etingof / snmpsim

SNMP Simulator
http://snmplabs.com/snmpsim/
BSD 2-Clause "Simplified" License

snmpsim import error while running with root #53

Closed dhilst closed 5 years ago

dhilst commented 5 years ago

Hi

I'm trying to use snmpsim to simulate responses from a switch. I need to open port 161 to get the management end fooled by snmpsim. I ran it as a normal user without problems, but when I ran it as root it gives me an error.

(snmpsim-env) [root@management ~]# snmpsimd.py --data-dir ./data --agent-udpv4-endpoint=192.168.123.2:1611 --process-user=nobody --process-group=nobody
Scanning "/root/.snmpsim/variation" directory for variation modules...
Directory "/root/.snmpsim/variation" does not exist
Scanning "/root/snmpsim-env/snmpsim/variation" directory for variation modules...
Directory "/root/snmpsim-env/snmpsim/variation" does not exist
Scanning "/root/snmpsim-env/share/snmpsim/variation" directory for variation modules...
Directory "/root/snmpsim-env/share/snmpsim/variation" does not exist
Scanning "/root/snmpsim-env/lib/python2.7/site-packages/snmpsim/variation" directory for variation modules...
Directory "/root/snmpsim-env/lib/python2.7/site-packages/snmpsim/variation" does not exist
ERROR: SNMPv3 Engine initialization failed, EngineID "auto": local variable 'p' referenced before assignment
(snmpsim-env) [root@management ~]#

Regards

dhilst commented 5 years ago

I tried to run this on Fedora with Python 3 and 2, and on CentOS 7 with Python 2. On both distros it works with a normal user but doesn't with root. The nobody group is present on both systems.

Here is pip freeze

(snmpsim-env) [root@management ~]# pip freeze
ply==3.11
pyasn1==0.4.5
pycryptodomex==3.7.2
pysmi==0.3.3
pysnmp==4.4.8
snmpsim==0.4.5

etingof commented 5 years ago

I can't reproduce this issue so far. Is there any traceback revealing the line number? Or maybe you could run snmpsimd with --debug all in the hope that this will give us more hints on where exactly it fails?

dhilst commented 5 years ago

I can get a stack trace for you. I tracked it down to pysnmp; an import error happens at ZipMibBuider or something like this. I'll send it to you tonight! (I'm not at home now)

dhilst commented 5 years ago

ImportError here https://github.com/etingof/pysnmp/blob/master/pysnmp/smi/builder.py#L161 and then it follows to https://github.com/etingof/pysnmp/blob/master/pysnmp/smi/builder.py#L229 where listdir fails before p is assigned, and p is referred to here: https://github.com/etingof/pysnmp/blob/master/pysnmp/smi/builder.py#L239

I was trying to get something similar with a normal user, but it seems to take a totally different path. I noticed that ZipMibSource was never invoked with the normal user. The same breakpoints aren't reached. What I could see is that with root it enters at https://github.com/etingof/snmpsim/blob/master/scripts/snmpsimd.py#L1200 where the normal user doesn't. Could it be something in my environment? I have a VM that is triggering this behavior; I can share it with you.

dhilst commented 5 years ago

Here it is:

(snmpsim) [root@localhost ~]# snmpsimd.py --data-dir ./data --agent-udpv4-endpoint=192.168.123.1:1611 --process-user=nobody --process-group=nobody
Scanning "/root/.snmpsim/variation" directory for variation modules...
Directory "/root/.snmpsim/variation" does not exist
Scanning "/root/snmpsim/snmpsim/variation" directory for variation modules...
Directory "/root/snmpsim/snmpsim/variation" does not exist
Scanning "/root/snmpsim/share/snmpsim/variation" directory for variation modules...
Directory "/root/snmpsim/share/snmpsim/variation" does not exist
Scanning "/root/snmpsim/lib64/python3.6/site-packages/snmpsim/variation" directory for variation modules...
Directory "/root/snmpsim/lib64/python3.6/site-packages/snmpsim/variation" does not exist
> /root/snmpsim/lib64/python3.6/site-packages/pysnmp/smi/builder.py(240)_getData()
(Pdb) bt
  /root/snmpsim/bin/snmpsimd.py(1363)<module>()
  /root/snmpsim/lib64/python3.6/site-packages/pysnmp/entity/engine.py(63)__init__()
  /root/snmpsim/lib64/python3.6/site-packages/pysnmp/proto/rfc3412.py(32)__init__()
  /root/snmpsim/lib64/python3.6/site-packages/pysnmp/smi/builder.py(381)loadModules()
  /root/snmpsim/lib64/python3.6/site-packages/pysnmp/smi/builder.py(321)loadModule()
  /root/snmpsim/lib64/python3.6/site-packages/pysnmp/smi/builder.py(81)read()
> /root/snmpsim/lib64/python3.6/site-packages/pysnmp/smi/builder.py(240)_getData()
(Pdb) why
PermissionError(13, 'Permission denied')
(Pdb) 

dhilst commented 5 years ago

This may be useful too:

(Pdb) self._srcName
'pysnmp.smi.mibs'
(Pdb) 

etingof commented 5 years ago

Thank you for the thorough report! This reminds me that we've had a similar problem in OpenStack...

Commit https://github.com/etingof/pysnmp/commit/fd7f6a77764a32608d35d36f7b7b4a638c536b14 in the release-4.4.9 branch should have fixed this problem.

I wonder if you could give it a try before I make a release?

dhilst commented 5 years ago

For sure! I will ask you for some patience since my Fedora died at the last update. I still have the VMs; as soon as I have my desk up to date I will check it out for you. Regards!

etingof commented 5 years ago

No worries, take your time!

dhilst commented 5 years ago

I have another problem right now, the release-4.4.9. dropPrivileges('nobody', 'nobody') breaks SnmpEngine()

(snmpsim-env) [root@localhost ~]# python
Python 3.7.2 (default, Jan  3 2019, 09:14:01) 
[GCC 8.2.1 20181215 (Red Hat 8.2.1-6)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pysnmp.entity.engine import SnmpEngine
>>> from snmpsim.daemon import dropPrivileges
>>> 
>>> SnmpEngine()
SnmpEngine(snmpEngineID=<SnmpEngineID value object at 0x7fd6ac757198 tagSet <TagSet object at 0x7fd6af2dcc88 tags 0:0:4> subtypeSpec <ConstraintsIntersection object at 0x7fd6ac757358 consts <ValueSizeConstraint object at 0x7fd6af2b8080 consts 0, 65535>, <ValueSizeConstraint object at 0x7fd6ac757320 consts 5, 32>> encoding iso-8859-1 payload [0x80004fb8056c6f...63616c6413be2f88]>)
>>> 
>>> 
>>> dropPrivileges('nobody', 'nobody')
>>> SnmpEngine()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/root/snmpsim-env/lib64/python3.7/site-packages/pysnmp/entity/engine.py", line 91, in __init__
  File "/root/snmpsim-env/lib64/python3.7/site-packages/pysnmp/smi/builder.py", line 426, in importSymbols
pysnmp.smi.error.MibNotFoundError: No module __SNMP-FRAMEWORK-MIB loaded at <pysnmp.smi.builder.MibBuilder object at 0x7fd6ac770be0>
>>> 

dhilst commented 5 years ago

This is a better way of running the test:

from unittest import TestCase, main

from snmpsim.daemon import dropPrivileges
from pysnmp.entity.engine import SnmpEngine

class DropPrivileges(TestCase):
    def test_dropPrivileges(self):
        'SnmpEngine should work after dropping privileges' 
        dropPrivileges('nobody', 'nobody')
        SnmpEngine()

if __name__ == '__main__':
    main(verbosity=2)

dhilst commented 5 years ago

I just created a pull request for this. I moved the privilege drop to the end of the file, just before starting the server (and opening the ports); is this okay? Are there any tests for validating the rest?

Regards!!!

dhilst commented 5 years ago

55

dhilst commented 5 years ago

Just a little comment,

There is still a little bug at https://github.com/etingof/pysnmp/blob/master/pysnmp/smi/builder.py#L241. If the user doesn't have permission to read the self._srcName folder, a PermissionError is raised. Since PermissionError is a specialization of OSError, the control flow jumps to the pointed line prior to assigning p; this leads to the "p referenced before assignment" error.

This would only happen if you pass a user at --process-user that wasn't the user used to install pysnmp. It's just a matter of passing the right user and everything works.
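
A pre-flight check for the failure discussed in this thread, as an added example that is not part of the original comments nor of snmpsim or pysnmp: before dropping to the `--process-user` account, list which directories on the way to the MIB folder that account cannot pass (here, a virtualenv under a 0700 home such as `/root`). The function names and the demo tree are hypothetical and constructed; only classic mode bits are evaluated.

```python
import os
import tempfile


def blocked_components(path, uid, gids):
    """List the components of `path`, root first, that uid/gids cannot pass.

    Ancestors need search (x); the final directory needs read+search (r-x),
    which is what os.listdir() requires. Only owner/group/other mode bits
    are evaluated; ACLs, capabilities and SELinux are not considered.
    """
    if uid == 0:  # root bypasses discretionary permission checks
        return []
    path = os.path.realpath(path)
    chain = [path]
    while os.path.dirname(chain[-1]) != chain[-1]:
        chain.append(os.path.dirname(chain[-1]))
    blocked = []
    for comp in reversed(chain):
        st = os.stat(comp)
        if uid == st.st_uid:
            bits = (st.st_mode >> 6) & 0o7   # owner class
        elif st.st_gid in gids:
            bits = (st.st_mode >> 3) & 0o7   # group class
        else:
            bits = st.st_mode & 0o7          # other class
        need = 0o5 if comp == path else 0o1
        if bits & need != need:
            blocked.append(comp)
    return blocked


def build_demo_tree():
    """Constructed sample: a 0700 'home' (like /root) above a 0755 MIB dir."""
    base = os.path.realpath(tempfile.mkdtemp())
    home = os.path.join(base, "home")
    mibs = os.path.join(home, "site-packages", "mibs")
    os.makedirs(mibs)
    for d in (base, os.path.dirname(mibs), mibs):
        os.chmod(d, 0o755)
    os.chmod(home, 0o700)
    return home, mibs


if __name__ == "__main__":
    home, mibs = build_demo_tree()
    owner = os.stat(home)
    # Constructed unprivileged identity: neither the owner nor in its group
    print(blocked_components(mibs, owner.st_uid + 1, [owner.st_gid + 1]))
```

In a real deployment the uid and gids would come from `pwd.getpwnam()` and `os.getgrouplist()` for the account passed to `--process-user`, and the path would be the installed `pysnmp/smi/mibs` directory.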

etingof commented 5 years ago

Hmm, is not that p variable assigned unconditionally prior to reading the folder?

dhilst commented 5 years ago

Yeah you're right, I was using an old revision, sorry!

Regards!