The UK Home Automation Archive


Re: [OT]Adding MIBs to netSNMP



Heh, I stumbled on the SNMP modules for PHP whilst reading the docos the other day and may play with them in the future.

Q is: how secure do you want things? Just tighten up the nobody account:
nobody:x:99:99:Nobody:/:/sbin/nologin

/sbin/nologin is a must: $HOME = /home/nobody (would change this from /)...

Try to ensure nobody has no access to critical files on your box.

If you own the webserver and the user nobody you should really have nothing to worry about.... I have had instances where I had to hack apache to run suid (root), dangerous shit, again no problems with security because I control the scripts....

Finally and primarily, ensure your PHP scripts don't give hackers a backdoor, e.g. foo.php?path=somepathonfilesystem (u know, silly stuff like that).

Better way / paranoia mode? Have a system script or daemon that does your SNMP and PHP reads or talks to it.

Sometimes it's good to be over secure, sometimes not.... The amount of times I have been locked out for being over secure is unreal... I once had to bounce off 2 SSH proxies to get into a box, sheesh.

Sweet dreams,
Shaf

----- Original Message -----
From: "Dean Smith" <ukha@xxxxxxx>
To: "Ukha_D@Yahoogroups. Com" <ukha_d@xxxxxxx>
Sent: Sunday, November 23, 2003 4:47 PM
Subject: [ukha_d] [OT]Adding MIBs to netSNMP


> I know there are a few *nix Gurus around so wondering if anyone can help...
>
> I have some software which uses NetSNMP via some PHP pages running via
> apache and I have a custom MIB I am looking at. I can use the MIB to get
> names for OIDs via the command line by either forcing the command line util
> to use all my MIBs (-m ALL) or by adding it to $HOME/.snmp/snmp.conf.
>
> Now as far as I can tell a PHP script is executed by apache as user
> "nobody". On my install (a pretty default RedHat8 + Apache) the home dir for
> "nobody" is "/". So I added a "/.snmp" dir and snmp.conf file, then set
> owner and group to "nobody". Now it works - the PHP script is making use of
> the new custom MIB ..... BUT
>
> Is this safe? Is there a better way?
>
> Thanks
>
> Dean
>
> ls -al .*
>
> .snmp:
> total 12
> drwxr-xr-x    2 nobody   nobody       4096 Nov 23 16:37 .
> drwxr-xr-x   20 root     root         4096 Nov 23 16:37 ..
> -rw-r--r--    1 nobody   nobody         10 Nov 23 16:37 snmp.conf
>
>
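
The `foo.php?path=somepathonfilesystem` problem mentioned in the reply above, shown from the defending side as an added example that is not part of the original thread: a PHP helper that only accepts file names resolving to real files inside one fixed directory. The function name `resolve_inside`, the throwaway demo directory and `DEMO-MIB.txt` are assumptions made for illustration, and the sample requests are constructed.

```php
<?php
// Added example (not from the thread). resolve_inside() and the sample
// directory/file names are hypothetical; sample data is constructed.

/**
 * Map a user-supplied file name to a real file inside $baseDir.
 * Returns the canonical path, or null if the request must be refused.
 */
function resolve_inside(string $baseDir, string $userInput): ?string
{
    // Empty names and embedded NUL bytes are never legitimate file names.
    if ($userInput === '' || strpos($userInput, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "." and ".." and follows symlinks; it returns
    // false when the target does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userInput);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare against "base/" so that "/srv/mibs-old" cannot pass as "/srv/mibs".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo: one allowed file in a throwaway directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'mibdemo_' . getmypid();
mkdir($base, 0700);
file_put_contents($base . '/DEMO-MIB.txt', "-- constructed sample\n");

$requests = ['DEMO-MIB.txt', '../../etc/passwd', '/etc/passwd', "DEMO-MIB.txt\0.php"];
foreach ($requests as $input) {
    $path = resolve_inside($base, $input);
    printf("%-22s %s\n", addcslashes($input, "\0"), $path === null ? 'refused' : 'allowed');
}

unlink($base . '/DEMO-MIB.txt');
rmdir($base);
```

The check runs on the canonical path after `realpath()`, so a symlink inside the directory that points elsewhere is refused as well.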



