privilege setting

Unanswered Question
Jun 2nd, 2007

Hi,


I configured three levels for remote access. All show commands are on level 2 (privilege 5). However, it only shows 6 lines of running-config. Are any commands missing?


----
privilege exec level 1 traceroute
privilege exec level 1 show running-config
----

--- output of sh run ---
tw72xx>sh run
Building configuration...

Current configuration : 13 bytes
!
!
!
!
end
----


thanks


best regards




Anand Narayana Sat, 06/02/2007 - 20:42

Hi,

Only on privilege level 15 can you view the running configuration.

leungcm Sat, 06/02/2007 - 20:50

Hi,


Does it mean that whatever we do, the "sh run" is still in level 15?


best regards


Anand Narayana Sat, 06/02/2007 - 21:27

Yes, you're right, because privilege level 15 is the admin privilege; other levels are not entitled to see the configuration as it is not safe.

mohammedmahmoud Sat, 06/02/2007 - 22:56

Hi,


When access to the router is configured by privilege levels, a common issue is that the show running command is configured at or below the user's privilege level. When the user executes the command, the configuration appears to be blank. This is actually by design, because this command displays all of the commands that the current user is able to modify (in other words, all the commands at or below the user's current privilege level). The command should not display commands above the user's current privilege level because of security considerations. If it did, commands such as snmp-server community could be used to modify the current configuration of the router and gain complete access to the router.


For example, if a certain privilege level is given the privilege to configure under the interface and to do show run, then when a user does show run at this level, he will get only the interface configurations:


privilege configure all level 5 interface
privilege exec all level 5 show running-config

Router#sh run
Building configuration...

Current configuration : 1055 bytes
!
boot-start-marker
boot-end-marker
!
!
!
!
!
interface Loopback0
ip address 10.10.10.2 255.255.255.255
!
interface Serial1/1
no ip address
shutdown
!
end


I hope that I've been informative.



HTH, please do rate all helpful replies,

Mohammed Mahmoud.
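
The behaviour described in the reply above can be checked offline before a privilege level is handed out. The following Python script is an added example, not part of the original thread or any Cisco tool: it parses `privilege` statements and reports which configuration commands a user at a given level would see in `show running-config`. The function names are hypothetical, and the model assumes that `show running-config` sits at level 15 unless lowered and that only commands lowered to the user's level or below are displayed, as the reply states.

```python
import re

# IOS syntax: privilege <mode> [all] level <0-15> <command words...>
PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+(all\s+)?level\s+(\d+)\s+(.+)$")

def parse_privilege_lines(config_text):
    """Return (mode, level, command) tuples for every 'privilege' statement."""
    entries = []
    for line in config_text.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            entries.append((m.group(1), int(m.group(3)), m.group(4).strip()))
    return entries

def visible_config_commands(config_text, user_level):
    """Model of what a user below level 15 sees in 'show running-config'.

    Returns None if the command is not available at user_level, otherwise the
    sorted list of configuration-mode commands lowered to user_level or below.
    An empty list corresponds to the blank output shown in the question.
    """
    if not 0 <= user_level < 15:
        raise ValueError("model only covers levels 0-14; level 15 sees everything")
    entries = parse_privilege_lines(config_text)
    show_run_level = 15  # assumed default when no privilege statement lowers it
    for mode, level, cmd in entries:
        if mode == "exec" and cmd.startswith("show running-config"):
            show_run_level = level  # a later statement overrides an earlier one
    if user_level < show_run_level:
        return None
    return sorted(f"{mode} {cmd}" for mode, level, cmd in entries
                  if mode != "exec" and level <= user_level)

# Sample input: the two sets of privilege statements posted in the thread.
QUESTION_CFG = """
privilege exec level 1 traceroute
privilege exec level 1 show running-config
"""
ANSWER_CFG = """
privilege configure all level 5 interface
privilege exec all level 5 show running-config
"""

if __name__ == "__main__":
    for name, cfg, lvl in (("question", QUESTION_CFG, 1), ("answer", ANSWER_CFG, 5)):
        seen = visible_config_commands(cfg, lvl)
        print(f"{name}: level {lvl} sees {', '.join(seen) if seen else 'a blank config'}")
```
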
