Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Start shell issue

     
    Posted 10-27-2017 01:12

    Hi,

    Compared to my last problem, this one should be a very simple one to resolve (I hope).....

    From a security perspective, no matter if Juniper or any other system, the following should always be adhered to:

    Create new Root password (only by one person). Ensure the password is difficult to guess. Write the password down and seal in envelope. Mark on envelope the system and lock away in firesafe. Create users that have super user access. This rule is a must for any company wishing to achieve 27001 or other security certificates.

    So, here is my problem. I want to upgrade all of our MX240s to 15.1R6. This is currently on a USB stick. I drop to shell, I check the /dev/da* directory, then I insert the USB stick, check it again to get the mount point. Now, I want to, for example, complete the following:

    mount_msdosfs /dev/da2s1 /var/tmp/usb

    And I then get "No permission to complete command" or words to that effect.

    So, my question is:

    Without logging on as root, how can I configure this so a super user can complete a mount of a USB stick?



  • 2.  RE: Start shell issue

    Posted 10-27-2017 02:04

    Not sure if I fully understand your question.

    You can go to shell and type su

    It will ask for root authentication password. Type in the root password and you can run all the root privileged commands from any other user account.

    HTH



  • 3.  RE: Start shell issue

     
    Posted 10-27-2017 09:25

    Sorry, let me re-word the question.... by the way, the answer you gave me is what I was trying to state initially:-

     

    The whole point of security points like "NOT HAVING ACCES TO THE ROOT PASSWORD" is to stop the usage of it. So, what you are telling me (which I knew) goes against ISO27001 and various other security standards..... 

     

    Surely Juniper should be able to allow certain commands like a mount USB to be completed by a super user......

     

    Anyway, thank you  🙂



  • 4.  RE: Start shell issue
    Best Answer

    Posted 10-28-2017 01:47

    I don't think you can mount USB without root access.



  • 5.  RE: Start shell issue

     
    Posted 10-30-2017 01:44

    Thank you all for your answers.... much appreciated.

     

    Singhh --- That's my point. It goes against all security established requirements. 

     

    Thank you all



  • 6.  RE: Start shell issue

    Posted 10-27-2017 11:14

    Hi,

    I think if you use USB image, the router will reboot by default from USB. No need to mount it. Is it not working in your case?



  • 7.  RE: Start shell issue

    Posted 10-27-2017 19:09

    For a non-root user the prompt is not typically the FreeBSD shell and is instead the CLI. Although if they have sufficient permissions then those users can switch to the shell via the "start shell", "start shell sh" or "start shell csh" commands etc., although "sh" is really "bash".

    You could also make a user default to "sh" or "csh" by setting the hidden configuration knob:

    system {
        login {
            class shell-user {
                permissions [all shell];
            }
            user mil {
                class shell-user;
                shell sh;
                authentication {
                    encrypted-password "awesome"; ## SECRET-DATA
                }
            }
        }
    }

    E.g.

    login as: mil
    Using keyboard-interactive authentication.
    Password:
    --- JUNOS 12.1X46-D40.2 built 2017-10-28 7.25 IST
    $ ps -p $$
    PID TT STAT TIME COMMAND
    19658 p2 Ss 0:00.09 -sh (sh)
    $ cli
    ****************************************************

    Accept it as solution if it resolved your issue.

    Kudos would be appreciated too.
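As an added example (not code from the post above or from Juniper): the login stanza in the reply is exactly what an auditor wants to inventory, because any user whose class carries the `shell` permission (or `all`, which the predefined super-user class has) can drop to the FreeBSD shell, and a user with a `shell sh;` knob lands there directly at login. The Python script below parses the curly-brace configuration text, resolves each local user's class, and lists which users can reach the shell and what they land in. The sample configuration is constructed: the `shell-user` class and user `mil` come from the post, while the `ops-only` class and users `noc` and `admin` are hypothetical additions so the audit has both positive and negative cases.

```python
import re
from typing import Dict, List, Tuple, Union

Node = Dict[str, Union["Node", List[str]]]

# Constructed sample: "shell-user" and user "mil" are from the post; the
# "ops-only" class and users "noc" and "admin" are hypothetical additions.
SAMPLE_CONFIG = """\
system {
    login {
        class shell-user {
            permissions [ all shell ];
        }
        class ops-only {
            permissions [ view view-configuration ];
        }
        user mil {
            class shell-user;
            shell sh;
            authentication {
                encrypted-password "awesome"; ## SECRET-DATA
            }
        }
        user noc {
            class ops-only;
            authentication {
                encrypted-password "placeholder-hash"; ## SECRET-DATA
            }
        }
        user admin {
            class super-user;
            authentication {
                encrypted-password "placeholder-hash"; ## SECRET-DATA
            }
        }
    }
}
"""

# Predefined Junos login classes whose permissions include shell access
# ("super-user" has permissions all); they never appear as class stanzas.
PREDEFINED_SHELL_CLASSES = {"super-user"}

TOKEN_RE = re.compile(r'\{|\}|;|\[|\]|"[^"]*"|[^\s{};\[\]]+')


def tokenize(text: str) -> List[str]:
    """Split curly-brace config text into tokens, dropping ## annotations."""
    cleaned = re.sub(r"##.*", "", text)
    return TOKEN_RE.findall(cleaned)


def parse_block(tokens: List[str], i: int = 0) -> Tuple[Node, int]:
    """Recursively parse tokens into nested dicts.

    `user mil { ... }` becomes key "user mil" -> dict; a leaf statement such as
    `permissions [ all shell ];` becomes key "permissions" -> ["all", "shell"].
    Returns the node and the token index just after its closing brace.
    """
    node: Node = {}
    words: List[str] = []
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok == "{":
            child, i = parse_block(tokens, i)
            node[" ".join(words)] = child
            words = []
        elif tok == "}":
            return node, i
        elif tok == ";":
            if words:
                node[words[0]] = words[1:]
            words = []
        elif tok in ("[", "]"):
            continue  # brackets only delimit value lists
        else:
            words.append(tok)
    return node, i


def shell_capable_users(config_text: str) -> List[Tuple[str, str, str]]:
    """Return sorted (user, class, login-shell) for users able to reach the shell."""
    tree, _ = parse_block(tokenize(config_text))
    login = tree.get("system", {}).get("login", {})
    shell_classes = set(PREDEFINED_SHELL_CLASSES)
    for key, body in login.items():
        if key.startswith("class ") and isinstance(body, dict):
            perms = set(body.get("permissions", []))
            # "shell" allows start shell; "all" includes every permission
            if perms & {"shell", "all"}:
                shell_classes.add(key.split(" ", 1)[1])
    findings = []
    for key, body in login.items():
        if key.startswith("user ") and isinstance(body, dict):
            cls = body.get("class", [""])[0]
            if cls in shell_classes:
                login_shell = body.get("shell", ["cli"])[0]  # default is the CLI
                findings.append((key.split(" ", 1)[1], cls, login_shell))
    return sorted(findings)


if __name__ == "__main__":
    for user, cls, login_shell in shell_capable_users(SAMPLE_CONFIG):
        print(f"{user:<10} class={cls:<12} lands in: {login_shell}")
```

Feed the script the output of `show configuration system login` saved to a file and review anything it lists: a user that lands directly in `sh` bypasses the CLI accounting that a `start shell` command would otherwise leave in the audit trail.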