int
vacm_warn_if_not_configured(int majorID, int minorID, void *serverarg,
void *clientarg)
{
const char * name = netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID,
NETSNMP_DS_LIB_APPTYPE);
const int agent_mode = netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID,
NETSNMP_DS_AGENT_ROLE);
if (NULL==name)
name = "snmpd";
if (!vacm_is_configured()) {
/*
* An AgentX subagent relies on the master agent to apply suitable
* access control checks, so doesn't need local VACM configuration.
* The trap daemon has a separate check (see below).
*
* Otherwise, an AgentX master or SNMP standalone agent requires some
* form of VACM configuration. No config means that no incoming
* requests will be accepted, so warn the user accordingly.
*/
if ((MASTER_AGENT == agent_mode) && (strcmp(name, "snmptrapd") != 0)) {
snmp_log(LOG_WARNING,
"Warning: no access control information configured.\n"
" (Config search path: %s)\n"
" It's unlikely this agent can serve any useful purpose in this state.\n"
" Run \"snmpconf -g basic_setup\" to help you "
"configure the %s.conf file for this agent.\n",
get_configuration_directory(), name);
}
/*
* The trap daemon implements VACM-style access control for incoming
* notifications, but offers a way of turning this off (for backwards
* compatability). Check for this explicitly, and warn if necessary.
*
* NB: The NETSNMP_DS_APP_NO_AUTHORIZATION definition is a duplicate
* of an identical setting in "apps/snmptrapd_ds.h".
* These two need to be kept in synch.
*/
#ifndef NETSNMP_DS_APP_NO_AUTHORIZATION
#define NETSNMP_DS_APP_NO_AUTHORIZATION 17
#endif
if (!strcmp(name, "snmptrapd") &&
!netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID,
NETSNMP_DS_APP_NO_AUTHORIZATION)) {
snmp_log(LOG_WARNING,
"Warning: no access control information configured.\n"
" (Config search path: %s)\n"
"This receiver will *NOT* accept any incoming notifications.\n",
get_configuration_directory());
}
}
return SNMP_ERR_NOERROR;
}
/**
* Authorizes incoming notifications for further processing
*/
int
netsnmp_trapd_auth(netsnmp_pdu *pdu,
netsnmp_transport *transport,
netsnmp_trapd_handler *handler)
{
int ret = 0;
oid snmptrapoid[] = { 1,3,6,1,6,3,1,1,4,1,0 };
size_t snmptrapoid_len = OID_LENGTH(snmptrapoid);
int i;
netsnmp_pdu *newpdu = pdu;
netsnmp_variable_list *var;
/* check to see if authorization was not disabled */
if (netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID,
NETSNMP_DS_APP_NO_AUTHORIZATION)) {
DEBUGMSGTL(("snmptrapd:auth",
"authorization turned off: not checking\n"));
return NETSNMPTRAPD_HANDLER_OK;
}
/* bail early if called illegally */
if (!pdu || !transport || !handler)
return NETSNMPTRAPD_HANDLER_FINISH;
/* convert to v2 so we can check it in a consistent manner */
#ifndef NETSNMP_DISABLE_SNMPV1
if (pdu->version == SNMP_VERSION_1) {
newpdu = convert_v1pdu_to_v2(pdu);
if (!newpdu) {
snmp_log(LOG_ERR, "Failed to duplicate incoming PDU. Refusing to authorize.\n");
return NETSNMPTRAPD_HANDLER_FINISH;
}
}
#endif
if (!vacm_is_configured()) {
#ifndef NETSNMP_DISABLE_SNMPV1
if (newpdu != pdu)
snmp_free_pdu(newpdu);
#endif
snmp_log(LOG_WARNING, "No access configuration - dropping trap.\n");
return NETSNMPTRAPD_HANDLER_FINISH;
}
/* loop through each variable and find the snmpTrapOID.0 var
indicating what the trap is we're staring at. */
for (var = newpdu->variables; var != NULL; var = var->next_variable) {
if (netsnmp_oid_equals(var->name, var->name_length,
snmptrapoid, snmptrapoid_len) == 0)
break;
}
/* make sure we can continue: we found the snmpTrapOID.0 and its an oid */
if (!var || var->type != ASN_OBJECT_ID) {
snmp_log(LOG_ERR, "Can't determine trap identifier; refusing to authorize it\n");
#ifndef NETSNMP_DISABLE_SNMPV1
if (newpdu != pdu)
snmp_free_pdu(newpdu);
#endif
return NETSNMPTRAPD_HANDLER_FINISH;
}
#ifdef USING_MIBII_VACM_CONF_MODULE
/* check the pdu against each typo of VACM access we may want to
check up on later. We cache the results for future lookup on
each call to netsnmp_trapd_check_auth */
for(i = 0; i < VACM_MAX_VIEWS; i++) {
/* pass the PDU to the VACM routine for handling authorization */
DEBUGMSGTL(("snmptrapd:auth", "Calling VACM for checking phase %d:%s\n",
i, se_find_label_in_slist(VACM_VIEW_ENUM_NAME, i)));
if (vacm_check_view_contents(newpdu, var->val.objid,
var->val_len/sizeof(oid), 0, i,
VACM_CHECK_VIEW_CONTENTS_DNE_CONTEXT_OK)
== VACM_SUCCESS) {
DEBUGMSGTL(("snmptrapd:auth", " result: authorized\n"));
ret |= 1 << i;
} else {
DEBUGMSGTL(("snmptrapd:auth", " result: not authorized\n"));
}
}
DEBUGMSGTL(("snmptrapd:auth", "Final bitmask auth: %x\n", ret));
#endif
if (ret) {
/* we have policy to at least do "something". Remember and continue. */
lastlookup = ret;
#ifndef NETSNMP_DISABLE_SNMPV1
if (newpdu != pdu)
snmp_free_pdu(newpdu);
#endif
return NETSNMPTRAPD_HANDLER_OK;
}
/* No policy was met, so we drop the PDU from further processing */
DEBUGMSGTL(("snmptrapd:auth", "Dropping unauthorized message\n"));
#ifndef NETSNMP_DISABLE_SNMPV1
if (newpdu != pdu)
snmp_free_pdu(newpdu);
#endif
return NETSNMPTRAPD_HANDLER_FINISH;
}
