403 lines
15 KiB
Diff
403 lines
15 KiB
Diff
commit d047b54f874f392f97ffce8d51f49729e1c78225
|
|
Author: Alexander Bergmann <abergmann@suse.com>
|
|
Date: Fri Mar 10 15:23:35 2023 +0100
|
|
|
|
Create sub-function to parse source address and network mask
|
|
|
|
Function netsnmp_udp_resolve_source was introduced to handle the source
|
|
address and network mask parsing into in_addr structures.
|
|
|
|
diff --git a/snmplib/transports/snmpUDPDomain.c b/snmplib/transports/snmpUDPDomain.c
|
|
index 2724cf2191..3ad33d4bc5 100644
|
|
--- a/snmplib/transports/snmpUDPDomain.c
|
|
+++ b/snmplib/transports/snmpUDPDomain.c
|
|
@@ -98,6 +98,58 @@ netsnmp_udp_fmtaddr(netsnmp_transport *t, const void *data, int len)
|
|
return netsnmp_ipv4_fmtaddr("UDP", t, data, len);
|
|
}
|
|
|
|
+static int
|
|
+netsnmp_udp_resolve_source(char *source, struct in_addr *network,
|
|
+ struct in_addr *mask)
|
|
+{
|
|
+ /* Split the source/netmask parts */
|
|
+ char *strmask = strchr(source, '/');
|
|
+ if (strmask != NULL)
|
|
+ /* Mask given. */
|
|
+ *strmask++ = '\0';
|
|
+
|
|
+ /* Try interpreting as a dotted quad. */
|
|
+ if (inet_pton(AF_INET, source, network) == 0) {
|
|
+ /* Nope, wasn't a dotted quad. Must be a hostname. */
|
|
+ int ret = netsnmp_gethostbyname_v4(source, &(network->s_addr));
|
|
+ if (ret < 0) {
|
|
+ config_perror("cannot resolve source hostname");
|
|
+ return ret;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ /* Now work out the mask. */
|
|
+ if (strmask == NULL || *strmask == '\0') {
|
|
+ /* No mask was given. Assume /32 */
|
|
+ mask->s_addr = (in_addr_t)(~0UL);
|
|
+ } else {
|
|
+ /* Try to interpret mask as a "number of 1 bits". */
|
|
+ char* cp;
|
|
+ long maskLen = strtol(strmask, &cp, 10);
|
|
+ if (*cp == '\0') {
|
|
+ if (0 < maskLen && maskLen <= 32)
|
|
+ mask->s_addr = htonl((in_addr_t)(~0UL << (32 - maskLen)));
|
|
+ else if (maskLen == 0)
|
|
+ mask->s_addr = 0;
|
|
+ else {
|
|
+ config_perror("bad mask length");
|
|
+ return -1;
|
|
+ }
|
|
+ }
|
|
+ /* Try to interpret mask as a dotted quad. */
|
|
+ else if (inet_pton(AF_INET, strmask, mask) == 0) {
|
|
+ config_perror("bad mask");
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ /* Check that the network and mask are consistent. */
|
|
+ if (network->s_addr & ~mask->s_addr) {
|
|
+ config_perror("source/mask mismatch");
|
|
+ return -1;
|
|
+ }
|
|
+ }
|
|
+ return 0;
|
|
+}
|
|
|
|
#if defined(HAVE_IP_PKTINFO) || (defined(HAVE_IP_RECVDSTADDR) && defined(HAVE_IP_SENDSRCADDR))
|
|
|
|
@@ -375,52 +427,10 @@ netsnmp_udp_parse_security(const char *token, char *param)
