authorGerhard Roth <gerhard@cvs.openbsd.org>2013-03-29 12:53:42 +0000
committerGerhard Roth <gerhard@cvs.openbsd.org>2013-03-29 12:53:42 +0000
commitac1640e32d69f9e9d4ad7d666c2938267bad918b (patch)
treed8ec5d9ea555ac2b40c7fccc1ecb3dc8361fbc23
parent3702ed01c938bc0b9101f4d62f327e16a8f0e213 (diff)
Patch from Ilya Bakulin that allows putting snmpd(8) into read-only mode
so that all "set" requests will be rejected. ok reyk@
-rw-r--r--usr.sbin/snmpd/parse.y8
-rw-r--r--usr.sbin/snmpd/snmpd.conf.511
-rw-r--r--usr.sbin/snmpd/snmpd.h3
-rw-r--r--usr.sbin/snmpd/snmpe.c5
4 files changed, 18 insertions, 9 deletions
diff --git a/usr.sbin/snmpd/parse.y b/usr.sbin/snmpd/parse.y
index 5f9c0ecfdb9..f300b0924d2 100644
--- a/usr.sbin/snmpd/parse.y
+++ b/usr.sbin/snmpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.24 2013/03/06 21:42:40 sthen Exp $ */
+/* $OpenBSD: parse.y,v 1.25 2013/03/29 12:53:41 gerhard Exp $ */
/*
* Copyright (c) 2007, 2008, 2012 Reyk Floeter <reyk@openbsd.org>
@@ -118,7 +118,7 @@ typedef struct {
%token LISTEN ON
%token SYSTEM CONTACT DESCR LOCATION NAME OBJECTID SERVICES RTFILTER
%token READONLY READWRITE OCTETSTRING INTEGER COMMUNITY TRAP RECEIVER
-%token SECLEVEL NONE AUTH ENC USER AUTHKEY ENCKEY ERROR
+%token SECLEVEL NONE AUTH ENC USER AUTHKEY ENCKEY ERROR DISABLED
%token <v.string> STRING
%token <v.number> NUMBER
%type <v.string> hostcmn
@@ -218,6 +218,9 @@ main : LISTEN ON STRING {
}
free($3);
}
+ | READWRITE DISABLED {
+ conf->sc_readonly = 1;
+ }
| TRAP COMMUNITY STRING {
if (strlcpy(conf->sc_trcommunity, $3,
sizeof(conf->sc_trcommunity)) >=
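Review bot: The `READWRITE DISABLED` action only sets `conf->sc_readonly` and leaves `sc_rwcommunity` untouched, so the read-write community string (documented default `private`) stays configured in read-only mode. If the community check in the engine also accepts the read-write community for get requests, which this diff does not show, that default string remains a valid read credential even with writes disabled. Nothing in the added alternative rejects a configuration that also carries a `read-write community` line, so both forms can coexist with the flag still set. A comment on the action such as `/* blocks set requests only; sc_rwcommunity is left unchanged */` would make the scope explicit. The `main` rule starts before and continues after this hunk.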
@@ -487,6 +490,7 @@ lookup(char *s)
{ "community", COMMUNITY },
{ "contact", CONTACT },
{ "description", DESCR },
+ { "disabled", DISABLED},
{ "enc", ENC },
{ "enckey", ENCKEY },
{ "filter-routes", RTFILTER },
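Review bot: The new keyword entry is written `DISABLED},` without the space before the closing brace that every neighbouring entry has; `{ "disabled", DISABLED },` would match the table. Its position between "description" and "enc" keeps the list in alphabetical order, which matters if lookup() searches the table with a binary search; that call is outside this hunk.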
diff --git a/usr.sbin/snmpd/snmpd.conf.5 b/usr.sbin/snmpd/snmpd.conf.5
index 2c038eccdc7..10990401e6a 100644
--- a/usr.sbin/snmpd/snmpd.conf.5
+++ b/usr.sbin/snmpd/snmpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: snmpd.conf.5,v 1.21 2012/09/18 10:03:45 reyk Exp $
+.\" $OpenBSD: snmpd.conf.5,v 1.22 2013/03/29 12:53:41 gerhard Exp $
.\"
.\" Copyright (c) 2007, 2008, 2012 Reyk Floeter <reyk@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: September 18 2012 $
+.Dd $Mdocdate: March 29 2013 $
.Dt SNMPD.CONF 5
.Os
.Sh NAME
@@ -89,8 +89,11 @@ Specify the name of the read-only community.
The default value is
.Ar public .
.Pp
-.It Ic read-write community Ar string
-Specify the name of the read-write community.
+.It Xo
+.Ic read-write
+.Pq Ic community Ar string Ic \*(Ba\ disabled
+.Xc
+Specify the name of the read-write community, or disallow writes completely.
The default value is
.Ar private .
.Pp
diff --git a/usr.sbin/snmpd/snmpd.h b/usr.sbin/snmpd/snmpd.h
index c425e9b6af6..66b81e4865d 100644
--- a/usr.sbin/snmpd/snmpd.h
+++ b/usr.sbin/snmpd/snmpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: snmpd.h,v 1.42 2013/03/06 21:42:40 sthen Exp $ */
+/* $OpenBSD: snmpd.h,v 1.43 2013/03/29 12:53:41 gerhard Exp $ */
/*
* Copyright (c) 2007, 2008, 2012 Reyk Floeter <reyk@openbsd.org>
@@ -421,6 +421,7 @@ struct snmpd {
int sc_rtfilter;
int sc_min_seclevel;
+ int sc_readonly;
};
/* control.c */
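Review bot: The new `sc_readonly` field is a security-relevant switch but has no comment stating its meaning or its default; something like `int sc_readonly; /* non-zero: refuse all set requests */` would document it. No line in this diff initialises the field, so the writable default presumably depends on the structure being zero-allocated where the configuration is created; that is worth confirming, since an uninitialised value would change the access policy. struct snmpd begins outside this hunk.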
diff --git a/usr.sbin/snmpd/snmpe.c b/usr.sbin/snmpd/snmpe.c
index 89a9804dbdb..e4f7c7827eb 100644
--- a/usr.sbin/snmpd/snmpe.c
+++ b/usr.sbin/snmpd/snmpe.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: snmpe.c,v 1.32 2012/11/29 14:53:24 yasuoka Exp $ */
+/* $OpenBSD: snmpe.c,v 1.33 2013/03/29 12:53:41 gerhard Exp $ */
/*
* Copyright (c) 2007, 2008, 2012 Reyk Floeter <reyk@openbsd.org>
@@ -697,7 +697,8 @@ snmpe_parse(struct sockaddr_storage *ss,
ber_free_elements(c);
goto varfail;
case SNMP_C_SETREQ:
- if (mps_setreq(b, &o) == 0)
+ if (env->sc_readonly == 0
+ && mps_setreq(b, &o) == 0)
break;
msg->sm_error = SNMP_ERROR_READONLY;
goto varfail;
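Review bot: A set request refused because of `sc_readonly` takes the same silent path as one where `mps_setreq()` fails, so an operator running the agent read-only gets no record that a write was attempted. Adding `if (env->sc_readonly)` followed by `log_debug("snmpe_parse: set request rejected, read-only mode");` ahead of the existing condition would give that visibility; debug level keeps a burst of requests from flooding the log. The check sits inside the per-varbind switch, so the refusal happens only after the message has passed the earlier community and parsing steps, which are outside this hunk. As a smaller point, the continuation line starts with `&&`, while ending the first line with the operator is the more usual layout.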