From nobody@FreeBSD.org  Fri Jan  6 17:21:54 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E163C16A423
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  6 Jan 2006 17:21:54 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C4B1443D60
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  6 Jan 2006 17:21:43 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k06HLhLo091546
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 6 Jan 2006 17:21:43 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id k06HLhdP091545;
	Fri, 6 Jan 2006 17:21:43 GMT
	(envelope-from nobody)
Message-Id: <200601061721.k06HLhdP091545@www.freebsd.org>
Date: Fri, 6 Jan 2006 17:21:43 GMT
From: john fleming <john.fleming-eds@eds.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: bsnmpd needs a config option to disable write ability.
X-Send-Pr-Version: www-2.3

>Number:         91406
>Category:       bin
>Synopsis:       bsnmpd(1) needs a config option to disable write ability.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    harti
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 06 17:30:02 GMT 2006
>Closed-Date:    Tue Jan 31 12:04:20 GMT 2006
>Last-Modified:  Tue Jan 31 12:04:20 GMT 2006
>Originator:     john fleming
>Release:        6.0-R
>Organization:
pfSense
>Environment:
FreeBSD 6.0-R
>Description:
There currently is no way to disable read/write community in bsnmpd. The
default for bsnmpd is a hard coded public for both read and write community
strings. There needs to be a way to set the write (and possibly read) string
to NULL or something along those lines, to disable snmp write support.
>How-To-Repeat:
              N/A
>Fix:
two options, set write and read string to something and tell no one (NO ONE
I SAY!). Option 2, disable snmp read/write strings via a code change. Edit
contrib/bsnmp/snmpd/main.c, you should see something like..

	(void)comm_define(1, "SNMP read", NULL, "public");
	(void)comm_define(2, "SNMP write", NULL, "public");


change both "public"s to NULL. (no quote marks).

then rebuild bsnmpd.

# stop bsnmpd first.

cd /usr/src/usr.sbin/bsnmpd
make obj
make depend
make
make install

# restart bsnmpd

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-doc->harti 
Responsible-Changed-By: simon 
Responsible-Changed-When: Sat Jan 7 10:15:29 UTC 2006 
Responsible-Changed-Why:  
Over to bsnmp maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=91406 

From: Harti Brandt <hartmut.brandt@dlr.de>
To: bug-followup@freebsd.org, john.fleming-eds@eds.com
Cc:  
Subject: Re: bin/91406
Date: Tue, 10 Jan 2006 13:13:19 +0100 (CET)

 Hi John,
 
 I have committed a vendor fix to set the default communities to NULL. I've 
 also commented the snmpd.config file accordingly, but have left the read 
 community in that config file as 'public'. This disables write access, but 
 leaves read access as it is now. Read access can also be disabled by 
 commenting out the config line (but an SNMP daemon with no access 
 altogether is of rather questionable value :-). Is that OK for you?
 
 harti

From: "Fleming, John (ZeroChaos)" <john.fleming-eds@eds.com>
To: "Harti Brandt" <harti@freebsd.org>, <bug-followup@freebsd.org>
Cc:  
Subject: RE: bin/91406
Date: Tue, 10 Jan 2006 12:54:45 -0600

 That's great, thanks!
 
 (didn't reply all last time)
 
 -----Original Message-----
 From: Harti Brandt [mailto:hartmut.brandt@dlr.de]
 Sent: Tuesday, January 10, 2006 6:13 AM
 To: bug-followup@freebsd.org; Fleming, John (ZeroChaos)
 Subject: Re: bin/91406
 
 
 Hi John,
 
 I have committed a vendor fix to set the default communities to NULL. I've
 also commented the snmpd.config file accordingly, but have left the read
 community in that config file as 'public'. This disables write access, but
 leaves read access as it is now. Read access can also be disabled by
 commenting out the config line (but an SNMP daemon with no access
 altogether is of rather questionable value :-). Is that OK for you?
 
 harti
State-Changed-From-To: open->closed 
State-Changed-By: harti 
State-Changed-When: Tue Jan 31 12:03:36 UTC 2006 
State-Changed-Why:  
Default communities have been set to NULL thus effectively disabling 
any access without editing the config file. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=91406 
>Unformatted:
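
An added example, not part of the PR or of bsnmpd itself: a small audit of an snmpd.config that reports which communities are active, following harti's description above (write access off unless a community line is set, read left as 'public'). The `:=` macro syntax, the `begemotSnmpdCommunityString.0.N` line names and the 1 = read / 2 = write mapping are assumptions modelled on a stock config, and the sample text is constructed.

```python
import re

# Constructed sample, laid out like a stock bsnmpd snmpd.config (assumed format).
SAMPLE_CONFIG = '''\
read := "public"
write := "geheim"
%snmpd
begemotSnmpdCommunityString.0.1 = $(read)
# begemotSnmpdCommunityString.0.2 = $(write)
'''

MACRO = re.compile(r'^(\w+)\s*:=\s*"?([^"]*)"?$')
COMMUNITY = re.compile(r'^begemotSnmpdCommunityString\.0\.(\d+)\s*=\s*(\S+)$')
MACRO_REF = re.compile(r'\$\((\w+)\)')
# Assumed index mapping, mirroring comm_define(1, "SNMP read") / comm_define(2, "SNMP write").
ROLES = {"1": "read", "2": "write"}
WELL_KNOWN = {"public"}


def audit(text):
    """Return (active communities by role, list of findings) for a config text."""
    macros, active = {}, {}
    for raw in text.splitlines():
        # '#' starts a comment, so a commented-out community line sets nothing.
        line = raw.split("#", 1)[0].strip()
        if m := MACRO.match(line):
            macros[m.group(1)] = m.group(2)
        elif m := COMMUNITY.match(line):
            value = m.group(2)
            ref = MACRO_REF.fullmatch(value)
            # Expand $(name) from earlier macro definitions, else take the literal.
            community = macros.get(ref.group(1), "") if ref else value.strip('"')
            active[ROLES.get(m.group(1), "index " + m.group(1))] = community
    findings = []
    if "write" in active:
        findings.append("write access is enabled")
    for role, community in sorted(active.items()):
        if community in WELL_KNOWN:
            findings.append(f"{role} community is the well-known string '{community}'")
    if not active:
        # Holds for a bsnmpd built with the NULL defaults described in this PR.
        findings.append("no community configured: access stays disabled")
    return active, findings


if __name__ == "__main__":
    communities, findings = audit(SAMPLE_CONFIG)
    print(communities)
    for finding in findings:
        print("-", finding)
```

On a bsnmpd built before the fix, the hard-coded "public" defaults apply regardless of what the config file says, so an empty result from this check is only meaningful for a fixed build.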