|
|
negate = 0;
|
|
sourcep = source;
|
|
}
|
|
-
|
|
- /* Split the source/netmask parts */
|
|
- strmask = strchr(sourcep, '/');
|
|
- if (strmask != NULL)
|
|
- /* Mask given. */
|
|
- *strmask++ = '\0';
|
|
-
|
|
- /* Try interpreting as a dotted quad. */
|
|
- if (inet_pton(AF_INET, sourcep, &network) == 0) {
|
|
- /* Nope, wasn't a dotted quad. Must be a hostname. */
|
|
- int ret = netsnmp_gethostbyname_v4(sourcep, &network.s_addr);
|
|
- if (ret < 0) {
|
|
- config_perror("cannot resolve IPv4 source hostname");
|
|
- return;
|
|
- }
|
|
- }
|
|
-
|
|
- /* Now work out the mask. */
|
|
- if (strmask == NULL || *strmask == '\0') {
|
|
- /* No mask was given. Assume /32 */
|
|
- mask.s_addr = (in_addr_t)(~0UL);
|
|
- } else {
|
|
- /* Try to interpret mask as a "number of 1 bits". */
|
|
- char* cp;
|
|
- long maskLen = strtol(strmask, &cp, 10);
|
|
- if (*cp == '\0') {
|
|
- if (0 < maskLen && maskLen <= 32)
|
|
- mask.s_addr = htonl((in_addr_t)(~0UL << (32 - maskLen)));
|
|
- else if (0 == maskLen)
|
|
- mask.s_addr = 0;
|
|
- else {
|
|
- config_perror("bad mask length");
|
|
- return;
|
|
- }
|
|
- }
|
|
- /* Try to interpret mask as a dotted quad. */
|
|
- else if (inet_pton(AF_INET, strmask, &mask) == 0) {
|
|
- config_perror("bad mask");
|
|
- return;
|
|
- }
|
|
-
|
|
- /* Check that the network and mask are consistent. */
|
|
- if (network.s_addr & ~mask.s_addr) {
|
|
- config_perror("source/mask mismatch");
|
|
- return;
|
|
- }
|
|
+ /* Parse source address and network mask. */
|
|
+ if(netsnmp_udp_resolve_source(sourcep, &network, &mask)) {
|
|
+ config_perror("source address/network mask parsing issue");
|
|
+ return;
|
|
}
|
|
}
|
|
|
|
commit a2559914d8d8132f155a81c0852cbbd2090d2d40
|
|
Author: Alexander Bergmann <abergmann@suse.com>
|
|
Date: Fri Mar 10 15:25:10 2023 +0100
|
|
|
|
Create sub-function to check the com2SecEntry_create return code
|
|
|
|
The return code interpretation of the netsnmp_udp_com2SecEntry_create
|
|
function is now done inside a new sub-function.
|
|
|
|
diff --git a/snmplib/transports/snmpUDPDomain.c b/snmplib/transports/snmpUDPDomain.c
|
|
index 3ad33d4bc5..5904a1b423 100644
|
|
--- a/snmplib/transports/snmpUDPDomain.c
|
|
+++ b/snmplib/transports/snmpUDPDomain.c
|
|
@@ -346,6 +346,33 @@ netsnmp_udp_com2SecEntry_create(com2SecEntry **entryp, const char *community,
|
|
return C2SE_ERR_SUCCESS;
|
|
}
|
|
|
|
+void
|
|
+netsnmp_udp_com2SecEntry_check_return_code(int rc)
|
|
+{
|
|
+ /*
|
|
+ * Check return code of the newly created com2Sec entry.
