Configuring net-snmp (snmpwalk command) access to /bin

Hi everyone,

I’m very new here (and the field in general), so I appreciate your patience if there’s a simple solution to this.

I am trying to test a simple echo 'Hi' script in my /tmp directory by having snmpwalk print the output of the NET-SNMP-EXTEND-MIB. I’ve decided to change this to /bin, however. I configured the extend directive in the appropriate snmpd.conf to point to this script, and all the typical rwx permissions for the script look fine at first glance.

nsExtendCommand shows the correct script mapped in the output of the snmpwalk, but the nsExtendOutputFull shows a blank string, with an nsExtendResult of integer 1. This leads me to believe there’s still something in the way of snmpwalk getting to the script. I confirmed this by putting the script in the /var/snap/net-snmp/27 directory, adjusting the extend directive in the snmpd.conf file to point to the script, and getting the desired output I’m looking for.

I’ve looked into AppArmor profiles that may be to blame, but the two that were sticking out to me (snap.net-snmp.snmpwalk and snap.net-snmp.snmpd) did not yield results when I added a /bin/script rix access rule. I also tried temporarily disabling the profiles, but that caused the net-snmp service to go down (at least from the perspective of OpenNMS, which is the bigger project I’ve been trying to configure and test).

I’m now thinking it has to do with the snapcraft.yaml configurations for the net-snmp package. Only the network and network-bind plugs show as configured in the snap connections net-snmp output. I’ve read that configuring the system-files interface would probably be necessary to let snmpwalk access /bin, is that correct? And if so, do I need to reinstall the whole package to manage this?

Any help would be appreciated!
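As an added example (not part of this thread, and not net-snmp's own tooling), here is a POSIX shell script that reads the NET-SNMP-EXTEND-MIB rows returned by snmpwalk and classifies each extend entry by its nsExtendResult and nsExtendOutputFull, so the symptom described above (result 1 with an empty output string) is reported as a failed entry instead of being buried in the walk. The snmpwalk output below is a constructed sample; the extend names `hello` and `sandboxed` and the script paths are hypothetical.

```shell
#!/bin/sh
# Added example: classify NET-SNMP-EXTEND-MIB rows from snmpwalk output.
# The sample is constructed to mirror the symptom in the post: one extend entry
# whose command lives outside the snap sandbox and one inside $SNAP_DATA.

# Constructed sample of:
#   snmpwalk -v2c -c <community> localhost NET-SNMP-EXTEND-MIB::nsExtendObjects
SAMPLE_WALK='NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 2
NET-SNMP-EXTEND-MIB::nsExtendCommand."hello" = STRING: /bin/hello.sh
NET-SNMP-EXTEND-MIB::nsExtendCommand."sandboxed" = STRING: /var/snap/net-snmp/27/hello.sh
NET-SNMP-EXTEND-MIB::nsExtendResult."hello" = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendResult."sandboxed" = INTEGER: 0
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."hello" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."sandboxed" = STRING: Hi'

# extend_field WALK OBJECT NAME -> value of the row NET-SNMP-EXTEND-MIB::OBJECT."NAME"
extend_field() {
    printf '%s\n' "$1" | sed -n "s/^NET-SNMP-EXTEND-MIB::$2\.\"$3\" = [A-Z]*: *//p"
}

# extend_names WALK -> one extend name per line, taken from the nsExtendCommand rows
extend_names() {
    printf '%s\n' "$1" | sed -n 's/^NET-SNMP-EXTEND-MIB::nsExtendCommand\."\([^"]*\)".*/\1/p'
}

# diagnose_extend WALK NAME -> prints one status line; returns 1 when the entry failed
diagnose_extend() {
    cmd=$(extend_field "$1" nsExtendCommand "$2")
    result=$(extend_field "$1" nsExtendResult "$2")
    output=$(extend_field "$1" nsExtendOutputFull "$2")
    if [ "$result" = "0" ] && [ -n "$output" ]; then
        printf '%s OK: %s -> %s\n' "$2" "$cmd" "$output"
        return 0
    fi
    # nsExtendResult is the exit status snmpd observed for the command. A non-zero
    # status together with empty output means the command did not run successfully;
    # for a snapped snmpd this is consistent with a path the sandbox cannot reach.
    printf '%s FAIL: %s exited %s with empty output; check that snmpd can reach that path\n' \
        "$2" "$cmd" "${result:-?}"
    return 1
}

# diagnose_walk WALK -> one line per extend entry; exit status = number of failed entries
diagnose_walk() {
    failures=0
    for name in $(extend_names "$1"); do
        diagnose_extend "$1" "$name" || failures=$((failures + 1))
    done
    return "$failures"
}

# Stand-alone use on the constructed sample; replace SAMPLE_WALK with a real capture.
diagnose_walk "$SAMPLE_WALK" || echo "$? extend entries failed"
```

On the sample this prints `hello FAIL: /bin/hello.sh exited 1 with empty output` and `sandboxed OK`, which is exactly the split between a script outside the snap's view and one inside `/var/snap/net-snmp/27`. Names are assumed to contain no whitespace or regex metacharacters.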

The /tmp directory is snap specific and not shared outside of the sandbox, so if you want to put anything into /tmp it must happen from within the snap environment…

Is there any way to configure access to limited resources outside of the sandbox?

Yes that is what interfaces are for, what exactly do you want to share how/where?

I’m eventually trying to have net-snmp access a service monitor script that I’m putting on the localhost. So far, I was just testing an echo script to make sure it was able to access correctly.

I guess I can just put the monitor in the sandboxed /tmp directory (tested this and it worked), but for better understanding of the interfaces in practice, I think it would be good to know how to set up an appropriate interface in a case like this. Let’s just say in this simplified case, the snap environment would just need to access/execute that single file on the localhost.

I will look at the documentation for that to see if I have other concerns.

Thank you for clarifying the sandboxing!
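Before exposing a host script to the snap through an interface, it is worth auditing what the `extend` directives in snmpd.conf actually point at, since whatever sits at that path runs every time the OID is polled. The following is an added example, not code from this thread or from net-snmp: it builds a throwaway snmpd.conf and scripts in a temporary directory (constructed data) and flags targets that are missing, not executable, or world-writable. The extend names `hello`, `loose` and `gone` are hypothetical.

```shell
#!/bin/sh
# Added example: audit the scripts named by `extend` directives in an snmpd.conf.
# Everything is created under a temporary directory, so this runs offline.

# audit_extend_script PATH -> prints one line per problem; returns 0 when clean
audit_extend_script() {
    path=$1
    problems=0
    if [ ! -f "$path" ]; then
        echo "$path: missing (snmpd will report a non-zero nsExtendResult)"
        return 1
    fi
    [ -x "$path" ] || { echo "$path: not executable"; problems=1; }
    # World-writable: any local user could change what snmpd runs on each query.
    mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
    case $mode in
        *[2367]) echo "$path: world-writable (mode $mode)"; problems=1 ;;
    esac
    return $problems
}

# audit_snmpd_conf CONF -> audits each `extend [-cacheTime N] NAME PROG [ARGS]` line;
# exit status = number of targets with problems. Paths are assumed to contain no spaces.
audit_snmpd_conf() {
    failures=0
    for prog in $(awk '/^[[:space:]]*extend[[:space:]]/ { i = 2; if ($2 ~ /^-/) i = 4; print $(i + 1) }' "$1"); do
        audit_extend_script "$prog" || failures=$((failures + 1))
    done
    return "$failures"
}

# make_demo -> creates a constructed snmpd.conf pointing at a clean script,
# a world-writable script and a path that does not exist; prints the directory.
make_demo() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho Hi\n' > "$dir/ok.sh";  chmod 755 "$dir/ok.sh"
    printf '#!/bin/sh\necho Hi\n' > "$dir/bad.sh"; chmod 777 "$dir/bad.sh"
    printf 'extend hello %s\nextend -cacheTime 30 loose %s\nextend gone %s\n' \
        "$dir/ok.sh" "$dir/bad.sh" "$dir/missing.sh" > "$dir/snmpd.conf"
    echo "$dir"
}

DEMO=$(make_demo)
# Stand-alone use on the constructed config; point it at a real snmpd.conf instead.
audit_snmpd_conf "$DEMO/snmpd.conf" || echo "$? extend target(s) need attention"
```

On the constructed config this reports the world-writable script and the missing one and exits with status 2. For the snapped snmpd, the same check only tells you the host-side state of the file; whether the confined daemon can reach it is a separate question answered by the interface configuration.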
