
Requirements for Executing Python Automation Scripts on Devices Running Junos OS


You can use Python to author Junos OS commit, event, op, and SNMP automation scripts. To prevent the execution of unauthorized Python code on devices running Junos OS, an unsigned Python automation script must meet certain requirements before you can execute the script on a device.

By default, you cannot execute unsigned Python scripts on devices running Junos OS. To enable the execution of unsigned Python automation scripts that meet the requirements outlined in this topic, you must configure the language python statement at the [edit system scripts] hierarchy level.

As with SLAX and XSLT automation scripts, Python automation scripts must be stored in the appropriate directory on the device, and you must enable individual scripts by configuring the script filename under the hierarchy level appropriate to the script type in the configuration. For information about storing and enabling automation scripts, see Storing and Enabling Scripts.

Starting in Junos OS Release 16.1R3, ownership and access privilege requirements for some unsigned Python scripts are modified. In Junos OS Release 16.1R2 and earlier releases, unsigned Python commit, event, op, and SNMP scripts must be owned by the root user, and Junos OS executes the scripts using the access privileges of the *nix user and group nobody, which is the generic, unprivileged system account. Starting in Junos OS Release 16.1R3, unsigned Python automation scripts must be owned by either the root user or a user in the Junos OS super-user login class, and only the file owner can have write permission for the file. Furthermore, Python automation scripts can be executed with the access privileges of authorized users.

Note

To enable a user who does not belong to the file’s user or group class to execute an unsigned Python automation script, the script’s file permissions must include read permission for others.
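The ownership and permission rules above can be checked from a shell before a script is enabled. The following audit function is an added example, not Juniper's code. It assumes GNU stat (Linux) and falls back to BSD stat as found on the Junos shell; the list of super-user logins is supplied by the caller, since the script cannot read the Junos login classes itself. It also prints the SHA-256 digest that the checksum sha-256 form of the checksum statement accepts.

```shell
#!/bin/sh
# Added example (not from Juniper): audit an unsigned Python script file
# against the Junos OS 16.1R3+ rules:
#   - owner is root or a login in the super-user class (passed in by name)
#   - only the owner has write permission
#   - users outside the file's owner/group need read permission for others
# Assumes GNU stat; falls back to BSD stat -f (Junos shell).

# file_owner_mode PATH -> "owner octalmode", e.g. "root 644"
file_owner_mode() {
    stat -c '%U %a' "$1" 2>/dev/null || stat -f '%Su %Lp' "$1"
}

# check_script_file PATH [SUPERUSER_LOGINS]
# SUPERUSER_LOGINS: space-separated logins allowed to own the file; root is
# always allowed. Returns 0 when the file passes, 1 otherwise.
check_script_file() {
    path=$1
    superusers=${2:-}
    rc=0
    [ -f "$path" ] || { echo "FAIL: $path is not a regular file"; return 1; }
    om=$(file_owner_mode "$path") || return 1
    owner=${om% *}
    mode=${om#* }
    # Last three octal digits: group class and other class.
    grp=$(( (mode / 10) % 10 ))
    oth=$(( mode % 10 ))

    ok=0
    [ "$owner" = root ] && ok=1
    for u in $superusers; do
        [ "$u" = "$owner" ] && ok=1
    done
    if [ $ok -eq 0 ]; then
        echo "FAIL: $path is owned by '$owner', not root or a super-user login"
        rc=1
    fi

    # Write bit is 2: any group or other write disqualifies the file.
    if [ $(( grp & 2 )) -ne 0 ] || [ $(( oth & 2 )) -ne 0 ]; then
        echo "FAIL: $path mode $mode grants write permission beyond the owner"
        rc=1
    fi

    # Read bit is 4: without other-read, users outside owner/group cannot run it.
    if [ $(( oth & 4 )) -eq 0 ]; then
        echo "WARN: $path mode $mode has no read permission for others"
    fi

    [ $rc -eq 0 ] && echo "OK: $path owner=$owner mode=$mode"
    return $rc
}

# script_checksum PATH -> SHA-256 hex digest, whichever tool is present
script_checksum() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"    # BSD form, as on the Junos shell
    fi
}

# checksum_config TYPE PATH -> set command pinning a commit/op/snmp script
# (event scripts take checksum under [edit event-options event-script file]).
checksum_config() {
    printf 'set system scripts %s file %s checksum sha-256 %s\n' \
        "$1" "$(basename "$2")" "$(script_checksum "$2")"
}
```

Run it against the script directories on the device, for example check_script_file /var/db/scripts/op/op-check.py "admin", then paste the printed set command into the configuration so that a later modification of the file fails the integrity check.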

We recommend that you configure a checksum to verify the integrity of Python scripts. To specify a checksum for a local script, configure the checksum statement under the [file filename] statement in the hierarchy for your specific type of script. To specify a checksum for a remote op script, include the key argument when you execute the script using the op url command. Starting in Junos OS Release 18.2R2 and 18.3R, if you execute an unsigned Python script that does not have a checksum configured, Junos OS logs a CSCRIPT_SECURITY_WARNING message in the system log file. For example:

Starting in Junos OS Release 16.1R3, interactive Python scripts, such as commit and op scripts, run with the access privileges of the user who executes the command or operation that invokes the script. Non-interactive Python scripts, such as event and SNMP scripts, by default, still execute under the privileges of the user and group nobody. To execute the scripts using the access privileges of a specific user, you must configure the python-script-user username statement at the [edit event-options event-script file filename] hierarchy level for event scripts, or the [edit system scripts snmp file filename] hierarchy level for SNMP scripts, and specify a user configured at the [edit system login] hierarchy level.

For example:
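The following configuration, in set-command form, is an added illustration rather than an example from the original page. It enables unsigned Python scripts, pins an op script with a checksum, and runs an event script and an SNMP script as a dedicated login instead of nobody. The filenames, the login pyuser and the placeholder hash are assumptions; use the SHA-256 of your own file.

```text
set system scripts language python
set system scripts op file op-check.py checksum sha-256 <64-hex-digit-sha-256-of-op-check.py>
set system login user pyuser class operator
set event-options event-script file interface-down.py python-script-user pyuser
set system scripts snmp file snmp-monitor.py python-script-user pyuser
```

The two python-script-user statements sit at the hierarchy levels named above, and pyuser must exist under [edit system login]; because root privileges cannot be granted to event and SNMP scripts, give that login only the class the script actually needs.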

Note

You cannot configure Python event and SNMP scripts to execute with root access privileges.

Table 1 outlines the requirements for executing unsigned Python automation scripts in the different Veriexec-enabled versions of Junos OS.

Table 1: Python Automation Script Requirements

| Requirement/Restriction | Junos OS Release 16.1R2 or earlier | Junos OS Release 16.1R3 or later |
|---|---|---|
| File owner | Root user | Root user or a user in the Junos OS super-user login class |
| File write permissions | Any | File owner only |
| language python statement configured at the [edit system scripts] hierarchy level | Yes | Yes |
| Script enabled in the configuration under the hierarchy appropriate to that script type | Yes | Yes |
| Access privileges | All Python automation scripts execute with the access privileges of the user and group nobody | Python commit and op scripts execute with the access privileges of the user who invokes the script. Python event and SNMP scripts execute with the access privileges of the user configured in the python-script-user statement, or, if python-script-user is not configured, as user and group nobody. |

Release History Table

| Release | Description |
|---|---|
| 16.1R3 | Starting in Junos OS Release 16.1R3, ownership and access privilege requirements for some unsigned Python scripts are modified. |