File net-snmp-5.9.4-add-netgroups-functionality.patch of Package net-snmp

commit d047b54f874f392f97ffce8d51f49729e1c78225
Author: Alexander Bergmann <abergmann@suse.com>
Date:   Fri Mar 10 15:23:35 2023 +0100

    Create sub-function to parse source address and network mask
    
    Function netsnmp_udp_resolve_source was introduced to handle the source
    address and network mask parsing into in_addr structures.

diff --git a/snmplib/transports/snmpUDPDomain.c b/snmplib/transports/snmpUDPDomain.c
index 2724cf2191..3ad33d4bc5 100644
--- a/snmplib/transports/snmpUDPDomain.c
+++ b/snmplib/transports/snmpUDPDomain.c
@@ -98,6 +98,58 @@ netsnmp_udp_fmtaddr(netsnmp_transport *t, const void *data, int len)
     return netsnmp_ipv4_fmtaddr("UDP", t, data, len);
 }
 
+static int
+netsnmp_udp_resolve_source(char *source, struct in_addr *network,
+        struct in_addr *mask)
+{
+    /* Split the source/netmask parts */
+    char *strmask = strchr(source, '/');
+    if (strmask != NULL)
+        /* Mask given. */
+        *strmask++ = '\0';
+
+    /* Try interpreting as a dotted quad. */
+   if (inet_pton(AF_INET, source, network) == 0) {
+        /* Nope, wasn't a dotted quad.  Must be a hostname. */
+        int ret = netsnmp_gethostbyname_v4(source, &(network->s_addr));
+        if (ret < 0) {
+            config_perror("cannot resolve source hostname");
+            return ret;
+        }
+    }
+
+    /* Now work out the mask. */
+    if (strmask == NULL || *strmask == '\0') {
+        /* No mask was given. Assume /32 */
+        mask->s_addr = (in_addr_t)(~0UL);
+    } else {
+        /* Try to interpret mask as a "number of 1 bits". */
+        char* cp;
+        long maskLen = strtol(strmask, &cp, 10);
+        if (*cp == '\0') {
+            if (0 < maskLen && maskLen <= 32)
+                mask->s_addr = htonl((in_addr_t)(~0UL << (32 - maskLen)));
+            else if (maskLen == 0)
+                mask->s_addr = 0;
+            else {
+                config_perror("bad mask length");
+                return -1;
+            }
+        }
+        /* Try to interpret mask as a dotted quad. */
+        else if (inet_pton(AF_INET, strmask, mask) == 0) {
+            config_perror("bad mask");
+            return -1;
+        }
+
+        /* Check that the network and mask are consistent. */
+        if (network->s_addr & ~mask->s_addr) {
+            config_perror("source/mask mismatch");
+            return -1;
+        }
+    }
+    return 0;
+}
 
 #if defined(HAVE_IP_PKTINFO) || (defined(HAVE_IP_RECVDSTADDR) && defined(HAVE_IP_SENDSRCADDR))
 
@@ -375,52 +427,10 @@ netsnmp_udp_parse_security(const char *token, char *param)
             negate = 0;
             sourcep = source;
         }
-
-        /* Split the source/netmask parts */
-        strmask = strchr(sourcep, '/');
-        if (strmask != NULL)
-            /* Mask given. */
-            *strmask++ = '\0';
-
-        /* Try interpreting as a dotted quad. */
-        if (inet_pton(AF_INET, sourcep, &network) == 0) {
-            /* Nope, wasn't a dotted quad.  Must be a hostname. */
-            int ret = netsnmp_gethostbyname_v4(sourcep, &network.s_addr);
-            if (ret < 0) {
-                config_perror("cannot resolve IPv4 source hostname");
-                return;
-            }
-        }
-
-        /* Now work out the mask. */
-        if (strmask == NULL || *strmask == '\0') {
-            /* No mask was given. Assume /32 */
-            mask.s_addr = (in_addr_t)(~0UL);
-        } else {
-            /* Try to interpret mask as a "number of 1 bits". */
-            char* cp;
-            long maskLen = strtol(strmask, &cp, 10);
-            if (*cp == '\0') {
-                if (0 < maskLen && maskLen <= 32)
-                    mask.s_addr = htonl((in_addr_t)(~0UL << (32 - maskLen)));
-                else if (0 == maskLen)
-                    mask.s_addr = 0;
-                else {
-                    config_perror("bad mask length");
-                    return;
-                }
-            }
-            /* Try to interpret mask as a dotted quad. */
-            else if (inet_pton(AF_INET, strmask, &mask) == 0) {
-                config_perror("bad mask");
-                return;
-            }
-
-            /* Check that the network and mask are consistent. */
-            if (network.s_addr & ~mask.s_addr) {
-                config_perror("source/mask mismatch");
-                return;
-            }
+        /* Parse source address and network mask. */
+        if(netsnmp_udp_resolve_source(sourcep, &network, &mask)) {
+            config_perror("source address/network mask parsing issue");
+            return;
         }
     }
 
