its effective user ID to the user snmp once it binds to UDP port 161. If you want to take this one step further, you can follow the directions in the document “Limiting Service Privileges in the Solaris™ 10 Operating System” to eliminate the need to use root altogether.
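
A config audit for the setting above, as an added example (not from the original post or from the SNMP daemon's own tooling): it fails when snmpd.conf has no active agentuser line, or when the named account resolves to UID 0. The function names, the optional passwd-file argument and the handling of a numeric "#N" value are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the agentuser setting described in the post.
# Portable constructs only (backticks, no ${var#...}) so that the legacy
# Solaris /bin/sh can run it.

# Print the argument of every active agentuser line. Commented-out lines are
# skipped because their first field is "#" or "#agentuser".
agentusers() {
    awk '$1 == "agentuser" { print $2 }' "$1"
}

# Resolve an agentuser value to a numeric UID from a passwd-format file.
# A "#N" value is treated as the numeric UID N (assumption of this example).
resolve_uid() {   # $1 = agentuser value, $2 = passwd file
    case $1 in
        '#'*) echo "$1" | sed 's/^#//' ;;
        *)    grep "^$1:" "$2" | cut -d: -f3 ;;
    esac
}

# Return 0 = daemon drops to a non-root account, 1 = no directive (daemon
# stays root), 2 = account is UID 0, 3 = account missing from the passwd file.
check_agentuser() {   # $1 = snmpd.conf, $2 = passwd file (default /etc/passwd)
    conf=$1
    passwd=${2:-/etc/passwd}
    users=`agentusers "$conf"`
    if [ -z "$users" ]; then
        echo "FAIL: no agentuser directive in $conf"; return 1
    fi
    for u in $users; do
        uid=`resolve_uid "$u" "$passwd"`
        if [ -z "$uid" ]; then
            echo "FAIL: agentuser $u not found in $passwd"; return 3
        fi
        if [ "$uid" -eq 0 ]; then
            echo "FAIL: agentuser $u is UID 0, daemon keeps root"; return 2
        fi
    done
    echo "OK: agentuser $users"
    return 0
}

# Run against a real file when a path is given, e.g. /etc/sma/snmp/snmpd.conf
if [ -n "${1:-}" ]; then check_agentuser "$@"; fi
```

The UID check catches a second account that is root under another name, which a plain grep for "agentuser root" would miss.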

2 thoughts on “Running the Solaris SNMP daemon as an unprivileged user”

  1. Hi,

    There are probably some modules that will cease working when you do that, no? I mean, in order to probe the kernel for parameters and statistics the agent can’t help but be root.
    Perhaps it would be more useful to have the agent run as nobody and then have agentx subagents running as root connect to it. This would provide some level of encapsulation, but it would not shield against all possible attack vectors as the request eventually ends up in the subagent (albeit processed). But at this point it is probably pointless to discuss it as there are nearly too few subagents with real usefulness around.
    I think that since SNMP is not really a public service, one should always use the VACM mechanism to limit access as much as possible. Using SNMPv3 would probably help too.

    Best Regards,
    Athanasios

  2. Hi Athanasios,

    Anything that would need to write to an object would definitely fail, but reading objects (which is what most people seem to use SNMP for) should work since most metrics can be viewed by non-privileged users (this is definitely the case with the Solaris SNMP daemon, since it uses kstat). If you can think of specific cases where this wouldn’t work, please let me know.

    Thanks,
    – Ryan
