int vacm_warn_if_not_configured(int majorID, int minorID, void *serverarg, void *clientarg) { const char * name = netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID, NETSNMP_DS_LIB_APPTYPE); const int agent_mode = netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID, NETSNMP_DS_AGENT_ROLE); if (NULL==name) name = "snmpd"; if (!vacm_is_configured()) { /* * An AgentX subagent relies on the master agent to apply suitable * access control checks, so doesn't need local VACM configuration. * The trap daemon has a separate check (see below). * * Otherwise, an AgentX master or SNMP standalone agent requires some * form of VACM configuration. No config means that no incoming * requests will be accepted, so warn the user accordingly. */ if ((MASTER_AGENT == agent_mode) && (strcmp(name, "snmptrapd") != 0)) { snmp_log(LOG_WARNING, "Warning: no access control information configured.\n" " (Config search path: %s)\n" " It's unlikely this agent can serve any useful purpose in this state.\n" " Run \"snmpconf -g basic_setup\" to help you " "configure the %s.conf file for this agent.\n", get_configuration_directory(), name); } /* * The trap daemon implements VACM-style access control for incoming * notifications, but offers a way of turning this off (for backwards * compatability). Check for this explicitly, and warn if necessary. * * NB: The NETSNMP_DS_APP_NO_AUTHORIZATION definition is a duplicate * of an identical setting in "apps/snmptrapd_ds.h". * These two need to be kept in synch. */ #ifndef NETSNMP_DS_APP_NO_AUTHORIZATION #define NETSNMP_DS_APP_NO_AUTHORIZATION 17 #endif if (!strcmp(name, "snmptrapd") && !netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID, NETSNMP_DS_APP_NO_AUTHORIZATION)) { snmp_log(LOG_WARNING, "Warning: no access control information configured.\n" " (Config search path: %s)\n" "This receiver will *NOT* accept any incoming notifications.\n", get_configuration_directory()); } } return SNMP_ERR_NOERROR; }
/** * Authorizes incoming notifications for further processing */ int netsnmp_trapd_auth(netsnmp_pdu *pdu, netsnmp_transport *transport, netsnmp_trapd_handler *handler) { int ret = 0; oid snmptrapoid[] = { 1,3,6,1,6,3,1,1,4,1,0 }; size_t snmptrapoid_len = OID_LENGTH(snmptrapoid); int i; netsnmp_pdu *newpdu = pdu; netsnmp_variable_list *var; /* check to see if authorization was not disabled */ if (netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID, NETSNMP_DS_APP_NO_AUTHORIZATION)) { DEBUGMSGTL(("snmptrapd:auth", "authorization turned off: not checking\n")); return NETSNMPTRAPD_HANDLER_OK; } /* bail early if called illegally */ if (!pdu || !transport || !handler) return NETSNMPTRAPD_HANDLER_FINISH; /* convert to v2 so we can check it in a consistent manner */ #ifndef NETSNMP_DISABLE_SNMPV1 if (pdu->version == SNMP_VERSION_1) { newpdu = convert_v1pdu_to_v2(pdu); if (!newpdu) { snmp_log(LOG_ERR, "Failed to duplicate incoming PDU. Refusing to authorize.\n"); return NETSNMPTRAPD_HANDLER_FINISH; } } #endif if (!vacm_is_configured()) { #ifndef NETSNMP_DISABLE_SNMPV1 if (newpdu != pdu) snmp_free_pdu(newpdu); #endif snmp_log(LOG_WARNING, "No access configuration - dropping trap.\n"); return NETSNMPTRAPD_HANDLER_FINISH; } /* loop through each variable and find the snmpTrapOID.0 var indicating what the trap is we're staring at. */ for (var = newpdu->variables; var != NULL; var = var->next_variable) { if (netsnmp_oid_equals(var->name, var->name_length, snmptrapoid, snmptrapoid_len) == 0) break; } /* make sure we can continue: we found the snmpTrapOID.0 and its an oid */ if (!var || var->type != ASN_OBJECT_ID) { snmp_log(LOG_ERR, "Can't determine trap identifier; refusing to authorize it\n"); #ifndef NETSNMP_DISABLE_SNMPV1 if (newpdu != pdu) snmp_free_pdu(newpdu); #endif return NETSNMPTRAPD_HANDLER_FINISH; } #ifdef USING_MIBII_VACM_CONF_MODULE /* check the pdu against each typo of VACM access we may want to check up on later. We cache the results for future lookup on each call to netsnmp_trapd_check_auth */ for(i = 0; i < VACM_MAX_VIEWS; i++) { /* pass the PDU to the VACM routine for handling authorization */ DEBUGMSGTL(("snmptrapd:auth", "Calling VACM for checking phase %d:%s\n", i, se_find_label_in_slist(VACM_VIEW_ENUM_NAME, i))); if (vacm_check_view_contents(newpdu, var->val.objid, var->val_len/sizeof(oid), 0, i, VACM_CHECK_VIEW_CONTENTS_DNE_CONTEXT_OK) == VACM_SUCCESS) { DEBUGMSGTL(("snmptrapd:auth", " result: authorized\n")); ret |= 1 << i; } else { DEBUGMSGTL(("snmptrapd:auth", " result: not authorized\n")); } } DEBUGMSGTL(("snmptrapd:auth", "Final bitmask auth: %x\n", ret)); #endif if (ret) { /* we have policy to at least do "something". Remember and continue. */ lastlookup = ret; #ifndef NETSNMP_DISABLE_SNMPV1 if (newpdu != pdu) snmp_free_pdu(newpdu); #endif return NETSNMPTRAPD_HANDLER_OK; } /* No policy was met, so we drop the PDU from further processing */ DEBUGMSGTL(("snmptrapd:auth", "Dropping unauthorized message\n")); #ifndef NETSNMP_DISABLE_SNMPV1 if (newpdu != pdu) snmp_free_pdu(newpdu); #endif return NETSNMPTRAPD_HANDLER_FINISH; }