Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

snmpsim import error while running with root #53

Closed
dhilst opened this issue Jan 6, 2019 · 16 comments
Closed

snmpsim import error while running with root #53

dhilst opened this issue Jan 6, 2019 · 16 comments

Comments

@dhilst
Copy link

dhilst commented Jan 6, 2019

Hi

I'm trying to use snmpsim to simulate response from a switch. I need to open 161 port to get the management end fooled by snmpsim. I ran it as normal user without problems but when I ran it as root it gives-me an error.

(snmpsim-env) [root@management ~]# snmpsimd.py --data-dir ./data --agent-udpv4-endpoint=192.168.123.2:1611 --process-user=nobody --process-group=nobody
Scanning "/root/.snmpsim/variation" directory for variation modules...
Directory "/root/.snmpsim/variation" does not exist
Scanning "/root/snmpsim-env/snmpsim/variation" directory for variation modules...
Directory "/root/snmpsim-env/snmpsim/variation" does not exist
Scanning "/root/snmpsim-env/share/snmpsim/variation" directory for variation modules...
Directory "/root/snmpsim-env/share/snmpsim/variation" does not exist
Scanning "/root/snmpsim-env/lib/python2.7/site-packages/snmpsim/variation" directory for variation modules...
Directory "/root/snmpsim-env/lib/python2.7/site-packages/snmpsim/variation" does not exist
ERROR: SNMPv3 Engine initialization failed, EngineID "auto": local variable 'p' referenced before assignment
(snmpsim-env) [root@management ~]#

Regards

@dhilst
Copy link
Author

dhilst commented Jan 6, 2019

I tried to run this on Fedora with python3 and 2, and on Centos7 with python 2. In both distros it works with normal user but doesn't with root. The nobody group is present on both systems.

Here is pip freeze

(snmpsim-env) [root@management ~]# pip freeze
ply==3.11
pyasn1==0.4.5
pycryptodomex==3.7.2
pysmi==0.3.3
pysnmp==4.4.8
snmpsim==0.4.5

@etingof
Copy link
Owner

etingof commented Jan 6, 2019

I can't reproduce this issue so far. Is there any traceback revealing line number? Or may be you could run snmpsimd with --debug all in hope that this will give us more hints on where exactly it fails?

@dhilst
Copy link
Author

dhilst commented Jan 7, 2019

I can get a stack trace for you, I track it down to the pysnmp, an import error happens at ZipMibBuider or something like this. I send it to you tonight! (I'm not in home now)

@dhilst
Copy link
Author

dhilst commented Jan 7, 2019

ImportError here https://github.com/etingof/pysnmp/blob/master/pysnmp/smi/builder.py#L161
and them it follows to https://github.com/etingof/pysnmp/blob/master/pysnmp/smi/builder.py#L229 where listdir fails before p is assigned, and is referred here: https://github.com/etingof/pysnmp/blob/master/pysnmp/smi/builder.py#L239

I was trying to get something alike with normal user but it seems to take totally different path. I notice that ZipMibSource was never invoked with user. The same break points aren't reached. What I could see is that with root it enters at https://github.com/etingof/snmpsim/blob/master/scripts/snmpsimd.py#L1200 where the user doesn't. It could be something on my environment? I have a VM where is triggering this behavior, I can share with you.

@dhilst
Copy link
Author

dhilst commented Jan 8, 2019

Here it is:

(snmpsim) [root@localhost ~]# snmpsimd.py --data-dir ./data --agent-udpv4-endpoint=192.168.123.1:1611 --process-user=nobody --process-group=nobody
Scanning "/root/.snmpsim/variation" directory for variation modules...
Directory "/root/.snmpsim/variation" does not exist
Scanning "/root/snmpsim/snmpsim/variation" directory for variation modules...
Directory "/root/snmpsim/snmpsim/variation" does not exist
Scanning "/root/snmpsim/share/snmpsim/variation" directory for variation modules...
Directory "/root/snmpsim/share/snmpsim/variation" does not exist
Scanning "/root/snmpsim/lib64/python3.6/site-packages/snmpsim/variation" directory for variation modules...
Directory "/root/snmpsim/lib64/python3.6/site-packages/snmpsim/variation" does not exist
> /root/snmpsim/lib64/python3.6/site-packages/pysnmp/smi/builder.py(240)_getData()
(Pdb) bt
  /root/snmpsim/bin/snmpsimd.py(1363)<module>()
  /root/snmpsim/lib64/python3.6/site-packages/pysnmp/entity/engine.py(63)__init__()
  /root/snmpsim/lib64/python3.6/site-packages/pysnmp/proto/rfc3412.py(32)__init__()
  /root/snmpsim/lib64/python3.6/site-packages/pysnmp/smi/builder.py(381)loadModules()
  /root/snmpsim/lib64/python3.6/site-packages/pysnmp/smi/builder.py(321)loadModule()
  /root/snmpsim/lib64/python3.6/site-packages/pysnmp/smi/builder.py(81)read()
> /root/snmpsim/lib64/python3.6/site-packages/pysnmp/smi/builder.py(240)_getData()
(Pdb) why
PermissionError(13, 'Permission denied')
(Pdb) 

