Disable default write access by not setting the write community string.

PR:		91404, 91406

1 files changed, 14 insertions, 1 deletions

diff --git a/etc/snmpd.config b/etc/snmpd.config
index bc8b02c..a8c8e0d 100644
--- a/etc/snmpd.config
+++ b/etc/snmpd.config
@@ -15,6 +15,7 @@ trapport := 162
 
 # Change this!
 read := "public"
+# Uncomment line 42 that sets the community string to enable write access.
 write := "geheim"
 trap := "mytrap"
 
@@ -25,8 +26,20 @@ trap := "mytrap"
 begemotSnmpdDebugDumpPdus	= 2
 begemotSnmpdDebugSyslogPri	= 7
 
+#
+# Set the read and write communities.
+#
+# The default value of the community strings is NULL (note, that this is
+# different from the empty string). This disables both read and write access.
+# To enable read access only the read community string must be set. Setting
+# the write community string enables both read and write access with that
+# string.
+#
+# Be sure to understand the security implications of SNMPv2 - the community
+# strings are readable on the wire!
+#
 begemotSnmpdCommunityString.0.1	= $(read)
-begemotSnmpdCommunityString.0.2	= $(write)
+# begemotSnmpdCommunityString.0.2	= $(write)
 begemotSnmpdCommunityDisable	= 1
 
 # open standard SNMP ports