[asterisk-dev] documentation issue: snmpd agentx permissions

Stephane Chazelas stephane.chazelas at seebyte.com
Tue Sep 13 07:10:44 CDT 2011


Hi,

in doc/AST.txt (there seems to be a formatting issue with that
file BTW), we read:

doc> To enable access to the Asterisk SNMP subagent from a master SNMP daemon, one will need
doc> to enable AgentX support, and also make sure that Asterisk will be able to access the Unix
doc> domain socket. One way of doing this is to add the following to /etc/snmp/snmpd.conf:
doc>
doc> # Enable AgentX support
doc> master agentx
doc> # Set permissions on AgentX socket and containing
doc> # directory such that process in group 'asterisk'
doc> # will be able to connect
doc> agentXPerms 0660 0550 nobody asterisk
doc> This assumes that you run Asterisk under group 'asterisk' (and does not care what user you run
doc> as).

That is wrong. The "nobody" user should never be given any
privilege (here the right to write to that socket but also to
change its permissions as it's the owner).

agentXPerms 0660 0550 root asterisk
or
agentXPerms 0660 0755 root asterisk

would be better, but best would be to have a dedicated group
allowed to connect to the agentx socket and make the user
running asterisk a member of that group, so that other
non-asterisk agents beside asterisk can connect.

like:
agentXPerms 0660 0755 root snmp-agentx

Note that that mistake is replicated in many places on the
web:
http://www.google.com/search?q=%22agentXPerms+0660+0550+nobody+asterisk%22

Best regards,
Stephane
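
The check described in the message above, as an added example that is not part of the original post or of the Asterisk documentation: a Python function that scans snmpd.conf text for agentXPerms lines and flags a shared account as socket owner or group, and any access granted to "other". The names audit_agentx_perms, SHARED_ACCOUNTS and SAMPLE_CONF are made up for this sketch, and the sample configuration is constructed.

```python
# Accounts shared by unrelated unprivileged processes; they should not own
# the AgentX socket or be its group (assumed list, extend for your platform).
SHARED_ACCOUNTS = {"nobody", "nogroup"}

# Constructed sample: line 2 is the documented setting criticised above,
# line 4 is the dedicated-group setting suggested above, line 5 is made up.
SAMPLE_CONF = """\
master agentx
agentXPerms 0660 0550 nobody asterisk
# agentXPerms 0666 0777 nobody nobody
agentXPerms 0660 0755 root snmp-agentx
agentXPerms 0666 0755 root asterisk
"""


def audit_agentx_perms(conf_text):
    """Return [(line_no, code, detail)] for risky agentXPerms directives.

    snmpd.conf syntax: agentXPerms SOCKPERMS [DIRPERMS [USER|UID [GROUP|GID]]]
    """
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 2 or fields[0].lower() != "agentxperms":
            continue
        try:
            sock_mode = int(fields[1], 8)  # modes are written in octal
        except ValueError:
            findings.append((no, "bad-mode", f"socket mode {fields[1]!r} is not octal"))
            continue
        owner = fields[3] if len(fields) > 3 else None
        group = fields[4] if len(fields) > 4 else None
        if owner in SHARED_ACCOUNTS:
            # The owner can connect and can also change the socket's mode.
            findings.append((no, "shared-owner", f"socket owned by '{owner}'"))
        if group in SHARED_ACCOUNTS:
            findings.append((no, "shared-group", f"socket group is '{group}'"))
        if sock_mode & 0o007:
            # Any "other" bit opens the socket beyond the owner and group.
            findings.append((no, "world-access", f"socket mode {sock_mode:04o}"))
    return findings


if __name__ == "__main__":
    for no, code, detail in audit_agentx_perms(SAMPLE_CONF):
        print(f"line {no}: {code}: {detail}")
```
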