commit a2559914d8d8132f155a81c0852cbbd2090d2d40
Author: Alexander Bergmann <abergmann@suse.com>
Date:   Fri Mar 10 15:25:10 2023 +0100

    Create sub-function to check the com2SecEntry_create return code
    
    The return code interpretation of the netsnmp_udp_com2SecEntry_create
    function is now done inside a new sub-function.

diff --git a/snmplib/transports/snmpUDPDomain.c b/snmplib/transports/snmpUDPDomain.c
index 3ad33d4bc5..5904a1b423 100644
--- a/snmplib/transports/snmpUDPDomain.c
+++ b/snmplib/transports/snmpUDPDomain.c
@@ -346,6 +346,33 @@ netsnmp_udp_com2SecEntry_create(com2SecEntry **entryp, const char *community,
     return C2SE_ERR_SUCCESS;
 }
 
+void
+netsnmp_udp_com2SecEntry_check_return_code(int rc)
+{
+    /*
+     * Check return code of the newly created com2Sec entry.
+     */
+    switch(rc) {
+        case C2SE_ERR_SUCCESS:
+            break;
+        case C2SE_ERR_CONTEXT_TOO_LONG:
+            config_perror("context name too long");
+            break;
+        case C2SE_ERR_COMMUNITY_TOO_LONG:
+            config_perror("community name too long");
+            break;
+        case C2SE_ERR_SECNAME_TOO_LONG:
+            config_perror("security name too long");
+            break;
+        case C2SE_ERR_MASK_MISMATCH:
+            config_perror("source/mask mismatch");
+            break;
+        case C2SE_ERR_MISSING_ARG:
+        default:
+            config_perror("unexpected error; could not create com2SecEntry");
+    }
+}
+
 void
 netsnmp_udp_parse_security(const char *token, char *param)
 {
@@ -440,25 +467,7 @@ netsnmp_udp_parse_security(const char *token, char *param)
      */
     rc = netsnmp_udp_com2SecEntry_create(NULL, community, secName, contextName,
                                          &network, &mask, negate);
-    switch(rc) {
-        case C2SE_ERR_SUCCESS:
-            break;
-        case C2SE_ERR_CONTEXT_TOO_LONG:
-            config_perror("context name too long");
-            break;
-        case C2SE_ERR_COMMUNITY_TOO_LONG:
-            config_perror("community name too long");
-            break;
-        case C2SE_ERR_SECNAME_TOO_LONG:
-            config_perror("security name too long");
-            break;
-        case C2SE_ERR_MASK_MISMATCH:
-            config_perror("source/mask mismatch");
-            break;
-        case C2SE_ERR_MISSING_ARG:
-        default:
-            config_perror("unexpected error; could not create com2SecEntry");
-    }
+    netsnmp_udp_com2SecEntry_check_return_code(rc);
 }
 
 void
commit 20e2bb7d75c391f5cfde1eb8b8676aff68f3a5f5
Author: Alexander Bergmann <abergmann@suse.com>
Date:   Fri Mar 10 15:31:41 2023 +0100

    Add '@' netgroup functionality
    
    Allow access control via netgroups defined in /etc/netgroup or NIS/LDAP
    via the '@' sign inside the configuration file. Same as IP addresses and
    host names.

diff --git a/configure b/configure
index 575b60c4d2..82414664cf 100755
--- a/configure
+++ b/configure
@@ -31221,6 +31221,12 @@ if test "x$ac_cv_func_closedir" = xyes
 then :
   printf "%s\n" "#define HAVE_CLOSEDIR 1" >>confdefs.h
 
