
%Error opening nvram:/startup-config (Permission denied)

shorita
Level 1

I'm getting an odd error, permission denied trying to issue "show config" at user level.  We use this throughout the environment with no issues.

IOS: System image file is "flash0:c2900-universalk9-mz.SPA.152-3.T.bin"

R1#sh run | i aaa

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting commands 15 default stop-only group tacacs+

aaa session-id common

R1#sh run | i priv

privilege exec level 1 traceroute

privilege exec level 1 ping

privilege exec level 1 show logging

privilege exec level 1 show configuration

privilege exec level 1 show privilege

privilege exec level 1 show

R1#disable

R1>show config

Using 11855 out of 262136 bytes

%Error opening nvram:/startup-config (Permission denied)

2 Accepted Solutions


Phillip Remaker
Cisco Employee

You are indeed allowed to run the command (as evidenced by the fact that the command did run).

show config is effectively an alias for the command more nvram:startup-config

As a result, the issue is the permission on the file, not the command itself.

Unfortunately, the file systems do not explicitly support permissions.  This used to be implicitly supported through permissions on show config.

Perhaps this is a bug.  I'd open a case on this if you really need this feature.


Hello,

I have been facing the same issue and have opened a case. Please find the answer I got from the TAC:

==============================================

This is intended by design as a security measure. Starting in newer releases of IOS, the privilege level for file system access has to be configured separately. There are two options to overcome this:

1) Run the command from the enable prompt.

2) Set the file system privilege level via the config command "file privilege 1".

==============================================

Hope that helps.

Best regards.

Karim
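
A configuration check built on the TAC answer above, as an added example that is not part of the original thread and not Cisco tooling: it reports commands lowered with `privilege exec level` that will still hit "Permission denied" because file system access sits at a higher level, and reports when `file privilege` has been lowered so that non-enable sessions can read startup-config. The default file privilege of 15, the `FILE_BACKED` list and the function name `audit` are assumptions made for this example.

```python
import re

# Assumption: file system access is level 15 unless a
# "file privilege <level>" line is present in the configuration.
DEFAULT_FILE_PRIVILEGE = 15

# Assumption: exec commands that read nvram:startup-config (the thread notes
# that "show config" behaves like "more nvram:startup-config").
FILE_BACKED = ("show configuration", "show startup-config", "more")

PRIV_RE = re.compile(r"^privilege exec (?:all )?level (\d+) (.+)$")
FILE_RE = re.compile(r"^file privilege (\d+)$")


def audit(config_text):
    """Return (file_level, blocked, exposed) for an IOS config dump."""
    file_level = DEFAULT_FILE_PRIVILEGE
    lowered = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            file_level = int(m.group(1))
            continue
        m = PRIV_RE.match(line)
        if m:
            lowered[m.group(2)] = int(m.group(1))
    # Commands a user is allowed to run but whose file read will be refused.
    blocked = sorted(c for c, lvl in lowered.items()
                     if c in FILE_BACKED and lvl < file_level)
    # True when sessions below level 15 can read files such as startup-config.
    exposed = file_level < DEFAULT_FILE_PRIVILEGE
    return file_level, blocked, exposed


# Constructed sample: the privilege lines posted in the question.
SAMPLE = """\
privilege exec level 1 traceroute
privilege exec level 1 ping
privilege exec level 1 show logging
privilege exec level 1 show configuration
privilege exec level 1 show privilege
privilege exec level 1 show
"""

if __name__ == "__main__":
    print(audit(SAMPLE))                         # config as posted
    print(audit(SAMPLE + "file privilege 1\n"))  # with TAC option 2 applied
```

With option 2 applied the `blocked` list empties and `exposed` becomes true: startup-config, including any secrets stored in it, is then readable at level 1.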


6 Replies


Thank you Phillip.  I agree, I think this may be a bug.  I'm in the process of adding the customer contract to my CCO account to pursue a TAC case. I'll let the discussion boards know the outcome.  Thanks again.


Thanks for your input.  Yes, Cisco TAC confirmed that there is a bug ID documenting this, CSCty30604.

I was running into the same problem and the solution for me was to not define the tftp path, so basically I kept typing the following:

copy crashinfo:... tftp:c:\temp

then IP

instead of:

copy crashinfo:... tftp:

without the path, because my tftp is configured to store everything in c:\temp

then IP, that worked for me.

hope it helps :)

Thank you!
