Use capabilities for enabling SNMP trap collection

ntop · Sep 3, 2024 · 4d80bb1 · 4d80bb1
1 parent a3261ed
commit 4d80bb1
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 18 deletions.
diff --git a/src/Ntop.cpp b/src/Ntop.cpp
@@ -1080,26 +1080,39 @@ void Ntop::loadMacManufacturers(char *dir) {
 /* ******************************************* */
 
 #ifdef HAVE_SNMP_TRAP
-/* Note: this is always called on init as socket should be created before changing user */
 void Ntop::initSNMPTrapCollector() {
+  if (trap_collector != NULL) return; /* already initialized */
+
+  ntop->getTrace()->traceEvent(TRACE_NORMAL, "Initializing SNMP Trap collector");
+
+#if !defined(__APPLE__) && !defined(__FreeBSD__) && !defined(WIN32) && \
+    !defined(HAVE_NEDGE)
+  if (Utils::gainWriteCapabilities() == -1)
+    ntop->getTrace()->traceEvent(TRACE_ERROR,
+                                 "Unable to enable capabilities");
+#endif
+
   try {
     trap_collector = new SNMPTrap();
   } catch(...) {
-    /* Likely running tests on pcaps or no privileges (avoid level=error as it breaks regression tests) */
-    ntop->getTrace()->traceEvent(TRACE_INFO, "Support for SNMP traps is disabled (requires privileges)");
+    ntop->getTrace()->traceEvent(TRACE_ERROR, "Unable to initialize SNMP traps collector");
   }
 
-  if (!trap_collector)
-    return;
-
-  if (ntop->getPrefs()->isSNMPTrapEnabled())
-    trap_collector->startTrapCollection();
+#if !defined(__APPLE__) && !defined(__FreeBSD__) && !defined(WIN32) && \
+    !defined(HAVE_NEDGE)
+  Utils::dropWriteCapabilities();
+#endif
 }
 
 /* ******************************************* */
 
 void Ntop::toggleSNMPTrapCollector(bool enable) {
-  if (!trap_collector) return;
+  if (trap_collector == NULL) {
+    initSNMPTrapCollector();
+
+    if (trap_collector == NULL)
+      return;
+  }
 
   if (enable) {
     trap_collector->startTrapCollection();

diff --git a/src/Utils.cpp b/src/Utils.cpp
@@ -29,7 +29,7 @@
 #include <ifaddrs.h>
 #endif
 
-// #define TRACE_CEPABILITIES
+// #define TRACE_CAPABILITIES
 
 static const char *hex_chars = "0123456789ABCDEF";
 
@@ -126,10 +126,10 @@ typedef struct {
 #include <sys/prctl.h>
 
 static cap_value_t cap_values[] = {
-    CAP_DAC_OVERRIDE, /* Bypass file read, write, and execute permission checks
-                       */
-    CAP_NET_ADMIN,    /* Perform various network-related operations */
-    CAP_NET_RAW       /* Use RAW and PACKET sockets */
+  CAP_DAC_OVERRIDE,    /* Bypass file read, write, and execute permission checks */
+  CAP_NET_ADMIN,       /* Perform various network-related operations */
+  CAP_NET_RAW,         /* Use RAW and PACKET sockets */
+  CAP_NET_BIND_SERVICE /* Listen on non-privileges ports (e.g. UDP 162 for traps) */
 };
 
 int num_cap = sizeof(cap_values) / sizeof(cap_value_t);
@@ -3912,7 +3912,7 @@ int Utils::retainWriteCapabilities() {
 
   rc = cap_set_proc(caps);
   if (rc == 0) {
-#ifdef TRACE_CEPABILITIES
+#ifdef TRACE_CAPABILITIES
     ntop->getTrace()->traceEvent(
         TRACE_NORMAL, "[CAPABILITIES] INITIAL SETUP [%s][num_cap: %u]",
         cap_to_text(caps, NULL), num_cap);
@@ -3970,7 +3970,7 @@ static int _setWriteCapabilities(int enable) {
 
   caps = cap_get_proc();
   if (caps) {
-#ifdef TRACE_CEPABILITIES
+#ifdef TRACE_CAPABILITIES
     ntop->getTrace()->traceEvent(TRACE_NORMAL,
                                  "[CAPABILITIES] BEFORE [enable: %u][%s]",
                                  enable, cap_to_text(caps, NULL));
@@ -3986,7 +3986,7 @@ static int _setWriteCapabilities(int enable) {
       ntop->getTrace()->traceEvent(TRACE_WARNING, "Capabilities cap_set_proc error: %s [enable: %u]",
 				   strerror(errno), enable);
     else {
-#ifdef TRACE_CEPABILITIES
+#ifdef TRACE_CAPABILITIES
       ntop->getTrace()->traceEvent(TRACE_NORMAL,
                                    "[CAPABILITIES] Capabilities %s [rc: %d]",
                                    enable ? "ENABLE" : "DISABLE", rc);

diff --git a/src/main.cpp b/src/main.cpp
@@ -391,7 +391,8 @@ int main(int argc, char *argv[])
   ntop->loadMacManufacturers(prefs->get_docs_dir());
   ntop->loadTrackers();
 #ifdef HAVE_SNMP_TRAP
-  ntop->initSNMPTrapCollector();
+  if (prefs->isSNMPTrapEnabled())
+    ntop->toggleSNMPTrapCollector(true);
 #endif
 
   /* Register the HTTP server before dropping the privileges. This is required