Forced bind to 127.0.0.1 is "hardcoded" into /etc/default/snmpd instead of option in /etc/snmp/snmpd.conf

Bug #74896 reported by Peter de Kraker
This bug affects 2 people
Affects: net-snmp (Ubuntu)
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Binary package hint: snmpd

I have been struggling to get remote snmp reads from several of my machines.
/etc/snmp/snmpd.conf was set up correctly. snmpwalk from localhost did work, a snmpwalk from a remote host however didn't work.

After lots of debugging, trying etc. I found out that snmpd binds itself to 127.0.0.1. According to EVERY faq and manual that I read, the default behaviour of snmpd is to listen on every interface.
However, specifying in /etc/snmp/snmpd.conf to force the agent to listen on every socket doesn't work. It crashed the server.

It appears that the 127.0.0.1 is "hardcoded" into /etc/default/snmpd. This script/settings file is used by the /etc/init.d/snmpd init script.
The following line is responsible for the 127.0.0.1 bind.
"SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'"

After removing the 127.0.0.1 I could finally query the remote machine.

Dave Shield, one of the developers of net-snmp, confirmed that this way of starting snmpd indeed binds it to 127.0.0.1

He also confirmed that this is something that probably the Ubuntu Devs changed:
"It's a defensible configuration, but it's not one that many distributions use. It's certainly not something that we ship ourselves."

If it is really necessary to restrict remote snmp access, I strongly suggest to do this by changing the default configuration of snmpd in /etc/snmp/snmpd.conf by adding:
"agentaddress 127.0.0.1"
This results in the same behaviour as adding the 127.0.0.1 to /etc/default/snmpd
This way, users will see that the default option is to bind to 127.0.0.1 and can change this easily.

It is very illogical and not user-friendly to expect the user to find out that there is a /etc/defaults/snmpd file that is causing the problem.

Since this is a very easy and also elegant way to solve the problem, I really hope this change can be made. It would solve a lot of frustrations for people trying to get snmpd to work.

Summary of proposed changes:

=> /etc/default/snmpd
change "SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'"
to "SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid'"

=> /etc/snmp/snmpd.conf
add "agentaddress 127.0.0.1"
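
As an added example (not part of the bug report or the Ubuntu package), these shell functions list both places the report identifies as setting snmpd's listening address: the trailing argument in SNMPDOPTS and agentaddress lines in snmpd.conf. The function names are hypothetical, the option parsing only understands the options shown in the report's SNMPDOPTS line, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report: list every place an snmpd
# listening address is set, so a bind hidden in SNMPDOPTS is not missed.

# Print listening addresses given on the command line through SNMPDOPTS.
# $1: file in /etc/default/snmpd format.
# Assumption: only the options in the report's line are understood;
# -Lf, -u, -I and -p consume the next word, any other -word stands alone.
cmdline_addresses() {
    opts=$(sed -n "s/^[[:space:]]*SNMPDOPTS=['\"]\\(.*\\)['\"][[:space:]]*\$/\\1/p" "$1" | tail -n 1)
    skip=0
    for word in $opts; do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case $word in
            -Lf|-u|-I|-p) skip=1 ;;
            -*) ;;
            *) printf '%s\n' "$word" ;;
        esac
    done
}

# Print the value of each active (uncommented) agentaddress line in $1.
conf_addresses() {
    sed -n 's/^[[:space:]]*[Aa]gent[Aa]ddress[[:space:]][[:space:]]*\([^#]*[^#[:space:]]\).*$/\1/p' "$1"
}

# One line per source: "SNMPDOPTS <addr>" or "agentaddress <addr>".
bind_sources() {
    cmdline_addresses "$1" | while read -r a; do printf 'SNMPDOPTS %s\n' "$a"; done
    conf_addresses "$2" | while read -r a; do printf 'agentaddress %s\n' "$a"; done
}

# Constructed sample files reproducing the state described in the report.
demo() {
    d=$(mktemp -d)
    echo "SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'" > "$d/default"
    echo "# agentaddress 127.0.0.1" > "$d/snmpd.conf"
    bind_sources "$d/default" "$d/snmpd.conf"
    rm -rf "$d"
}
demo
```

On a real host the call would be `bind_sources /etc/default/snmpd /etc/snmp/snmpd.conf`; a line starting with `SNMPDOPTS` means the address is set outside snmpd.conf.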

Adam Lewandowski (adam-alewando) wrote :

+1 for this. I just wasted 30 minutes playing with the snmpd.conf file trying (unsuccessfully) to enable remote connections. Having to modify /etc/default/snmpd is not intuitive and will not be found by the average user. Besides, why would you want to run snmpd without allowing remote connections?

YannTech (yanntech) wrote :

+1 I have lost a lot of time finding this bug.
Is binding to loopback only for security reasons?

Changed in net-snmp:
status: New → Confirmed

Bjorn Ruud (bjorn-ruud) wrote :

+1. It took me a while to figure this out. Putting the option in snmpd.conf is a lot more intuitive.

Jason Spashett (jspashett) wrote :

+1 I think. This is somewhat confusing.

Putting agentaddress 127.0.0.1 at the top of snmpd.conf instead of in .../defaults/.. would seem reasonable and quite helpful. However I am not entirely familiar with the way defaults functions.

Tony Montuori (tony-dragonsroost) wrote :

+1

Don't change a package's default behavior without putting notification in an obvious, intuitive place.

Andy Brody (abrody) wrote :

+1

I just spent quite some time trying to figure this out, and only now happened upon this bug report.

Chuck Short (zulcss) wrote :

Thanks for the bug report. I will consider this for karmic+1

Changed in net-snmp (Ubuntu):
importance: Undecided → Wishlist

as69 (as69) wrote :

Thanks for this Bug Report! It also helped me solving my issue.

Boyan Sotirov (lz1dsb) wrote :

Peter,
You rule mate! I stumbled on exactly the same problem today and spent so much time figuring out what was going wrong. In my case I'm using Ubuntu 9.04 and I found that the only change I need to do is in the /etc/snmp/snmpd.conf. I added there agentaddress <local_ip_address>. In this case it works also when I'm using snmpwalk with "localhost" option. So I haven't touched the default configuration. Thanks a lot for this post.

houstonbofh (leesharp) wrote :

Allow me to add my support. I am NOT new to this. I have written snmp apps...

This behavior goes against the man pages, the snmpconf tool, and most of what you find on Google. At the least, we need to add to the comments of the /etc/snmpd/snmpd.conf that /etc/default/snmpd exists.

Chuck Short (zulcss) wrote :

This is done in natty now.

chuck

Changed in net-snmp (Ubuntu):
status: Confirmed → Fix Released