Vendor fix: make the default read and write communities NULL. This

basically disables any access unless other strings are set in the config
file. Note, that there is no way to set the communities back to NULL once
they're set to something not NULL.

2 files changed, 17 insertions, 3 deletions

diff --git a/contrib/bsnmp/snmpd/main.c b/contrib/bsnmp/snmpd/main.c
index 37ae33e7bc21..02ae93e2e838 100644
--- a/contrib/bsnmp/snmpd/main.c
+++ b/contrib/bsnmp/snmpd/main.c
@@ -1462,8 +1462,8 @@ main(int argc, char *argv[])
 	/*
 	 * Get standard communities
 	 */
-	(void)comm_define(1, "SNMP read", NULL, "public");
-	(void)comm_define(2, "SNMP write", NULL, "public");
+	(void)comm_define(1, "SNMP read", NULL, NULL);
+	(void)comm_define(2, "SNMP write", NULL, NULL);
 	community = COMM_INITIALIZE;
 
 	trap_reqid = reqid_allocate(512, NULL);
diff --git a/contrib/bsnmp/snmpd/snmpd.config b/contrib/bsnmp/snmpd/snmpd.config
index 8de767cc1ab5..4b018e82285e 100644
--- a/contrib/bsnmp/snmpd/snmpd.config
+++ b/contrib/bsnmp/snmpd/snmpd.config
@@ -42,6 +42,8 @@ traphost := noc.bar.com
 trapport := 162
 
 read := "public"
+# Uncomment the line below that sets the community string
+# to enable write access.
 write := "geheim"
 trap := "mytrap"
 
@@ -52,8 +54,20 @@ trap := "mytrap"
 begemotSnmpdDebugDumpPdus	= 2
 begemotSnmpdDebugSyslogPri	= 7
 
+#
+# Set the read and write communities.
+#
+# The default value of the community strings is NULL (note, that this is
+# different from the empty string). This disables both read and write access.
+# To enable read access only the read community string must be set. Setting
+# the write community string enables both read and write access with that
+# string.
+#
+# Be sure to understand the security implications of SNMPv2 - the community
+# strings are readable on the wire!
+#
 begemotSnmpdCommunityString.0.1	= $(read)
-begemotSnmpdCommunityString.0.2	= $(write)
+# begemotSnmpdCommunityString.0.2	= $(write)
 begemotSnmpdCommunityDisable	= 1
 
 # open standard SNMP ports