Customizing Account Privileges
Problem
You want to create a custom privilege class to define the operations and actions a user can perform while logged in to the router.
Solution
Create a privilege class that allows users to read but not modify the configuration and then let them perform all operational mode commands:
[edit system login] aviva@router1# set class operator-plus-read-config permissions [ admin clear configure floppy interface network reset routing shell snmp system trace view maintenance firewall rollback security ]
Discussion
When you set up login accounts on the router (see Recipe 2.5), each account must have a privilege level, or class, which defines the operations and actions the user can and cannot perform on the router. Each privilege level consists of a collection of permission bits that specifies what a user is allowed to do. Table 2-1 lists all the permission bits.
|
Permission |
Bit name |
|---|---|
|
All (superuser) |
all (can perform all actions) |
|
Delete data from system log, tracing, and other files |
clear (using the clear commands) |
|
All control-level operations (bits ending in -control) |
control (can view and change all portions of the configuration) |
|
Configure the router |
configure (using the configure and commit commands) |
|
Access removable media |
floppy |
|
Halt and reboot the router; start a shell and become superuser |
maintenance (using the request system commands, and using the CLI start shell command and the su root command) |
|
Access the network |
network (using the ping, ssh, telnet, and TRaceroute commands) |
|
Start and stop software processes |
reset (using the restart command, and configure at [edit system processes]) |
|
Return to previous configuration |
rollback (using the rollback command) |
|
Start a local shell |
shell (using the start shell command) |
|
Display router, routing table, and protocol values |
view (using the show commands) |
|
User account information ( login classes, user IDs) |
admin (read-only, using the show configuration command) admin-control (read, and configure at [edit system login]) |
|
Firewall filters |
firewall (read-only, using the show configuration command) firewall-control (read, and configure at [edit firewall]) |
|
Interfaces, chassis, class of service, forwarding options |
interface (read-only, using the show configuration command) interface-control (read, and configure at [edit interfaces], [edit chassis], [edit class-of-service], [edit forwarding-options]) |
|
Routing, routing protocols, routing policy |
routing (read-only, using the show configuration command) routing-control (read, and configure at [edit routing], [edit routing-options], [edit policy-options]) |
|
Passwords and authentication keys |
secret (read-only, using the show configuration command) secret-control (read and configure) |
|
IPSec security |
security (read-only, using the show configuration command) security-control (read, and configure at [edit security]) |
|
SNMP |
snmp (read-only, using the show configuration command) snmp-control (read, and configure at [edit snmp]) |
|
Router name, RADIUS, TACACS+, NTP, and other system-wide information |
system (read-only, using the show configuration command) system-control (read, and configure at [edit system]) |
|
Tracing and trace files |
trace (read tracing files and configuration using the show configuration command) trace-control (read and configure) |
Notice that some bits have two forms, a "simple" form, which gives read-only permission, and a -control form, which gives read and write permission. Except for the all bit (which grants all permissions) and the control bit (which grants read/write permission to the entire configuration), the permission bits are not cumulative, so when you create a custom privilege class, you must list all the bits that apply. Always include the view bit so users can use the show commands in operational mode. If you want users to be able to modify the configuration, include the configure bit.
The JUNOS software has four built-in privilege levels:
superuser or super-user
Can perform any operations on the router (equivalent to the all permission bit). This is similar to the Unix superuser.
operator
Can perform all actions in operational mode available with the clear, network, reset, trace, and view permission bits. Cannot display or alter the configuration and cannot shut down or reboot the router.
read-only
Can perform all actions in operational mode available with the view permission bit to show information about the router or network. Cannot perform any operations that delete or change files or file contents, clear statistics, or change the information on the router.
unauthorized
Can log in to the router but cannot perform any operations on the router except to log out.
The default privilege levels are not explicitly defined in the configuration, but if you did configure them, the first three would look like this:
[edit system login] aviva@router1# set class superuser permissions all aviva@router1# set class read-only permissions view aviva@router1# set class operator permissions [clear network reset trace view]
There is no way to explicitly configure the unauthorized level.
