SRX

Hello everyone,

Last evening i was looking to set up a RO account for a friend of mine.

After creating the account i obviously tested it and i realised that when loging-in i get in the Operational mode, as expected, but if i do a simple "?" i see i have access to commands like "clear", "file", "load","request", "save", "set" along with the desired "show"

I was wondering if it was a normal behavior that a RO account could make a "request wlan restart ap"

I would have expected the RO to permit only show commands...

Can anyone give me sone insight on this behavior of the class "read-only" ?

Cheers

Andy

Did you try actually running any of those commands?  They must just be displayed in the context help, but an RO account shouldn't be able to execute them.

Last night it accepted the "request reload wlan" command and gave no error message back, though i am not sure it accomplished it.

I will doublecheck it tonight by trying this command from a laptop and see if i cut my own access 🙂

I'll post  the results later

Thanks for having made me think an interesting way to test it 😛

Very, interesting and quite worrisome :

i configured a RO user :

        user occasus {
            uid 2001;
            class read-only;

I logged in and tried the "?" and then the "request wlan access-point restart ap-1" and here are the results:

occasus@AltaBadia> ?
Possible completions:
  file                 Perform file operations
  help                 Provide help information
  load                 Load information from file
  op                   Invoke an operation script
  quit                 Exit the management session
  request              Make system-level requests
  save                 Save information to file
  set                  Set CLI properties, date/time, craft interface message
  show                 Show system information
  start                Start shell
  test                 Perform diagnostic debugging
occasus@AltaBadia>
occasus@AltaBadia> request wlan access-point restart raven-ap1
Successfully restarted the access point.

occasus@AltaBadia>

 And the ap-1 restarted indeed as my iPad lost connectivity (it was on wifi on one of the SSIDs of the AP-1)

In my oppinion this is very worrysome as i believe it could be a door open to tinkering with the SRX... especially with the "file" and/or "load"...

If possible, it would be great, at this point, to have someone from Juniper to confirm (or infirm) that this is a desired behavior of the RO class.

Cheers

Andy

That seems...  broken.

According to the documentation a read-only user should only have access to "view" commands.

I'd open a case with JTAC.

This is indeed the reason of my first posting here.

I was thinking it was indeed not normal but as i usually work via TACACS i wasn't so sure if it wasn't something desired

Thanks 🙂

After a quick chat with the JTAC it appears that it is a normal behavior.

Personally i am still a bit surprised that a RO account using the standard read-only class is able to restart an AP on the SRX, but as it seems a normal behavior i will just create a custom class removing that possibility 🙂

Wow, that's surprising (and misleading, according to their documentation).

Good to know for future reference.