|
|
+ */
|
|
+ switch(rc) {
|
|
+ case C2SE_ERR_SUCCESS:
|
|
+ break;
|
|
+ case C2SE_ERR_CONTEXT_TOO_LONG:
|
|
+ config_perror("context name too long");
|
|
+ break;
|
|
+ case C2SE_ERR_COMMUNITY_TOO_LONG:
|
|
+ config_perror("community name too long");
|
|
+ break;
|
|
+ case C2SE_ERR_SECNAME_TOO_LONG:
|
|
+ config_perror("security name too long");
|
|
+ break;
|
|
+ case C2SE_ERR_MASK_MISMATCH:
|
|
+ config_perror("source/mask mismatch");
|
|
+ break;
|
|
+ case C2SE_ERR_MISSING_ARG:
|
|
+ default:
|
|
+ config_perror("unexpected error; could not create com2SecEntry");
|
|
+ }
|
|
+}
|
|
+
|
|
void
|
|
netsnmp_udp_parse_security(const char *token, char *param)
|
|
{
|
|
@@ -440,25 +467,7 @@ netsnmp_udp_parse_security(const char *token, char *param)
|
|
*/
|
|
rc = netsnmp_udp_com2SecEntry_create(NULL, community, secName, contextName,
|
|
&network, &mask, negate);
|
|
- switch(rc) {
|
|
- case C2SE_ERR_SUCCESS:
|
|
- break;
|
|
- case C2SE_ERR_CONTEXT_TOO_LONG:
|
|
- config_perror("context name too long");
|
|
- break;
|
|
- case C2SE_ERR_COMMUNITY_TOO_LONG:
|
|
- config_perror("community name too long");
|
|
- break;
|
|
- case C2SE_ERR_SECNAME_TOO_LONG:
|
|
- config_perror("security name too long");
|
|
- break;
|
|
- case C2SE_ERR_MASK_MISMATCH:
|
|
- config_perror("source/mask mismatch");
|
|
- break;
|
|
- case C2SE_ERR_MISSING_ARG:
|
|
- default:
|
|
- config_perror("unexpected error; could not create com2SecEntry");
|
|
- }
|
|
+ netsnmp_udp_com2SecEntry_check_return_code(rc);
|
|
}
|
|
|
|
void
|
|
commit 20e2bb7d75c391f5cfde1eb8b8676aff68f3a5f5
|
|
Author: Alexander Bergmann <abergmann@suse.com>
|
|
Date: Fri Mar 10 15:31:41 2023 +0100
|
|
|
|
Add '@' netgroup functionality
|
|
|
|
Allow access control via netgroups defined in /etc/netgroup or NIS/LDAP
|
|
via the '@' sign inside the configuration file. Same as IP addresses and
|
|
host names.
|
|
|
|
diff --git a/configure b/configure
|
|
index 575b60c4d2..82414664cf 100755
|
|
--- a/configure
|
|
+++ b/configure
|
|
@@ -31221,6 +31221,12 @@ if test "x$ac_cv_func_closedir" = xyes
|
|
then :
|
|
printf "%s\n" "#define HAVE_CLOSEDIR 1" >>confdefs.h
|
|
|
|
+fi
|
|
+ac_fn_c_check_func "$LINENO" "endnetgrent" "ac_cv_func_endnetgrent"
|
|
+if test "x$ac_cv_func_endnetgrent" = xyes
|
|
+then :
|
|
+ printf "%s\n" "#define HAVE_ENDNETGRENT 1" >>confdefs.h
|
|
+
|
|
fi
|
|
ac_fn_c_check_func "$LINENO" "fgetc_unlocked" "ac_cv_func_fgetc_unlocked"
|
|
if test "x$ac_cv_func_fgetc_unlocked" = xyes
|
|
@@ -31257,6 +31263,12 @@ if test "x$ac_cv_func_getlogin" = xyes
|
|
then :
|
|
printf "%s\n" "#define HAVE_GETLOGIN 1" >>confdefs.h
|
|
|
|
+fi
|
|
+ac_fn_c_check_func "$LINENO" "getnetgrent" "ac_cv_func_getnetgrent"
|
|
+if test "x$ac_cv_func_getnetgrent" = xyes
|
|
+then :
|
|
+ printf "%s\n" "#define HAVE_GETNETGRENT 1" >>confdefs.h
|
|
+
|
|
fi
|
|
ac_fn_c_check_func "$LINENO" "if_nametoindex" "ac_cv_func_if_nametoindex"
|
|
if test "x$ac_cv_func_if_nametoindex" = xyes
|
|
