%Error opening nvram:/startup-config (Permission denied)

Answered Question
Dec 20th, 2012

I'm getting an odd error, permission denied trying to issue "show config" at user level.  We use this throughout the environment with no issues.


IOS: System image file is "flash0:c2900-universalk9-mz.SPA.152-3.T.bin"


R1#sh run | i aaa
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 15 default stop-only group tacacs+
aaa session-id common

R1#sh run | i priv
privilege exec level 1 traceroute
privilege exec level 1 ping
privilege exec level 1 show logging
privilege exec level 1 show configuration
privilege exec level 1 show privilege
privilege exec level 1 show

R1#disable
R1>show config
Using 11855 out of 262136 bytes
%Error opening nvram:/startup-config (Permission denied)

Correct Answer
Phillip Remaker Thu, 12/20/2012 - 12:35
User Badges:
  • Cisco Employee,

You are indeed allowed to run the command (as evidenced by the fact that the command did run).


show config is effectively an alias for the command more nvram:startup-config

As a result, the issue is the permission on the file, not the command itself.


Unfortunately, the file systems do not explicitly support permissions.  This used to be implicitly supported through permissions on show config.


Perhaps this is a bug.  I'd open a case on this if you really need this feature.

shorita Thu, 12/20/2012 - 12:40

Thank you Phillip.  I agree, I think this may be a bug.  I'm in the process of adding the customer contract to my CCO account to pursue a TAC case. I'll let the discussion boards know the outcome.  Thanks again.

Correct Answer
krahmani323 Thu, 01/03/2013 - 06:29

Hello,


I have been facing the same issue and have opened a case. Please find the answer I got from the TAC:


==============================================

This is intended by design as a security measure. Starting in newer releases of IOS, the privilege level for file system access has to be configured separately. There are two options to overcome this:


1) Run the command from the enable prompt.

2) Set the file system privilege level via the config command "file privilege 1".

==============================================


Hope that helps.

Best regards.

Karim
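
A check for the condition the TAC reply describes, added here as an example that is not part of the thread and not Cisco tooling: it compares "privilege exec level" entries for file-backed commands against "file privilege". The default of 15, the list of file-backed commands and the sample config are assumptions or constructed for illustration.

```python
import re

# Assumption: with no "file privilege" line, file system access needs level 15.
DEFAULT_FILE_PRIVILEGE = 15

# Constructed sample, reduced from the "sh run | i priv" output in the question.
SAMPLE_CONFIG = """\
privilege exec level 1 show logging
privilege exec level 1 show configuration
privilege exec level 1 show privilege
privilege exec level 1 show
"""

# Assumption: commands that open a file instead of printing live state.
FILE_BACKED = ("show configuration", "show startup-config", "more")

PRIV_RE = re.compile(r"^privilege exec (?:all )?level (\d+) (.+)$")
FILE_RE = re.compile(r"^file privilege (\d+)$")


def audit(config: str) -> dict:
    """Compare delegated exec commands with the file system privilege level."""
    file_level = DEFAULT_FILE_PRIVILEGE
    delegated = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := FILE_RE.match(line):
            file_level = int(m.group(1))
        elif m := PRIV_RE.match(line):
            level, command = int(m.group(1)), m.group(2).strip()
            if any(command == c or command.startswith(c + " ") for c in FILE_BACKED):
                delegated.append((level, command))
    # Delegated below the file level: the command runs, the file open is refused.
    blocked = sorted(d for d in delegated if d[0] < file_level)
    # Lowered file level: users at that level can read startup-config contents.
    widened = file_level < DEFAULT_FILE_PRIVILEGE
    return {"file_privilege": file_level, "blocked": blocked,
            "file_access_widened": widened}
```

Run against the question's configuration, the result lists "show configuration" at level 1 as blocked; once "file privilege 1" is present the block clears and file_access_widened turns true, which is the trade-off to review before applying option 2.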

shorita Thu, 01/03/2013 - 09:23

Thanks for your input.  Yes, Cisco TAC confirmed that there is a bug ID documenting this, CSCty30604.


Hassan Kashaf Fri, 09/23/2016 - 04:04

I was running into the same problem and the solution for me was to not define the tftp path, so basically I kept typing the following:

copy crashinfo:... tftp:c:\temp

then IP

instead of:

copy crashinfo:... tftp:

without the path, because my tftp is configured to store everything in c:\temp

then IP, that worked for me.


Hope it helps :)
