Running the Solaris SNMP daemon as an unprivileged user

During much of my IT career, I have needed to support SNMP in one form or another. Typically the companies I have worked for deploy an SNMP agent to each server, and a network management station periodically polls this agent to retrieve health information. Most of the SNMP daemons I have worked with run as the user root by default, which opens a big gaping whole in system security. The Solaris SNMP daemon is no different in this respect, though you can configure it to run as a non-privileged user. To do this, you can add the “agentuser” directive and the name of an unprivileged user to the snmpd.conf configuration:

$ grep agentuser /etc/sma/snmp/snmpd.conf
agentuser snmp

This directive will cause the daemon change it’s effective user id to the user snmp once it binds to UDP port 161. If you want to take this one step further, you can follow the directions in the Limiting Service Privileges in the SolarisTM 10 Operating System to alleviate the need to use root altogether.

This article was posted by Matty on 2007-11-13 00:56:00 -0400 -0400