@@ -31305,6 +31317,12 @@ if test "x$ac_cv_func_setlocale" = xyes
|
|
then :
|
|
printf "%s\n" "#define HAVE_SETLOCALE 1" >>confdefs.h
|
|
|
|
+fi
|
|
+ac_fn_c_check_func "$LINENO" "setnetgrent" "ac_cv_func_setnetgrent"
|
|
+if test "x$ac_cv_func_setnetgrent" = xyes
|
|
+then :
|
|
+ printf "%s\n" "#define HAVE_SETNETGRENT 1" >>confdefs.h
|
|
+
|
|
fi
|
|
ac_fn_c_check_func "$LINENO" "setsid" "ac_cv_func_setsid"
|
|
if test "x$ac_cv_func_setsid" = xyes
|
|
diff --git a/configure.d/config_os_functions b/configure.d/config_os_functions
|
|
index b921f8cd7b..0915928e21 100644
|
|
--- a/configure.d/config_os_functions
|
|
+++ b/configure.d/config_os_functions
|
|
@@ -25,12 +25,14 @@ AC_TYPE_SIGNAL
|
|
AC_CHECK_FUNCS([rand random srand srandom lrand48 srand48])
|
|
|
|
# Library:
|
|
-AC_CHECK_FUNCS([asprintf closedir fgetc_unlocked ] dnl
|
|
+AC_CHECK_FUNCS([asprintf closedir endnetgrent ] dnl
|
|
+ [fgetc_unlocked ] dnl
|
|
[flockfile funlockfile getipnodebyname ] dnl
|
|
- [gettimeofday getlogin ] dnl
|
|
+ [gettimeofday getlogin getnetgrent ] dnl
|
|
[if_nametoindex mkstemp ] dnl
|
|
[opendir readdir regcomp ] dnl
|
|
[setenv setitimer setlocale ] dnl
|
|
+ [setnetgrent ] dnl
|
|
[setsid snprintf strcasestr ] dnl
|
|
[strdup strerror strncasecmp ] dnl
|
|
[sysconf times vsnprintf ] )
|
|
diff --git a/include/net-snmp/net-snmp-config.h.in b/include/net-snmp/net-snmp-config.h.in
|
|
index 89b2ca116d..5efbf12400 100644
|
|
--- a/include/net-snmp/net-snmp-config.h.in
|
|
+++ b/include/net-snmp/net-snmp-config.h.in
|
|
@@ -183,6 +183,9 @@
|
|
/* Define to 1 if you have the `endfsent' function. */
|
|
#undef HAVE_ENDFSENT
|
|
|
|
+/* Define to 1 if you have the `endnetgrent' function. */
|
|
+#undef HAVE_ENDNETGRENT
|
|
+
|
|
/* Define to 1 if you have the `ERR_get_error_all' function. */
|
|
#undef HAVE_ERR_GET_ERROR_ALL
|
|
|
|
@@ -294,6 +297,9 @@
|
|
/* Define to 1 if you have the `getmntinfo' function. */
|
|
#undef HAVE_GETMNTINFO
|
|
|
|
+/* Define to 1 if you have the `getnetgrent' function. */
|
|
+#undef HAVE_GETNETGRENT
|
|
+
|
|
/* Define to 1 if you have the `getopt' function. */
|
|
#undef HAVE_GETOPT
|
|
|
|
@@ -883,6 +889,9 @@
|
|
/* Define to 1 if you have the `setmntent' function. */
|
|
#undef HAVE_SETMNTENT
|
|
|
|
+/* Define to 1 if you have the `setnetgrent' function. */
|
|
+#undef HAVE_SETNETGRENT
|
|
+
|
|
/* Define to 1 if you have the `setsid' function. */
|
|
#undef HAVE_SETSID
|
|
|
|
diff --git a/man/snmpd.conf.5.def b/man/snmpd.conf.5.def
|
|
index 2a9abd5b51..6060ed51d1 100644
|
|
--- a/man/snmpd.conf.5.def
|
|
+++ b/man/snmpd.conf.5.def
|
|
@@ -434,6 +434,14 @@ com2sec sec1 10.0.0.0/8 public
|
|
.IP
|
|
Access from outside of 10.0.0.0/8 would still be denied.
|
|
.IP
|
|
+It is also possible to reference a specific \fInetgroup\fR starting with an
|
|
+'@' character (e.g. @adminhosts). The \fInetgroup\fR lookup is running
|
|
+through the NSS (Name Services Switch) making it possible to define the
|
|
+group locally or via NIS/LDAP.