+fi
+ac_fn_c_check_func "$LINENO" "endnetgrent" "ac_cv_func_endnetgrent"
+if test "x$ac_cv_func_endnetgrent" = xyes
+then :
+  printf "%s\n" "#define HAVE_ENDNETGRENT 1" >>confdefs.h
+
 fi
 ac_fn_c_check_func "$LINENO" "fgetc_unlocked" "ac_cv_func_fgetc_unlocked"
 if test "x$ac_cv_func_fgetc_unlocked" = xyes
@@ -31257,6 +31263,12 @@ if test "x$ac_cv_func_getlogin" = xyes
 then :
   printf "%s\n" "#define HAVE_GETLOGIN 1" >>confdefs.h
 
+fi
+ac_fn_c_check_func "$LINENO" "getnetgrent" "ac_cv_func_getnetgrent"
+if test "x$ac_cv_func_getnetgrent" = xyes
+then :
+  printf "%s\n" "#define HAVE_GETNETGRENT 1" >>confdefs.h
+
 fi
 ac_fn_c_check_func "$LINENO" "if_nametoindex" "ac_cv_func_if_nametoindex"
 if test "x$ac_cv_func_if_nametoindex" = xyes
@@ -31305,6 +31317,12 @@ if test "x$ac_cv_func_setlocale" = xyes
 then :
   printf "%s\n" "#define HAVE_SETLOCALE 1" >>confdefs.h
 
+fi
+ac_fn_c_check_func "$LINENO" "setnetgrent" "ac_cv_func_setnetgrent"
+if test "x$ac_cv_func_setnetgrent" = xyes
+then :
+  printf "%s\n" "#define HAVE_SETNETGRENT 1" >>confdefs.h
+
 fi
 ac_fn_c_check_func "$LINENO" "setsid" "ac_cv_func_setsid"
 if test "x$ac_cv_func_setsid" = xyes
diff --git a/configure.d/config_os_functions b/configure.d/config_os_functions
index b921f8cd7b..0915928e21 100644
--- a/configure.d/config_os_functions
+++ b/configure.d/config_os_functions
@@ -25,12 +25,14 @@ AC_TYPE_SIGNAL
 AC_CHECK_FUNCS([rand   random srand srandom lrand48 srand48])
 
 #  Library:
-AC_CHECK_FUNCS([asprintf        closedir        fgetc_unlocked   ] dnl
+AC_CHECK_FUNCS([asprintf        closedir        endnetgrent      ] dnl
+               [fgetc_unlocked                                   ] dnl
                [flockfile       funlockfile     getipnodebyname  ] dnl
-               [gettimeofday    getlogin                         ] dnl
+               [gettimeofday    getlogin        getnetgrent      ] dnl
                [if_nametoindex  mkstemp                          ] dnl
                [opendir         readdir         regcomp          ] dnl
                [setenv          setitimer       setlocale        ] dnl
+               [setnetgrent                                      ] dnl
                [setsid          snprintf        strcasestr       ] dnl
                [strdup          strerror        strncasecmp      ] dnl
                [sysconf         times           vsnprintf        ] )
diff --git a/include/net-snmp/net-snmp-config.h.in b/include/net-snmp/net-snmp-config.h.in
index 89b2ca116d..5efbf12400 100644
--- a/include/net-snmp/net-snmp-config.h.in
+++ b/include/net-snmp/net-snmp-config.h.in
@@ -183,6 +183,9 @@
 /* Define to 1 if you have the `endfsent' function. */
 #undef HAVE_ENDFSENT
 
+/* Define to 1 if you have the `endnetgrent' function. */
+#undef HAVE_ENDNETGRENT
+
 /* Define to 1 if you have the `ERR_get_error_all' function. */
 #undef HAVE_ERR_GET_ERROR_ALL
 
@@ -294,6 +297,9 @@
 /* Define to 1 if you have the `getmntinfo' function. */
 #undef HAVE_GETMNTINFO
 
+/* Define to 1 if you have the `getnetgrent' function. */
+#undef HAVE_GETNETGRENT
+
 /* Define to 1 if you have the `getopt' function. */
 #undef HAVE_GETOPT
 
@@ -883,6 +889,9 @@
 /* Define to 1 if you have the `setmntent' function. */
 #undef HAVE_SETMNTENT
 
