Bug 110931

Summary: snmpd opens port 199 (smux) even if smuxpeer isn't present
Product: Red Hat Enterprise Linux 3 Reporter: Bastien Nocera <bnocera>
Component: net-snmpAssignee: Radek Vokál <rvokal>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 3.0CC: jan.iven, pere_camps, rvokal
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-08-17 08:09:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Bastien Nocera 2003-11-25 16:41:39 UTC 
-(~)-> sudo rpm -Uvh /tmp/net-snmp-5.0.8-11.i386.rpm
/tmp/beecrypt-3.0.1-0.20030630.i386.rpm
Preparing...               
########################################### [100%]
   1:beecrypt              
########################################### [ 50%]
   2:net-snmp              
########################################### [100%]
-(~)-> chkconfig --list | grep snmp
snmpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
snmptrapd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
-(~)-> sudo service snmpd start
Starting snmpd:                                            [  OK  ]
-(~)-> netstat -a | grep smux
tcp        0      0 *:smux                  *:*                     LISTEN
-(~)-> grep smux /etc/snmp/snmpd.conf
-(~)->
Comment 1 Radek Vokál 2004-08-17 08:09:24 UTC 
Smux is automatically initiated by snmpd

http://www.networksorcery.com/enp/rfc/rfc1227.txt
Comment 2 Jan Iven 2005-12-06 11:38:41 UTC 
As per RFC1227:
  [..] This mechanism would be local to the host.

We open a TCP port bound to default address, i.e. visible on the network in general.
In addition, SMUX appears to have been deprecated in favour of agentX,
RFC2741/2, and apparently would only be useful for some legacy applications. The
code is old, and opening SMUX even if not configured is exposing the host to
unneccesary risk (even if access control is supposed to happen on such
connections). Binding to localhost only would also enhance the host security.

A patch exists at
http://lists.quagga.net/pipermail/quagga-dev/2004-October/001617.html
that promises to turn off SMUX unless (one or more) smuxpeers have explicitly
been configured.

"How to turn off SMUX" is actually a FAQ for net-snmp, see
http://www.net-snmp.org/docs/FAQ.html#How_can_I_turn_off_SMUX_support_ (the
workaround there is probably nothing one would like on a production system).

Please re-open.