Change the User Privilege Level for an Event Policy Action
Understanding the Default User Privilege Level
By default, Junos devices execute most event policy actions as the
root user, because the event process (eventd) runs with root
privileges. Event policy actions that use root access privileges by default
include:
- Changing the configuration
- Executing operational mode commands
- Uploading files
- Executing SLAX and XSLT event scripts
For security reasons, Junos devices handle Python event scripts differently. To
prevent the execution of unauthorized Python code, Junos devices, by default,
execute Python event scripts using the access privileges of the generic,
unprivileged user and group nobody. As a result, Python event
scripts generally cannot perform even basic operations without some additional
configuration.
To change the user privilege level for event policy actions, see the following sections:
Change the User Privilege Level for Event Policy Actions That Use Root Privileges By Default
By default, Junos devices execute most event policy actions with root privileges. In some cases, you might want a device to execute an event policy action with restricted access privileges instead of with root privileges. For example, suppose you configure an event policy that executes a SLAX event script and you want the script to execute with a restricted user profile. Or perhaps you want to upload files using a specific user.
For event policy actions that would default to using root privileges, you can instead associate the action with a user. When you configure a user for the event policy action, the device executes that operation using the access privileges of the configured user.
To execute an event policy action under the access privileges of a specific user,
configure the user-name statement. You must specify a username that
is configured at the [edit system login] hierarchy level.
You can include the user-name statement at the following hierarchy levels
corresponding to the different event policy actions:
- The change-configuration event policy action:
  [edit event-options policy policy-name then change-configuration]
  user@host# set user-name username
- The event-script event policy action, for SLAX and XSLT scripts only:
  [edit event-options policy policy-name then event-script filename]
  user@host# set user-name username
- The execute-commands event policy action:
  [edit event-options policy policy-name then execute-commands]
  user@host# set user-name username
  Note: If you include the op url command to execute a remote script as an event policy action, the user-name statement applies only to SLAX and XSLT scripts. In this scenario, the device always executes Python scripts using the access privileges of the generic, unprivileged user and group nobody.
- The upload event policy action:
  [edit event-options policy policy-name then upload filename (filename | committed) destination destination-name]
  user@host# set user-name username
Change the User Privilege Level for Python Event Scripts
By default, Junos devices execute Python event scripts with the access privileges of
the generic, unprivileged user and group nobody. You can execute a
local Python event script under the access privileges of a specific user. To specify
the user, configure the python-script-user username statement at
the [edit event-options event-script
file filename] hierarchy level.
The username that you specify for the python-script-user statement
must be configured at the [edit system login] hierarchy level. You
cannot configure Python event scripts to execute with root access privileges. You
can use any other configured user, including users in the
super-user login class.
[edit event-options event-script file filename]
user@host# set python-script-user username
To enable a user who does not belong to the file’s user or group class to execute an unsigned Python automation script, the script’s file permissions must include read permission for others.
Example: Associating an Optional User with an Event Policy Action
This example shows several event policies that execute event policy actions with different user privilege levels. In the sample configuration:
- Event policy policy1 associates the execute-commands action with user user1. The system executes the execute-commands action with user1 privileges.
- Event policy policy2 does not explicitly associate a user with the event-script action. This event policy executes a SLAX event script. In this case, the system executes the event-script action with root privileges.
- Event policy policy3 uses the event-script action to execute a Python event script. The Python event script configuration is at the [edit event-options event-script file script3.py] hierarchy level. The configuration sets the python-script-user statement to the user python-user. Thus, the event policy action executes script3.py with python-user privileges.
[edit system]
login {
    user user1 {
        uid 2001;
        class operator;
    }
    user python-user {
        uid 2002;
        class super-user;
    }
}
[edit event-options]
policy policy1 {
    events e1;
    then {
        execute-commands {
            commands {
                "show version";
            }
            user-name user1;
            output-filename command-output;
            destination some-dest;
        }
    }
}
policy policy2 {
    events e2;
    then {
        event-script script2.slax {
            output-filename slax-event-script-output;
            destination some-dest;
        }
    }
}
policy policy3 {
    events e3;
    then {
        event-script script3.py {
            output-filename python-event-script-output;
            destination some-dest;
        }
    }
}
event-script {
    file script3.py {
        python-script-user python-user;
    }
    file script2.slax;
}
destinations {
    some-dest {
        archive-sites {
            /var/tmp;
        }
    }
}
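As an added least-privilege check (example code written for this page, not Juniper's or part of Junos), the Python below parses an event-options stanza like the one above and reports which user each event policy action will run as, applying the defaults this page describes: an action without user-name runs as root, and a Python event script without python-script-user runs as nobody. The parser, the condensed sample configuration and the assumption that a .py suffix identifies a Python event script are all constructed for this example.

```python
import re
# Constructed sample, condensed from this page's configuration example (destinations omitted).
SAMPLE_CONFIG = """
policy policy1 { events e1; then { execute-commands { commands { "show version"; } user-name user1; destination some-dest; } } }
policy policy2 { events e2; then { event-script script2.slax { destination some-dest; } } }
policy policy3 { events e3; then { event-script script3.py { destination some-dest; } } }
event-script { file script3.py { python-script-user python-user; } file script2.slax; }
"""
ACTIONS = ("change-configuration", "event-script", "execute-commands", "upload")

def parse(text):
    """Junos curly-brace text -> nested dicts (block: its children, leaf statement: None)."""
    node, stack, words = {}, [], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok == "{":                       # open a child block and descend into it
            node[" ".join(words)] = child = {}
            stack.append(node)
            node, words = child, []
        elif tok == ";":                     # leaf statement, e.g. "user-name user1"
            node[" ".join(words)], words = None, []
        elif tok == "}":
            node = stack.pop()
        else:
            words.append(tok)
    return node

def leaf_value(node, stmt):
    """Argument of leaf statement `stmt` in `node`, e.g. 'user-name user1' -> 'user1'."""
    return next((k.split(" ", 1)[1] for k in (node or {}) if k.startswith(stmt + " ")), None)

def effective_users(text):
    """Map (policy, action) -> user the action runs as, applying this page's defaults."""
    tree = parse(text)
    script_users = {k.split(" ", 1)[1]: leaf_value(v, "python-script-user")
                    for k, v in (tree.get("event-script") or {}).items() if k.startswith("file ")}
    result = {}
    for key, policy in tree.items():
        for action, body in ((policy or {}).get("then") or {}).items():
            if key.startswith("policy ") and action.startswith(ACTIONS):
                if action.startswith("event-script ") and action.endswith(".py"):  # assumed: .py = Python
                    user = script_users.get(action.split(" ", 1)[1]) or "nobody"  # Python default
                else:
                    user = leaf_value(body, "user-name") or "root"  # every other action defaults to root
                result[(key.split(" ", 1)[1], action)] = user
    return result

def root_actions(text):
    """The least-privilege findings: actions that still run with root privileges."""
    return sorted(k for k, u in effective_users(text).items() if u == "root")
```

Running root_actions on the sample flags only policy2, whose SLAX event-script action has no user-name and therefore runs as root.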