@dhilst
Copy link
Author

dhilst commented Jan 8, 2019

This may be useful too:

(Pdb) self._srcName
'pysnmp.smi.mibs'
(Pdb) 

@etingof
Copy link
Owner

etingof commented Jan 8, 2019

Thank you for the thorough report! This reminds me that we've had similar problem in OpenStack...

Commit etingof/pysnmp@fd7f6a7 in the release-4.4.9 branch should have fixed this problem.

I wonder if you could give it a try before I make a release?

@dhilst
Copy link
Author

dhilst commented Jan 9, 2019

For sure! I will ask you some patience since my Fedora died at the last update, I still have the VMs, as soon as I have my desk up to date I check it out for you. Regards!

@etingof
Copy link
Owner

etingof commented Jan 10, 2019

No worries, take your time!

@dhilst
Copy link
Author

dhilst commented Jan 14, 2019

I have another problem right now, the release-4.4.9. dropPrivileges('nobody, 'nobody') break SnmpEngine()

(snmpsim-env) [root@localhost ~]# python
Python 3.7.2 (default, Jan  3 2019, 09:14:01) 
[GCC 8.2.1 20181215 (Red Hat 8.2.1-6)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pysnmp.entity.engine import SnmpEngine
>>> from snmpsim.daemon import dropPrivileges
>>> 
>>> SnmpEngine()
SnmpEngine(snmpEngineID=<SnmpEngineID value object at 0x7fd6ac757198 tagSet <TagSet object at 0x7fd6af2dcc88 tags 0:0:4> subtypeSpec <ConstraintsIntersection object at 0x7fd6ac757358 consts <ValueSizeConstraint object at 0x7fd6af2b8080 consts 0, 65535>, <ValueSizeConstraint object at 0x7fd6ac757320 consts 5, 32>> encoding iso-8859-1 payload [0x80004fb8056c6f...63616c6413be2f88]>)
>>> 
>>> 
>>> dropPrivileges('nobody', 'nobody')
>>> SnmpEngine()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/root/snmpsim-env/lib64/python3.7/site-packages/pysnmp/entity/engine.py", line 91, in __init__
  File "/root/snmpsim-env/lib64/python3.7/site-packages/pysnmp/smi/builder.py", line 426, in importSymbols
pysnmp.smi.error.MibNotFoundError: No module __SNMP-FRAMEWORK-MIB loaded at <pysnmp.smi.builder.MibBuilder object at 0x7fd6ac770be0>
>>> 

@dhilst
Copy link
Author

dhilst commented Jan 14, 2019

This is a better way of running the test:

from unittest import TestCase, main

from snmpsim.daemon import dropPrivileges
from pysnmp.entity.engine import SnmpEngine


class DropPrivileges(TestCase):
    def test_dropPrivileges(self):
        'SnmpEngine should work after dropping privileges' 
        dropPrivileges('nobody', 'nobody')
        SnmpEngine()


if __name__ == '__main__':
    main(verbosity=2)

@dhilst
Copy link
Author

dhilst commented Jan 14, 2019

I just created a pull request, for this. I move the privileges drop to the end of file, just before starting the server (and opening the ports), is this okay? Is there any tests for validating the rest?

Regards!!!

@dhilst
Copy link
Author

dhilst commented Jan 17, 2019

#55

@dhilst dhilst closed this as completed Jan 17, 2019
@dhilst
Copy link
Author

dhilst commented Jan 19, 2019

Just a little comment,

There is still a little bug at https://github.com/etingof/pysnmp/blob/master/pysnmp/smi/builder.py#L241. If user hasn't permission to read self._srcName folder an PermissionError is raised. Since permission error is an specialization of OSError the flow controls jump to the pointed line, prior assigning p, this leads to p referenced before assignment error.

This would only happen if you pass a user at --process-user that wasn't the user used to install pysnmp. Is just a matter of passing the right user and everything works.

@etingof
Copy link
Owner

etingof commented Jan 19, 2019

Hmm, is not that p variable assigned unconditionally prior to reading the folder?

@dhilst
Copy link
Author

dhilst commented Jan 19, 2019

Yeah you're right, I was using an old revision, sorry!

Regards!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants