Re: [j-nsp] R: [j-nsp] class permission problem

From: Stephen Gill (gillsr@yahoo.com)
Date: Mon Jun 18 2001 - 12:02:41 EDT


The problem is that you have the "control" option also allowed in your
config. What this does is include ANYthing with a -control permission.
Thus, you have inadvertently included admin-control as well. I'd
recommend that you remove the "control" word in your config and
recommit.

-- steve
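To make that effect concrete, here is a small audit script (an added example, not from this thread or from Juniper) that models the expansion described above: "control" implies every "-control" flag and "all" implies everything. It assumes a flag catalogue limited to the names used in this thread, and runs on the labuser permissions quoted further down.

```python
import re

# Assumed catalogue: only the permission flags that appear in this thread.
BASE_FLAGS = {
    "admin", "clear", "configure", "field", "floppy", "firewall", "interface",
    "maintenance", "network", "reset", "rollback", "routing", "secret",
    "shell", "snmp", "system", "trace", "view",
}
CONTROL_FLAGS = {
    "admin-control", "firewall-control", "interface-control", "routing-control",
    "secret-control", "snmp-control", "system-control", "trace-control",
}


def parse_permissions(class_config):
    """Extract the flags from a 'permissions [ ... ];' statement (may span lines)."""
    match = re.search(r"permissions\s*\[(.*?)\]\s*;", class_config, re.S)
    return match.group(1).split() if match else []


def effective_permissions(flags):
    """Expand 'all' and 'control' into the flags they imply, as the reply describes."""
    effective = set(flags)
    if "all" in flags:
        effective |= BASE_FLAGS | CONTROL_FLAGS
    if "control" in flags:
        effective |= CONTROL_FLAGS
    return effective


def inadvertent_grants(flags):
    """Flags in effect that the class never lists explicitly."""
    return sorted(effective_permissions(flags) - set(flags))


def can_modify_login(flags):
    """Adding statements under [edit system login] needs admin-control (per the docs quoted)."""
    return "admin-control" in effective_permissions(flags)


# Constructed input: the labuser class quoted in Stefano's message.
LABUSER_CONFIG = """
class labuser {
    idle-timeout 30;
    permissions [ clear configure control field floppy interface
        interface-control network reset routing routing-control shell snmp
        snmp-control system system-control trace trace-control view maintenance
        firewall firewall-control secret secret-control rollback ];
}
"""

if __name__ == "__main__":
    flags = parse_permissions(LABUSER_CONFIG)
    print("inadvertent grants:", inadvertent_grants(flags))          # ['admin-control']
    print("can modify login:", can_modify_login(flags))              # True
    fixed = [f for f in flags if f != "control"]
    print("after removing 'control':", can_modify_login(fixed))      # False
```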

--- Stefano Bosio <sbosio@inwind.it> wrote:
> Ok, my previous mail was a little confused. I try to explain.
>
> idle-timeout is a different problem from what I'm trying to do.
>
> I create this config
>
> system {
>     login {
>         class labuser {
>             idle-timeout 30;
>             permissions [ clear configure control field floppy interface
>                 interface-control network reset routing routing-control shell snmp
>                 snmp-control system system-control trace trace-control view maintenance
>                 firewall firewall-control secret secret-control rollback ];
>             /* every permission except 'admin' 'admin-control' */
>         }
>         user juniper {
>             uid 2002;
>             class labuser;
>             authentication {
>                 encrypted-password "$1$TCPMb$PhlaybNr.MWLPR5XXKK.Y0"; ## SECRET-DATA
>             }
>         }
>     }
> }
>
> I commit it; after I log on with user juniper (which belongs to class
> labuser and doesn't have 'admin' and 'admin-control' rights), I try to
> change the class of user juniper from labuser to superuser.
>
>
>
> juniper@M20-LAB> edit
> Entering configuration mode
>
> [edit]
> juniper@M20-LAB# set system login user juniper class super-user
>
> [edit]
> juniper@M20-LAB# commit and-quit
> commit complete
> Exiting configuration mode
>
> juniper@M20-LAB> exit
>
>
> M20-LAB (ttyd0)
>
> login: juniper
> Password:
> Last login: Mon Jun 18 14:50:49 on ttyd0
>
> --- JUNOS 4.4R2.3 built 2001-05-30 00:57:00 UTC
>
> juniper@M20-LAB> show configuration
> version 4.4R2.3;
> system {
>     login {
>         class labuser {
>             idle-timeout 30;
>             permissions [ ...... ];
>         }
>         user juniper {
>             uid 2002;
>             class super-user;
>
> /*
> With much surprise it works, and no error message or denial is received.
> From the documentation on permissions:
>
> permissions
>
> Hierarchy Level
> [edit system login class]
>
> Required Privilege Level
> > admin--To view this statement in the configuration.
> > admin-control--To add this statement to the configuration.
>
> but these privilege levels are not assigned to class labuser, so I
> couldn't do it.
>
> This is my doubt.
>
> Stefano
> >
> > It doesn't appear as if you're using the class you've defined (labuser)
> > for user Juniper. Also keep in mind that you can't modify the builtin
> > classes. To create a superuser account with idle-timeouts, you could do
> > the following for class administrator & user admin:
> >
> > [system login]
> > /* Cannot modify the predefined classes, so we must create our own. */
> > class administrator {
> >     /* Session will time out after 15 minutes of inactivity */
> >     idle-timeout 15;
> >     permissions all;
> > }
> > /* This is our superuser account */
> > user admin {
> >     full-name Administrator;
> >     uid 2000;
> >     class administrator;
> >     authentication {
> >         encrypted-password "<PASSWORD>"; # SECRET-DATA
> >     }
> > }
> >
> > -- steve
>




This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:37 EDT