[dnsdist] dnsdist 1.5.1 on Debian 10.8: snmpd socket and privileges

Aleš Rygl ales at rygl.net
Tue Feb 23 21:28:07 UTC 2021 

On 23. 02. 21 20:29, Mark Moseley via dnsdist wrote:
> On Tue, Feb 23, 2021 at 7:49 AM Remi Gacogne via dnsdist 
> <dnsdist at mailman.powerdns.com <mailto:dnsdist at mailman.powerdns.com>> 
> wrote:
>
>     Hi Aleš,
>
>     On 2/23/21 4:35 PM, Aleš Rygl via dnsdist wrote:
>     > My idea was that changing mode of agentx directory above to 755
>     could
>     > help but it is not like that. I had to force dnsdist to run with
>     root
>     > privileges to make it work again.
>     >
>     > What should be the correct setup to run dnsdist under _dnsdist
>     account
>     > again and SNMP enabled?
>
>     I _think_ you should be able to change the permissions on the
>     directory
>     once, and it should stay that way, but you probably also need to
>     set the
>     permissions on the socket itself. The documentation [1] states
>     that you
>     can do that in snmpd.conf, and our own CI actually does:
>
>     agentxperms 0700 0755
>
>     Which should set the socket permissions to 0700 and the directory
>     permissions to 0755. So if the socket is owned by _dnsdist, I
>     think that
>     should work:
>
>     agentxperms 0700 0755 _dnsdist _dnsdist
>
>
> Or if you need to play nice with other things on the system (maybe 
> other subagents are running):
>
> agentxperms 0770 0770 root agentxusers
>
> and create a unix group called 'agentxusers' with _dnsdist in it (and 
> then you can add other users requiring subagent access to that group)
>
Hi Remi,

Thanks for your immediate response. It works like a magic! Now I 
remember there were such options in snmd.conf.  I should have read the 
documentation more carefully before asking :-) The only thing I can say 
to my apology is that there was no need to touch previous version for 
more than eight months! Amazing!

@Mark, thanks. I was also considering this option.

Cheers

Ales

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20210223/25963399/attachment.htm>

More information about the dnsdist mailing list