net-snmpd extend and doas : a tty is required
Joel Carnat
2018-04-12 14:23:29 UTC
Hi,

I want net-snmpd to run a script via the extend directive.
This script has to run a command using doas to get temporary root
permission.

The script is run on snmpcmd call but the doas command returns:
doas: a tty is required

Is there a way to run doas from net-snmpd ?
I already have doas running from collectd-exec without issues.

Thanks.

# More info on configuration and commands

# grep extend /etc/snmp/snmpd.conf
extend test /home/scripts/test.sh

# grep snmpd /etc/doas.conf
permit nopass _snmpd as root

# userinfo _netsnmp
login _netsnmp
passwd *
uid 760
groups _netsnmp
change NEVER
class daemon
gecos Net-SNMP user
dir /nonexistent
shell /sbin/nologin
expire NEVER

# cat /home/scripts/test.sh
#!/usr/bin/env ksh
PATH="/bin:/sbin:/usr/bin:/usr/sbin"
echo ligne 1
echo ligne 2
doas -u root ls /bsd
exit 0

# snmpwalk -v 2c -c secret 10.0.0.7
.1.3.6.1.4.1.8072.1.3.2.4.1.2.4.116.101.115.116
NET-SNMP-EXTEND-MIB::nsExtendOutLine."test".1 = STRING: ligne 1
NET-SNMP-EXTEND-MIB::nsExtendOutLine."test".2 = STRING: ligne 2
NET-SNMP-EXTEND-MIB::nsExtendOutLine."test".3 = STRING: doas: a tty is required
Ted Unangst
2018-04-12 16:09:11 UTC
Post by Joel Carnat
> Hi,
> I want net-snmpd to run a script via the extend directive.
> This script has to run a command using doas to get temporary root
> permission.
> doas: a tty is required
> Is there a way to run doas from net-snmpd ?
> I already have doas running from collectd-exec without issues.
it needs a tty to ask for the password. you can use the nopasswd option, or
something like expect to provide a tty.
Stuart Henderson
2018-04-12 19:10:10 UTC
Post by Joel Carnat
> Hi,
> I want net-snmpd to run a script via the extend directive.
> This script has to run a command using doas to get temporary root
> permission.
> doas: a tty is required
> Is there a way to run doas from net-snmpd ?
> I already have doas running from collectd-exec without issues.
> Thanks.
> # More infos on configuration and commands
> # grep extend /etc/snmp/snmpd.conf
> extend test /home/scripts/test.sh
> # grep snmpd /etc/doas.conf
> permit nopass _snmpd as root
Net-SNMP runs as _netsnmp, but you're giving nopass access to _snmpd
(base snmpd's uid, which doesn't execute anything anyway).
Joel Carnat
2018-04-12 21:13:46 UTC
Post by Stuart Henderson
> Post by Joel Carnat
> > Hi,
> > I want net-snmpd to run a script via the extend directive.
> > This script has to run a command using doas to get temporary root
> > permission.
> > doas: a tty is required
> > Is there a way to run doas from net-snmpd ?
> > I already have doas running from collectd-exec without issues.
> > Thanks.
> > # More infos on configuration and commands
> > # grep extend /etc/snmp/snmpd.conf
> > extend test /home/scripts/test.sh
> > # grep snmpd /etc/doas.conf
> > permit nopass _snmpd as root
> Net-SNMP runs as _netsnmp, but you're giving nopass access to _snmpd
> (base snmpd's uid, which doesn't execute anything anyway).
Of course

Using "permit nopass _netsnmp as root" makes it run as expected.

Thanks a lot!
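
The identity mismatch resolved in this thread, as an added example that is not part of the original posts: a simplified model of doas.conf rule matching (last matching rule wins, `setenv` not handled) showing which user actually gets `nopass`. Any result other than `permit nopass` fails for a daemon that has no tty. It goes beyond the thread with a narrower rule; the `NARROW` line and the `/bin/ls` path are assumptions.

```python
import shlex

OPTIONS = {"nopass", "nolog", "persist", "keepenv"}  # "setenv { ... }" is not modelled

def parse_rule(line):
    """Parse one doas.conf rule (simplified grammar) into a dict, or None."""
    tok = shlex.split(line, comments=True)
    if not tok:
        return None
    rule = {"action": tok[0], "opts": set(), "target": None, "cmd": None, "args": None}
    i = 1
    while tok[i] in OPTIONS:
        rule["opts"].add(tok[i])
        i += 1
    rule["ident"] = tok[i]
    rest = tok[i + 1:]
    if rest[:1] == ["as"]:
        rule["target"], rest = rest[1], rest[2:]
    if rest[:1] == ["cmd"]:
        rule["cmd"], rest = rest[1], rest[2:]
        if rest[:1] == ["args"]:
            rule["args"] = rest[1:]
    return rule

def matches(rule, user, groups, target, cmd, args):
    """True if the rule applies to this user (or one of its groups), target and command."""
    ident = rule["ident"]
    if ident.startswith(":"):
        if ident[1:] not in groups:
            return False
    elif ident != user:
        return False
    if rule["target"] not in (None, target):
        return False
    if rule["cmd"] is not None and rule["cmd"] != cmd:
        return False
    return rule["args"] is None or rule["args"] == list(args)

def decide(conf, user, groups, target, cmd, args=()):
    """Return 'deny', 'permit' (password prompt, needs a tty) or 'permit nopass'."""
    last = None
    for line in conf.splitlines():
        rule = parse_rule(line)
        if rule and matches(rule, user, groups, target, cmd, args):
            last = rule  # doas uses the last matching rule
    if last is None or last["action"] == "deny":
        return "deny"
    return "permit nopass" if "nopass" in last["opts"] else "permit"

# Constructed configs: the rule from the thread, the fix, and a narrower variant.
POSTED = "permit nopass _snmpd as root"
FIXED = "permit nopass _netsnmp as root"
NARROW = "permit nopass _netsnmp as root cmd /bin/ls args /bsd"
```

With the `NARROW` rule the script has to call `doas -u root /bin/ls /bsd`, because the rule's `cmd` is compared against the command exactly as it is typed.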
