[tac_plus] Granular restrictions of the "show" commands
Alan McKinnon
alan.mckinnon at gmail.com
Mon Mar 5 20:22:53 UTC 2012
On Mon, 5 Mar 2012 16:37:45 +0000
David Crane <daveycraney at gmail.com> wrote:
> Hi,
>
> I'm trying to restrict the running of show commands on a more granular
> level. I just can't figure out how to do it.
>
> What I want is a user to be able to perform
>
> show run interface fa0/1 (For example)
>
> but not perform a
>
>
> show run
>
>
> or
>
>
> show run interface vlan
>
>
> relevant tac config is
>
> cmd = "show" {
> permit "/^running-config interface/"
> }
Omit the backslashes here, you do not need them. This is not running in
a shell environment, there's no need to escape things, neither do you
need to escape the closing quote.

It's also useful to run tac_plus with -d8, the daemon will log what it
tries to match and if it succeeded/failed.
>
> This appears to be just allowing all show commands. I've tried
> different expressions after googling several different configs, but
> everything I try appears to just deny all show commands, or allows
> them all.
>
>
> I believe this is possible to do. I just need to know what I'm
> missing and how this should be formatted.
>
>
> Much appreciated.
>
>
> Dave.
--
Alan McKinnon
alan.mckinnon at gmail.com
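
An offline way to check candidate permit/deny patterns against the three commands from the question, added here as an example and not taken from the thread or from tac_plus itself. It assumes the device sends the expanded argument string with a trailing `<cr>`, that rules are tried in order with the first match deciding, and that no match means deny; Python's `re` stands in for the daemon's regex engine, and the rule sets and sample strings are constructed.

```python
import re

# Hypothetical rule set for one `cmd = show { ... }` block, in file order.
# Patterns are bare regexes: no /.../ delimiters and no shell-style escaping.
RULES = [
    ("deny", r"^running-config interface [Vv]lan"),
    ("permit", r"^running-config interface [A-Za-z]+[0-9]"),
]

# Same intent, but written with /.../ delimiters. In this model the slashes
# are literal characters, so "/^" can never match anything.
SLASH_RULES = [("permit", r"/^running-config interface/")]


def authorize(args, rules):
    """Return 'permit' or 'deny' for an argument string.

    Assumed semantics: rules are tried in order, the first pattern that
    matches decides, and an argument string matching nothing is denied.
    """
    for action, pattern in rules:
        if re.search(pattern, args):
            return action
    return "deny"


# Constructed argument strings, written the way an IOS device is assumed to
# send them: abbreviations expanded, trailing <cr> as the last argument.
SAMPLES = {
    "show run interface fa0/1": "running-config interface FastEthernet0/1 <cr>",
    "show run": "running-config <cr>",
    "show run interface vlan": "running-config interface Vlan10 <cr>",
}


def evaluate(rules):
    """Map each typed command to the decision the rule set produces."""
    return {typed: authorize(args, rules) for typed, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, rules in (("ordered rules", RULES), ("slash-delimited", SLASH_RULES)):
        print(name)
        for typed, decision in evaluate(rules).items():
            print(f"  {typed:28} -> {decision}")
```

The decisions printed here are only a first check; the daemon's own -d8 log remains the authority on what the device actually sent and which pattern matched.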