From 5bc188e481db3c245772952fa18a0bc60cf1359a Mon Sep 17 00:00:00 2001
From: Hartmut Brandt <harti@FreeBSD.org>
Date: Tue, 10 Jan 2006 12:08:25 +0000
Subject: [PATCH] Disable default write access by not setting the write
 community string.

PR:		91404, 91406
---
 etc/snmpd.config | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/etc/snmpd.config b/etc/snmpd.config
index bc8b02cf1aea..a8c8e0d6fecd 100644
--- a/etc/snmpd.config
+++ b/etc/snmpd.config
@@ -15,6 +15,7 @@ trapport := 162
 
 # Change this!
 read := "public"
+# Uncomment line 42 that sets the community string to enable write access.
 write := "geheim"
 trap := "mytrap"
 
@@ -25,8 +26,20 @@ trap := "mytrap"
 begemotSnmpdDebugDumpPdus	= 2
 begemotSnmpdDebugSyslogPri	= 7
 
+#
+# Set the read and write communities.
+#
+# The default value of the community strings is NULL (note, that this is
+# different from the empty string). This disables both read and write access.
+# To enable read access only the read community string must be set. Setting
+# the write community string enables both read and write access with that
+# string.
+#
+# Be sure to understand the security implications of SNMPv2 - the community
+# strings are readable on the wire!
+#
 begemotSnmpdCommunityString.0.1	= $(read)
-begemotSnmpdCommunityString.0.2	= $(write)
+# begemotSnmpdCommunityString.0.2	= $(write)
 begemotSnmpdCommunityDisable	= 1
 
 # open standard SNMP ports