[rancid] Re: Small patch for francid (to better permit minimally privileged rancid user)

john heasley heas at shrubbery.net
Thu Jan 24 21:32:35 UTC 2008 

Tue, Jan 22, 2008 at 10:56:58PM +0000, Jethro R Binks:
> I have been playing with using a minimally-privileged user on Foundry gear 
> for rancid.  I have had some success so far, and I will continue to look 
> into it.
> 
> In the meantime, here is a small patch against francid 1.42 which is 
> equivalent to some code in the Cisco rancid to run either of "show 
> running-config" or "write term", whichever works - currently francid only 
> tries to run the latter, but by default a priv level 5 ("read only") user 
> can run little more than "show" commands.  I could use the "privilege" 
> command to re-assign "write term" to priv level 5, but since "show 
> running-config" already works anyway, and there is a precedent in (cisco) 
> rancid, why bother?

old versions of the foundry code did not support 'show running', iirc.  The
same for cisco.

> (Hint for anyone else interested in pursuing this: you will need to:
> 
>   hostname(config)# privilege exec level 5 skip-page-display
> 
> or perhaps some TACACS+ magic to permit it)
> 
> Jethro.
> 
> 
> --- francid.1.42        Mon Jan 21 22:55:12 2008
> +++ francid     Mon Jan 21 23:22:34 2008
> @@ -255,6 +255,8 @@
>      while (<INPUT>) {
>         tr/\015//d;
>         last if (/^$prompt/);
> +       return(1) if (/Invalid input ->/);
> +        return(0) if ($found_end);              # Only do this routine once
> 
>         /Current configuration:/i && next;
>         /^ver \d+\.\d+/ && next;
> @@ -378,7 +380,8 @@
>         {'show chassis'         => 'ShowChassis'},
>         {'show module'          => 'ShowModule'},
>         {'show flash'           => 'ShowFlash'},
> -       {'write term'           => 'WriteTerm'}
> +       {'write term'           => 'WriteTerm'},
> +        {'show running-config'  => "WriteTerm"},
>  );
>  # Use an array to preserve the order of the commands and a hash for mapping
>  # commands to the subroutine and track commands that have been completed.
> 
> 
> 
> 
> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
> Jethro R Binks
> Computing Officer, IT Services
> University Of Strathclyde, Glasgow, UK
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss

More information about the Rancid-discuss mailing list