The command in this recipe defines a custom privilege class that allows users to perform all operational mode commands and to read but not modify the configuration. The clear, network, reset, trace, and view permission bits allow this class to use all operational mode commands. The configure bit allows this class to issue the configure command to enter configuration. The remaining bits are all the read-only bits that allow this class to use the show command in configuration mode. Users in this class can view all the contents of the configuration file except for passwords and keys (we have omitted the secret bit). Because this class has no - control bits, users can't change the configuration, even though the configure bit allows them to issue the commit command:
[edit] aviva@router1# set unknown command
To find out what privileges you have, use the show cli authorization command. Here is a user with superuser privileges:
aviva@router1> show cli authorization Current user: 'aviva' class 'superuser' Permissions: admin -- Can view user accounts admin-control-- Can modify user accounts clear -- Can clear learned network information configure -- Can enter configuration mode control -- Can modify any configuration edit -- Can edit full files field -- Special for field (debug) support floppy -- Can read and write from the floppy interface -- Can view interface configuration interface-control-- Can modify interface configuration network -- Can access the network reset -- Can reset/restart interfaces and daemons routing -- Can view routing configuration routing-control-- Can modify routing configuration shell -- Can start a local shell snmp -- Can view SNMP configuration snmp-control-- Can modify SNMP configuration system -- Can view system configuration system-control-- Can modify system configuration trace -- Can view trace file settings trace-control-- Can modify trace file settings view -- Can view current values and statistics maintenance -- Can become the super-user firewall -- Can view firewall configuration firewall-control-- Can modify firewall configuration secret -- Can view secret configuration secret-control-- Can modify secret configuration rollback -- Can rollback to previous configurations security -- Can view security configuration security-control-- Can modify security configuration access -- Can view access configuration access-control-- Can modify access configuration view-configuration-- Can view all configuration (not including secrets) Individual command authorization: Allow regular expression: none Deny regular expression: none Allow configuration regular expression: none Deny configuration regular expression: none
Here is a user with operator privileges:
mike@router1> show cli authorization Current user: 'mike' class 'operator' Permissions: clear -- Can clear learned network information network -- Can access the network reset -- Can reset/restart interfaces and daemons trace -- Can view trace file settings view -- Can view current values and statistics Individual command authorization: Allow regular expression: none Deny regular expression: none Allow configuration regular expression: none Deny configuration regular expression: none
If you do not have permission to perform an operation, you are either "blind" to that operation or you see some type of indication that you cannot perform it. If you try to view the configuration without permission, you see the following warnings:
aviva@router1> show configuration version /* ACCESS-DENIED */; system { /* ACCESS-DENIED */ }; interfaces { /* ACCESS-DENIED */ }; routing-options { /* ACCESS-DENIED */ }; protocols { /* ACCESS-DENIED */ }; policy-options { /* ACCESS-DENIED */ };
If you try to enter a command that you don't have permission to use, the CLI acts as if that command doesn't exist:
aviva@router1> clear unknown command.
You should keep these permission levels in mind when trying to use the commands discussed in this book. If you cannot enter the command or do not see it with the CLI help, review your authorization level and check with your system administrator if you need additional permission.
If a user who has a login account but no login class tries to log in, she can get as far as the operational mode prompt but she can't do anything except log out:
warning: user "aviva" does not have a valid login class aviva@router1> exit
How do you find out which permissions are associated with each command and statement? On the router, you can use the help reference command to see the permissions for the configuration statements:
aviva@router1> help reference interface address … Required Privilege Level interface--To view this statement in the configuration. interface-control--To add this statement to the configuration.
For a configuration that already exists on the router, you can see the permissions for the statements in the configuration. Use this command from operational mode:
aviva@router1> show configuration system | display detail
and use this command in configuration mode:
[edit system] aviva@router1# show | display detail
Both show the same output:
## ## system: System parameters ## require: admin system ## domain-name: Domain name for this router ## match (regex): ^[[:alnum:]._-]+$ ## require: system ## domain-name mynetwork.com; ## ## name-server: DNS name servers ## require: system ## name-server { ## ## DNS name server address ## 192.168.15.2; } ## ## login: Names, login classes, and passwords for users ## require: admin ## login { ## ## Login class name ## match (regex): ^[[:alnum:]_-]+$ ##
The only way to find out the permissions for operational mode commands is to look in the JUNOS product documentation.
Login classes have one more feature to help with basic router security. You can set a time after which all users in that class are automatically logged out if they have not typed anything at the keyboard. (By default, a user can remain logged in indefinitely.) Here, the users in the class we created will be automatically logged out if the keyboard is idle for five minutes:
[edit system login] aviva@router1# set class operator-plus-read-config permissions idle- timeout 5
Warning messages are displayed beforehand:
aviva@router1> show system users 9:56PM up 18:48, 2 users, load averages: 0.16, 0.09, 0.04 USER TTY FROM LOGIN@ IDLE WHAT aviva p0 server.juniper.net 9:42PM 4 cli aviva@router1> Warning: session will be closed in 1 minute if there is no acti vity Warning: session will be closed in 10 seconds if there is no activity Idle timeout exceeded: closing session Connection closed by foreign host.
As if all this control weren't enough, you can also control, down to the specific command and configuration hierarchy level, what commands users in a particular login class can and cannot issue and what portions of the configuration they can view and modify. For example, you can create a class that has the standard operator permissions but also can issue the request system support command to collect information to send when reporting a problem with the router:
[edit system login] aviva@router1# set class operator-plus-support permissions [ clear network reset trace view ] aviva@router1# set class operator-plus-support allow-commands "request support information"
Or you can take the basic operator class and modify it so users can issue all clear commands except clear system commit (which clears pending configuration commit operations) and clear system reboot (which clears pending router reboots):
[edit system login] aviva@router1# set class operator-plus-support permissions [ clear network reset trace view ] aviva@router1# set class operator-plus-support deny-commands "clear system"
Parallel statements allow you to fine-tune what portions of the configuration can be edited or viewed in configuration mode. This is a way to lock portions of the configuration. The following command does not allow users to modify the protocols portion of the configuration:
[edit system login] aviva@router1# set class all-but-protocols permissions [ all ] aviva@router1# set class all-but-protocols deny-configuration "protocols"
A user in this permission class can edit all portions of the configuration except for the [edit protocols] section:
[edit] aviva2@router1# edit protocols ^ syntax error, expecting or .