SRX

  • 1.  SRX 240H login class permissions

    Posted 05-04-2011 01:53

    Hello everyone,

     

    Last evening I was looking to set up an RO account for a friend of mine.

    After creating the account I obviously tested it and I realised that when logging in I get into operational mode, as expected, but if I do a simple "?" I see I have access to commands like "clear", "file", "load", "request", "save" and "set" along with the desired "show".

     

    I was wondering if it was normal behavior that an RO account could run a "request wlan restart ap".

    I would have expected the RO class to permit only show commands...

     

    Can anyone give me some insight into this behavior of the class "read-only"?

     

    Cheers

    Andy



  • 2.  RE: SRX 240H login class permissions

    Posted 05-04-2011 08:38

    Did you try actually running any of those commands? They may just be displayed in the context help, but an RO account shouldn't be able to execute them.



  • 3.  RE: SRX 240H login class permissions

    Posted 05-04-2011 09:11

    Last night it accepted the "request reload wlan" command and gave no error message back, though I am not sure it accomplished it.

    I will double-check it tonight by trying this command from a laptop and see if I cut my own access 🙂

    I'll post the results later

     

    Thanks for making me think of an interesting way to test it 😛



  • 4.  RE: SRX 240H login class permissions

    Posted 05-04-2011 11:50

    Very interesting and quite worrisome:

     

    I configured an RO user:

     

            user occasus {
                uid 2001;
                class read-only;
            }

     

     

    I logged in, tried "?" and then "request wlan access-point restart ap-1", and here are the results:

     

    occasus@AltaBadia> ?
    Possible completions:
      file                 Perform file operations
      help                 Provide help information
      load                 Load information from file
      op                   Invoke an operation script
      quit                 Exit the management session
      request              Make system-level requests
      save                 Save information to file
      set                  Set CLI properties, date/time, craft interface message
      show                 Show system information
      start                Start shell
      test                 Perform diagnostic debugging
    occasus@AltaBadia>
    occasus@AltaBadia> request wlan access-point restart raven-ap1
    Successfully restarted the access point.
    
    occasus@AltaBadia>

     And ap-1 did indeed restart, as my iPad lost connectivity (it was on Wi-Fi on one of the SSIDs of AP-1).

     

    In my opinion this is very worrisome, as I believe it could be an open door to tinkering with the SRX... especially with "file" and/or "load"...

     

    If possible, it would be great, at this point, to have someone from Juniper confirm (or deny) that this is the desired behavior of the RO class.

     

     

    Cheers

    Andy



  • 5.  RE: SRX 240H login class permissions
    Best Answer

    Posted 05-04-2011 12:00

    That seems...  broken.

     

    According to the documentation a read-only user should only have access to "view" commands.

     

    I'd open a case with JTAC.



  • 6.  RE: SRX 240H login class permissions

    Posted 05-04-2011 12:11

    This is indeed the reason for my first posting here.

    I was thinking it was indeed not normal, but as I usually work via TACACS I wasn't so sure whether it was something intended.

    Thanks 🙂



  • 7.  RE: SRX 240H login class permissions

    Posted 05-06-2011 02:43

    After a quick chat with JTAC it appears that it is normal behavior.

     

    Personally I am still a bit surprised that an RO account using the standard read-only class is able to restart an AP on the SRX, but as it seems to be normal behavior I will just create a custom class removing that possibility 🙂
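    The custom class mentioned above, as an added example that is not code from the thread or from Juniper. It keeps the "view" permission that the predefined read-only class is built on and uses deny-commands to refuse the non-show top-level commands the poster saw in the "?" listing. The class name "ro-strict" is an assumption; the user name and uid are the ones from the thread.

    ```junos
    # Added example (not from the thread): a read-only class that really is read-only.
    # Class name "ro-strict" is an assumption. Enter these in configuration mode.
    #
    # "view" is the same single permission the predefined read-only class carries.
    set system login class ro-strict permissions view
    #
    # deny-commands takes an extended regex matched against the operational-mode
    # command line. This denies every top-level verb from the "?" listing other than
    # show/help/quit, plus a few others that the view permission otherwise leaves
    # reachable (for example "set date" changes the system clock).
    set system login class ro-strict deny-commands "^(request|file|load|save|start|test|op|set|clear|restart|monitor)( .*)?$"
    #
    # Move the user from the thread onto the new class.
    set system login user occasus uid 2001
    set system login user occasus class ro-strict
    commit and-quit
    ```

    After the commit, log in as that user and run "show cli authorization": it prints the effective permissions and the deny-commands regex, so you can see the class applied before testing anything destructive. Then repeat the exact command from the thread ("request wlan access-point restart raven-ap1"); it should now be refused instead of restarting the AP. Also try an abbreviated form such as "req wlan ..." to confirm the regex is applied to the command as the CLI resolves it, and re-check the "?" listing. Using only deny-commands, rather than mixing allow-commands and deny-commands, avoids having to reason about which statement wins when both match the same command.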



  • 8.  RE: SRX 240H login class permissions

    Posted 05-06-2011 11:06

    Wow, that's surprising (and misleading, according to their documentation).

     

    Good to know for future reference.