Changing the User Privilege Level for an Event Policy Action
Only superusers can configure event policies. By default, event policy actions—such as executing operational mode commands, uploading files, and executing SLAX and XSLT event scripts—are executed by user root, because the event process (eventd) runs with root privileges.
To prevent the execution of unauthorized Python code on devices running Junos OS, by default, Junos OS executes Python event scripts using the access privileges of the generic, unprivileged user and group nobody.
In some cases, you might want an event policy action to be executed with restricted privileges. For example, suppose you configure an event policy that executes a script if an interface goes down. The script includes remote procedure calls (RPCs) to change the device configuration if certain conditions are present. If you do not want the script to change the configuration, you can execute the script with a restricted user profile. When the script is executed with a user profile that disallows configuration changes, the RPCs to change the configuration fail.
You can associate a user with each action in an event policy. If a user is not associated with an event policy action, then the action is executed as user root by default.
To specify the user under whose privileges an action is executed, configure the user-name statement.
You can include this statement at the following hierarchy levels:
For event scripts, the user-name statement applies only to SLAX and XSLT scripts. It has no effect when configured for a Python event script, which continues to run as the unprivileged user nobody unless you configure python-script-user (described below).
If you include the op url command to execute a remote script as an event policy action, Python scripts are always executed with the access privileges of the generic, unprivileged user and group nobody, and SLAX and XSLT scripts are executed with root privileges unless you configure the user-name statement.
By default, Junos OS executes Python event scripts with the access privileges of the generic, unprivileged user and group nobody. Starting in Junos OS Release 16.1R3, you can execute a local Python event script under the access privileges of a specific user. To specify the user, configure the python-script-user username statement at the [edit event-options event-script file filename] hierarchy level.
To enable a user who is neither the file's owner nor a member of the file's group to execute an unsigned Python automation script, the script's file permissions must include read permission for others (for example, mode 0644).
The username that you specify for the user-name and python-script-user statements must be configured at the [edit system login] hierarchy level.
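The following configuration ties the preceding statements together. It is an added example, not a fragment from this page or from Juniper's own documentation; the class name event-readonly, the user event-runner, the policy name ifd-down, and the script file names are assumptions chosen for illustration. The login class grants only view and view-configuration permissions and no configure permission, so any RPC in the scripts that tries to change the configuration fails, which is the restricted-privilege behavior described above. The SLAX script and the execute-commands action run as event-runner through user-name, while the Python script ignores user-name and is instead assigned the same user through python-script-user.

```junos
system {
    scripts {
        language python;          /* required before unsigned Python scripts can run */
    }
    login {
        class event-readonly {
            /* no "configure" or "all" permission: configuration-changing RPCs fail */
            permissions [ view view-configuration ];
        }
        user event-runner {       /* assumed name; must exist here to be referenced below */
            uid 2001;
            class event-readonly;
        }
    }
}
event-options {
    policy ifd-down {
        events SNMP_TRAP_LINK_DOWN;
        then {
            execute-commands {
                commands {
                    "show interfaces terse";
                }
                user-name event-runner;   /* operational command runs as event-runner, not root */
            }
            event-script ifd-down.slax {
                user-name event-runner;   /* applies to SLAX/XSLT scripts */
            }
            event-script ifd-down.py;     /* user-name would have no effect here */
        }
    }
    event-script {
        file ifd-down.slax;
        file ifd-down.py {
            python-script-user event-runner;   /* Junos OS 16.1R3 and later */
        }
    }
}
```

Both script files are assumed to have been copied to /var/db/scripts/event, the directory Junos OS uses for event scripts. Because event-runner is neither root nor the owner of ifd-down.py, that file also needs read permission for others (for example, mode 0644) before the Python script will execute under this user.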