[f-nsp] Is privilege assignment broken?

Rob Lister rob.lister at netsumo.com
Thu Dec 16 10:50:22 EST 2010


Hello,

I am trying to create some restricted logins to Brocade devices (XMR and CERs)
so that general moves and changes can be performed by operations staff
without routine use of admin access, to prevent any dangerous or
accidental config changes without further checking.

I have added a bunch of privilege re-assignments such as:

privilege interface level 4 sflow
privilege port-vlan level 4 router-interface
privilege port-vlan level 4 untagged
privilege port-vlan level 4 tagged
privilege virtual-interface level 4 port-name
privilege virtual-interface level 4 enable
privilege virtual-interface level 4 disable
privilege virtual-interface level 4 ipv6
privilege virtual-interface level 4 ip
privilege protocol-vlan level 4 router-interface
privilege configure level 4 access-list
...


And this mostly works, however there are some things that do not seem to
work properly, namely:

privilege configure level 4 route-map

The non-admin user is able to create and delete route-maps, but then has
no access to modify the level underneath:

SSH@router(config)#route-map FOO permit 10
SSH@router(config-routemap FOO)#?
  cls                           Clear screen
  end                           End Configuration level and go to Privileged
                                level
  exit                          Exit current level
  no                            Undo/disable commands
  quit                          Exit to User level
  show                          Display system information
  <cr>
SSH@router(config-routemap FOO)#


SSH@router(config-routemap FOO)#set as-path prepend  9999
Invalid input -> set as-path prepend  9999
Type ? for a list

In this form, it is pretty useless.

It presents another possible danger in that it allows a blank entry to
be inserted into a route-map which cannot be updated, and a blank entry
means "permit all", so this could lead to leaking full tables etc
where this is not wanted!

Is this just broken or am I missing something?

It seems to need a "privilege route-map level ..." option.

Is it solvable using TACACS+? I was hoping to avoid having to implement it
just so that one user can run a few commands, but I suppose it may give
better accounting to have TACACS+.

Any thoughts appreciated.



Regards,


Rob




-- 
Rob Lister
NetSumo Limited
D: +44 (0) 20 7993 1707
S: +44 (0) 20 7993 1700
E: rob.lister at netsumo.com
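The two hazards raised in the post (a reassigned level being handed "configure ... route-map" even though the route-map sub-mode cannot be delegated, and a route-map permit clause with no match statement acting as "permit all") can both be caught by auditing the saved config offline. The script below is an added example written for this page; it is not from the original post, from Brocade, or from the foundry-nsp list. The sample config is constructed for the example, and it assumes an IOS-style layout for route-map clauses (indented match/set lines, "!" separators), which is an assumption rather than something the post shows.

```python
import re
from dataclasses import dataclass, field

# Constructed sample config for this example (not from a real device). The
# privilege lines follow the shape in the post; the route-map layout assumes
# IOS-style indentation with "!" separators, which is an assumption here.
SAMPLE_CONFIG = """\
privilege interface level 4 sflow
privilege port-vlan level 4 tagged
privilege configure level 4 access-list
privilege configure level 4 route-map
!
route-map FOO permit 10
 match ip address prefix-list CUST-A
 set as-path prepend 9999
!
route-map FOO permit 20
!
route-map BAR deny 10
!
"""

PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(\S+)")
RM_RE = re.compile(r"^route-map\s+(\S+)\s+(permit|deny)\s+(\d+)")


@dataclass
class RouteMapClause:
    name: str
    action: str
    seq: int
    matches: list = field(default_factory=list)
    sets: list = field(default_factory=list)


def parse_privileges(config):
    """Return (mode, level, command) for every 'privilege' line."""
    found = []
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            found.append((m.group(1), int(m.group(2)), m.group(3)))
    return found


def parse_route_maps(config):
    """Collect route-map clauses together with their indented match/set lines."""
    clauses, current = [], None
    for line in config.splitlines():
        stripped = line.strip()
        m = RM_RE.match(stripped)
        if m:
            current = RouteMapClause(m.group(1), m.group(2), int(m.group(3)))
            clauses.append(current)
        elif current is not None and line.startswith(" "):
            if stripped.startswith("match "):
                current.matches.append(stripped)
            elif stripped.startswith("set "):
                current.sets.append(stripped)
        elif stripped:
            current = None  # any other top-level line ("!", next stanza) closes the clause
    return clauses


def find_permit_all_clauses(clauses):
    """A permit clause with no match statement matches everything (the 'blank entry')."""
    return [c for c in clauses if c.action == "permit" and not c.matches]


def find_route_map_grants(privs):
    """Privilege lines handing 'configure ... route-map' to a reassigned level.

    Per the post, the route-map sub-mode itself cannot be reassigned, so such a
    grant lets the user create a clause they cannot then fill in."""
    return [p for p in privs if p[0] == "configure" and p[2] == "route-map"]


def audit(config):
    """Run both checks and return the findings as readable strings."""
    permit_all = [f"{c.name} seq {c.seq}"
                  for c in find_permit_all_clauses(parse_route_maps(config))]
    grants = [f"privilege {mode} level {lvl} {cmd}"
              for mode, lvl, cmd in find_route_map_grants(parse_privileges(config))]
    return {"permit_all": permit_all, "route_map_grants": grants}


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_CONFIG).items():
        for item in items:
            print(f"{kind}: {item}")
```

Run it against a config pulled with "show running-config" (redirected to a file) rather than on the device; "BAR deny 10" is left alone because an empty deny clause only ever drops, while "FOO seq 20" is reported as the permit-all clause an operations user could have left behind.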





More information about the foundry-nsp mailing list