|
|
+.IP
|
|
+Note: The hostname DNS lookup and \fInetgroup\fR resolution is done only
|
|
+during snmpd start or reload.
|
|
+.IP
|
|
The same community string can be specified in several separate directives
|
|
(presumably with different source tokens), and the first source/community
|
|
combination that matches the incoming request will be selected.
|
|
diff --git a/snmplib/transports/snmpUDPDomain.c b/snmplib/transports/snmpUDPDomain.c
|
|
index 5904a1b423..8f98398704 100644
|
|
--- a/snmplib/transports/snmpUDPDomain.c
|
|
+++ b/snmplib/transports/snmpUDPDomain.c
|
|
@@ -445,6 +445,10 @@ netsnmp_udp_parse_security(const char *token, char *param)
|
|
network.s_addr = 0;
|
|
mask.s_addr = 0;
|
|
negate = 0;
|
|
+ /* Create a new com2Sec entry. */
|
|
+ rc = netsnmp_udp_com2SecEntry_create(NULL, community, secName, contextName,
|
|
+ &network, &mask, negate);
|
|
+ netsnmp_udp_com2SecEntry_check_return_code(rc);
|
|
} else {
|
|
char *strmask;
|
|
if (*source == '!') {
|
|
@@ -454,20 +458,44 @@ netsnmp_udp_parse_security(const char *token, char *param)
|
|
negate = 0;
|
|
sourcep = source;
|
|
}
|
|
- /* Parse source address and network mask. */
|
|
- if(netsnmp_udp_resolve_source(sourcep, &network, &mask)) {
|
|
- config_perror("source address/network mask parsing issue");
|
|
- return;
|
|
+#if HAVE_ENDNETGRENT && HAVE_GETNETGRENT && HAVE_SETNETGRENT
|
|
+ /* Interpret as netgroup */
|
|
+ if (*sourcep == '@') {
|
|
+ char *netgroup = sourcep+1;
|
|
+ char *host, *user, *domain;
|
|
+ if(setnetgrent(netgroup)) {
|
|
+ while (getnetgrent(&host, &user, &domain)) {
|
|
+ /* Parse source address and network mask for each netgroup host. */
|
|
+ if (netsnmp_udp_resolve_source(host, &network, &mask) == 0) {
|
|
+ /* Create a new com2Sec entry. */
|
|
+ rc = netsnmp_udp_com2SecEntry_create(NULL, community, secName, contextName,
|
|
+ &network, &mask, negate);
|
|
+ netsnmp_udp_com2SecEntry_check_return_code(rc);
|
|
+ } else {
|
|
+ config_perror("netgroup host address parsing issue");
|
|
+ break;
|
|
+ }
|
|
+ }
|
|
+ endnetgrent();
|
|
+ } else {
|
|
+ config_perror("netgroup could not be found");
|
|
+ }
|
|
+ }
|
|
+ /* Without '@' it has to be an address or hostname */
|
|
+ else
|
|
+#endif
|
|
+ {
|
|
+ /* Parse source address and network mask. */
|
|
+ if(netsnmp_udp_resolve_source(sourcep, &network, &mask) == 0) {
|
|
+ /* Create a new com2Sec entry. */
|
|
+ rc = netsnmp_udp_com2SecEntry_create(NULL, community, secName, contextName,
|
|
+ &network, &mask, negate);
|
|
+ netsnmp_udp_com2SecEntry_check_return_code(rc);
|
|
+ } else {
|
|
+ config_perror("source address/network mask parsing issue");
|
|
+ }
|
|
}
|
|
}
|
|
-
|
|
- /*
|
|
- * Everything is okay. Copy the parameters to the structure allocated
|
|
- * above and add it to END of the list.
|
|
- */
|
|
- rc = netsnmp_udp_com2SecEntry_create(NULL, community, secName, contextName,
|
|
- &network, &mask, negate);
|
|
- netsnmp_udp_com2SecEntry_check_return_code(rc);
|
|
}
|
|
|
|
void
|