From: Thor Kopp (thorkopp@googlemail.com)
Date: Sun Jun 01 2008 - 07:08:27 ART
Remember that when you set a command to a certain level, you will get all of
the commands at the lower level by default. So if you are setting 'show ip
route' to level 5, then level 5 automatically gives you the non-privileged
commands as well (most of which come with the default level of 2). The default
priv level is 1, so you will get all of the commands at that level, i.e. sho
ver, show interface etc. If you didn't want all of the other commands then I
assume you would need to increase their security to something higher than 5.
I don't know of any way to see what the commands are at level 1 or 15 to
know which ones you would need to change though, and I don't think it's
possible to change the default level, i.e. make the default level for level 1
commands 6 etc.
In terms of your issue with increasing the security level to 5 for 'show ip
route' and the effect that this has, I found the below which provides an
explanation. I'm not sure if it's technically correct but it sounds good to
me.
'The privilege level information is stored internally in the keyword nodes
of a parse tree of all possible commands. To be able to parse "ip address"
you have to be able to get past "ip", so putting level 5 privileges on the
"address" keyword in "ip address" means that the "ip" had better also have
level 5 access. Similarly, to be able to get past "debug" to "debug
frame-relay autoinstall", the keyword "debug" has to be at level 5.
In general, suppose the command "aaa bbb ccc" is set to privilege level X.
Then the commands "aaa" and "aaa bbb" must also be at privilege level X, or
the parser can't GET to "aaa bbb ccc" at level X.
http://www.netcraftsmen.net/welcher/papers/priv.htm
- Thor
On Sat, May 31, 2008 at 10:27 PM, Mike Harrison <michael.h4@blueyonder.co.uk>
wrote:
> Is there any way to allow certain show commands to lower privilege levels?
>
> Example - Need to give level 5 show ip route but nothing else?
>
> Command:
> privilege exec level 5 show ip route
>
> Auto creates the following:
> privilege exec level 5 show ip
> privilege exec level 5 show
>
> And in level 5 we can show anything.
> If I increase the level of the show and show ip commands:
> privilege exec level 5 show ip route
> privilege exec level 15 show ip
> privilege exec level 15 show
>
> But now in level 5 we can't show anything?
> I guess because the show command is level 15, then no other show commands
> are allowed.
>
> Is there a way just to allow the sh ip route command and no others ?
>
> TIA
> Mike
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
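The parse-tree rule quoted from netcraftsmen, and the two configurations Mike posted, can be modelled in a few lines of Python. The model below is an added illustration written for this archive page; it is not IOS code and not something either poster supplied. It assumes three things the thread states or implies: every keyword node not mentioned in a `privilege exec level` line sits at level 1; a keyword node that is not configured explicitly is "auto created" at the lowest level of any configured command beneath it (which is how `show` and `show ip` appear at level 5 after `privilege exec level 5 show ip route`); and a user at level L can run a command only if L clears every keyword node on the path, not just the leaf (which is why raising `show` to 15 locks level 5 out of `show ip route`). The `PrivilegeTree` class, the `mikes_first_attempt`, `mikes_second_attempt` and `thors_suggestion` helpers, and the short list of "other show commands" are all constructed for the example; a real router has far more show commands and, as Thor notes, no command lists them.

```python
DEFAULT_LEVEL = 1   # assumption: unconfigured keyword nodes sit at level 1


class PrivilegeTree:
    """Keyword nodes keyed by tuple prefix, e.g. ('show', 'ip', 'route').

    Illustrative model of the rule quoted in the thread, not IOS code.
    """

    def __init__(self):
        self.explicit = {}   # prefixes set by a `privilege exec level` line

    def privilege_exec(self, level, command):
        """Apply `privilege exec level <level> <command>`; returns the node."""
        node = tuple(command.split())
        self.explicit[node] = level
        return node

    def level_of(self, node):
        """Level of one keyword node.

        An explicitly configured node keeps its level.  Otherwise the node is
        "auto created" at the lowest level of any configured command beneath
        it, which is how `show` and `show ip` end up at 5 in the thread.
        """
        node = tuple(node)
        if node in self.explicit:
            return self.explicit[node]
        below = [lvl for cmd, lvl in self.explicit.items()
                 if len(cmd) > len(node) and cmd[:len(node)] == node]
        return min(below) if below else DEFAULT_LEVEL

    def can_run(self, user_level, command):
        """The parser must clear every keyword on the path, not just the leaf."""
        words = tuple(command.split())
        return all(user_level >= self.level_of(words[:i])
                   for i in range(1, len(words) + 1))

    def running_config(self):
        """Lines IOS would show, explicit and auto-created, deepest first."""
        nodes = set(self.explicit)
        for cmd in self.explicit:
            nodes.update(cmd[:i] for i in range(1, len(cmd)))
        return [f"privilege exec level {self.level_of(n)} {' '.join(n)}"
                for n in sorted(nodes, key=lambda n: (-len(n), n))
                if n in self.explicit or self.level_of(n) != DEFAULT_LEVEL]


def mikes_first_attempt():
    """`privilege exec level 5 show ip route` on its own: level 5 can show anything."""
    t = PrivilegeTree()
    t.privilege_exec(5, "show ip route")
    return t


def mikes_second_attempt():
    """Raising `show` and `show ip` to 15: level 5 can no longer show anything."""
    t = mikes_first_attempt()
    t.privilege_exec(15, "show ip")
    t.privilege_exec(15, "show")
    return t


def thors_suggestion(other_show_commands=("show version",
                                          "show interfaces",
                                          "show running-config")):
    """Leave `show` and `show ip` at 5, raise the *other* show commands to 15.

    The list of other commands is constructed for this example; anything not
    listed (e.g. `show ip interface brief`) stays reachable at level 5.
    """
    t = mikes_first_attempt()
    for cmd in other_show_commands:
        t.privilege_exec(15, cmd)
    return t


if __name__ == "__main__":
    for name, tree in (("first attempt", mikes_first_attempt()),
                       ("second attempt", mikes_second_attempt()),
                       ("Thor's suggestion", thors_suggestion())):
        print(f"--- {name} ---")
        for line in tree.running_config():
            print(line)
        for cmd in ("show ip route", "show version", "show ip interface brief"):
            print(f"  level 5 '{cmd}': {tree.can_run(5, cmd)}")
```

The `thors_suggestion` case shows the limit of that approach in the same model: only the show commands you explicitly raise are taken away from level 5, and anything you miss (here `show ip interface brief`) remains available, so the list of commands to raise has to be complete for the restriction to mean anything.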
This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:20 ART