+/* Define to 1 if you have the `setnetgrent' function. */
+#undef HAVE_SETNETGRENT
+
 /* Define to 1 if you have the `setsid' function. */
 #undef HAVE_SETSID
 
diff --git a/man/snmpd.conf.5.def b/man/snmpd.conf.5.def
index 2a9abd5b51..6060ed51d1 100644
--- a/man/snmpd.conf.5.def
+++ b/man/snmpd.conf.5.def
@@ -434,6 +434,14 @@ com2sec sec1 10.0.0.0/8 public
 .IP
 Access from outside of 10.0.0.0/8 would still be denied.
 .IP
+It is also possible to reference a specific \fInetgroup\fR starting with an
+'@' character (e.g.  @adminhosts). The \fInetgroup\fR lookup is running
+through the NSS (Name Services Switch) making it possible to define the
+group locally or via NIS/LDAP.
+.IP
+Note: The hostname DNS lookup and \fInetgroup\fR resolution is done only
+during snmpd start or reload.
+.IP
 The same community string can be specified in several separate directives
 (presumably with different source tokens), and the first source/community
 combination that matches the incoming request will be selected.
diff --git a/snmplib/transports/snmpUDPDomain.c b/snmplib/transports/snmpUDPDomain.c
index 5904a1b423..8f98398704 100644
--- a/snmplib/transports/snmpUDPDomain.c
+++ b/snmplib/transports/snmpUDPDomain.c
@@ -445,6 +445,10 @@ netsnmp_udp_parse_security(const char *token, char *param)
         network.s_addr = 0;
         mask.s_addr = 0;
         negate = 0;
+        /* Create a new com2Sec entry. */
+        rc = netsnmp_udp_com2SecEntry_create(NULL, community, secName, contextName,
+                                             &network, &mask, negate);
+        netsnmp_udp_com2SecEntry_check_return_code(rc);
     } else {
         char *strmask;
         if (*source == '!') {
@@ -454,20 +458,44 @@ netsnmp_udp_parse_security(const char *token, char *param)
             negate = 0;
             sourcep = source;
         }
-        /* Parse source address and network mask. */
-        if(netsnmp_udp_resolve_source(sourcep, &network, &mask)) {
-            config_perror("source address/network mask parsing issue");
-            return;
+#if HAVE_ENDNETGRENT && HAVE_GETNETGRENT && HAVE_SETNETGRENT
+        /* Interpret as netgroup */
+        if (*sourcep == '@') {
+            char *netgroup = sourcep+1;
+            char *host, *user, *domain;
+            if(setnetgrent(netgroup)) {
+                while (getnetgrent(&host, &user, &domain)) {
+                    /* Parse source address and network mask for each netgroup host. */
+                    if (netsnmp_udp_resolve_source(host, &network, &mask) == 0) {
+                        /* Create a new com2Sec entry. */
+                        rc = netsnmp_udp_com2SecEntry_create(NULL, community, secName, contextName,
+                                                             &network, &mask, negate);
+                        netsnmp_udp_com2SecEntry_check_return_code(rc);
+                    } else {
+                        config_perror("netgroup host address parsing issue");
+                        break;
+                    }
+                }
+                endnetgrent();
+            } else {
+                config_perror("netgroup could not be found");
+            }
+        }
+        /* Without '@' it has to be an address or hostname */
+        else
+#endif
+        {
+            /* Parse source address and network mask. */
+            if(netsnmp_udp_resolve_source(sourcep, &network, &mask) == 0) {
+                /* Create a new com2Sec entry. */
+                rc = netsnmp_udp_com2SecEntry_create(NULL, community, secName, contextName,
+                                                     &network, &mask, negate);
+                netsnmp_udp_com2SecEntry_check_return_code(rc);
+            } else {
+                config_perror("source address/network mask parsing issue");
+            }
         }
     }
-
-    /*
-     * Everything is okay.  Copy the parameters to the structure allocated
-     * above and add it to END of the list.
-     */
-    rc = netsnmp_udp_com2SecEntry_create(NULL, community, secName, contextName,
-                                         &network, &mask, negate);
-    netsnmp_udp_com2SecEntry_check_return_code(rc);
 }
 
 void
openSUSE Build Service is sponsored by