Requirements for Executing Python Automation Scripts on Devices Running Junos OS
You can use Python to author Junos OS commit, event, op, and SNMP automation scripts. To prevent the execution of unauthorized Python code on devices running Junos OS, an unsigned Python automation script must meet certain requirements before you can execute the script on a device.
By default, you cannot execute unsigned Python scripts on devices running Junos OS. To enable the execution of unsigned Python automation scripts that meet the requirements outlined in this topic, you must configure the language python statement at the [edit system scripts] hierarchy level.
As with SLAX and XSLT automation scripts, Python automation scripts must be stored in the appropriate directory on the device, and you must enable individual scripts by configuring the script filename under the hierarchy level appropriate to the script type in the configuration. For information about storing and enabling automation scripts, see Storing and Enabling Scripts.
Starting in Junos OS
Release 16.1R3, ownership and access privilege requirements for some
unsigned Python scripts are modified. In Junos
OS Release 16.1R2 and earlier releases, unsigned Python commit, event,
op, and SNMP scripts must be owned by the root user, and Junos OS
executes the scripts using the access privileges of the *nix user
and group nobody, which is the generic, unprivileged system
account. Starting in Junos OS Release 16.1R3, unsigned Python automation
scripts must be owned by either the root user or a user in the Junos
super-user login class, and only the
file owner can have write permission for the file. Furthermore, Python
automation scripts can be executed with the access privileges of authorized
To enable a user who does not belong to the file’s user or group class to execute an unsigned Python automation script, the script’s file permissions must include read permission for others.
We recommend that you configure a checksum to verify the integrity of Python scripts. To specify a checksum for a local script, configure the checksum statement under the [file filename] statement in the hierarchy for your specific type of script. To specify a checksum for a remote op script, include the key argument when you execute the script using the op url command. Starting in Junos OS Release 18.2R2 and 18.3R, if you execute an unsigned Python script that does not have a checksum configured, Junos OS logs a CSCRIPT_SECURITY_WARNING message in the system log file. For example:
CSCRIPT_SECURITY_WARNING: unsigned python script '/var/db/scripts/op/sample.py' without checksum is executed
Starting in Junos OS Release 16.1R3, interactive Python scripts, such as commit and op scripts, run with the access privileges of the user who executes the command or operation that invokes the script. Non-interactive Python scripts, such as event and SNMP scripts, by default, still execute under the privileges of the user and group nobody. To execute the scripts using the access privileges of a specific user, you must configure the python-script-user username statement at the [edit event-options event-script file filename] hierarchy level for event scripts, or the [edit system scripts snmp file filename] hierarchy level for SNMP scripts, and specify a user configured at the [edit system login] hierarchy level.
You cannot configure Python event and SNMP scripts to execute with root access privileges.
Table 1 outlines the requirements for executing unsigned Python automation scripts in the different Veriexec-enabled versions of Junos OS.
Table 1: Python Automation Script Requirements
Junos OS Release 16.1R2 or Earlier Release
Junos OS Release 16.1R3 or Later Release
Root user or a user in the Junos OS
File write permissions
File owner only
language python statement must be configured at the [edit system scripts] hierarchy level
Script must be enabled in the configuration under the hierarchy appropriate to that script type
All Python automation scripts execute with the access privileges of the user and group nobody
Python commit and op scripts execute with the access privileges of the user who invokes the script.
Python event and SNMP scripts execute with the access privileges of the user configured in the python-script-user statement, or if the python-script-user statement is not configured, as user and group nobody.