I'm getting an odd error, permission denied trying to issue "show config" at user level. We use this throughout the environment with no issues.
IOS: System image file is "flash0:c2900-universalk9-mz.SPA.152-3.T.bin"
R1#sh run | i aaa
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 15 default stop-only group tacacs+
aaa session-id common
R1#sh run | i priv
privilege exec level 1 traceroute
privilege exec level 1 ping
privilege exec level 1 show logging
privilege exec level 1 show configuration
privilege exec level 1 show privilege
privilege exec level 1 show
Using 11855 out of 262136 bytes
%Error opening nvram:/startup-config (Permission denied)
I have been facing the same issue and have opened a case. Please find the answer I get from the TAC :
This is intended by design as a security measure. Starting in newer releases of IOS, the privilege level for file system access has to be configured separately. There are two options to overcome this:
1) Run the command from the enable prompt.
2) Set the file system privilege level via the config command "file privilege 1".
Hope that helps.
You are indeed allowed to run the command (as evidenced by the fact that the command did run).
show config is effectively an alias for the command more nvram:startup-config
As a result, the issue is the permission on the file, not the command itself.
Unfortunately, the file systems do not explicitly support permissions. This used to be implicitly supported through permissions on show config.
Perhaps this is a bug. I'd open a case on this if you need really need this feature.