NSMXpress - sudo, su and nsm_setup interaction

Article ID: KB16532 KB Last Updated: 19 Jan 2010 Version: 1.0
Summary:

This article covers the use of su, sudo and nsm_setup in an NSMXpress environment.

Symptoms:

NSMXpress runs on a hardened Linux platform.  Therefore, certain restrictions apply when accessing the command line of the NSMXpress box.  These restrictions govern the use of the "su", "sudo" and "nsm_setup" commands.

Solution:

CLI access to NSMXpress boxes is restricted to the admin user.  Once logged in as admin, the su, sudo and nsm_setup commands are restricted.

The "su" command is essentially disabled since there is no password on the root account.  In other words, no user can run the "su -" command successfully.

The admin user can:

  • Run nsm_setup to alter system parameters for the NSMXpress box.
  • Run "sudo su -" to become the root user.
  • Run "sudo su - nsm" to become the nsm user.

The NSM user can:

  • Interact with the NSM gui server, dev server and ha server applications and files.
  • Start and stop any of the NSMXpress servers' nsm services (/etc/init.d/guiSvr, /etc/init.d/devSvr, /etc/init.d/haSvr <stop, start, restart>)

Once the admin user has used the "sudo su -" command to become the root user, the root user can:

  • Start and stop any NSM server service as above.
  • Run nsm_setup
  • Run any other operating system (OS) level command
  • Install/re-install or delete any of the NSMXpress server software.

The following is the log of an SSH session to an NSMXpress box.  The responses shown are the expected behavior under the restrictions listed above.

admin@10.85.34.82's password: <-Typed known admin password here

Last login: Tue Jan 19 07:46:34 2010 from 172.24.234.23

Run NSMXPress system setup? [y/N] <- Hit return here

To start system setup manually, type:
nsm_setup

For operation of NSM server, switch to user "nsm".
Please consult NSM product documentation for details.

admin@NSMXpress:~[admin@NSMXpress ~]$ su - nsm
Password: <- Typed known nsm user password here
su: incorrect password

admin@NSMXpress:~[admin@NSMXpress ~]$ su - nsm
Password: <- Typed known admin user password here
su: incorrect password


admin@NSMXpress:~[admin@NSMXpress ~]$ sudo su - nsm
Password: <- Typed admin user password here
nsm@NSMXpress:~[nsm@NSMXpress ~]$ whoami
nsm
nsm@NSMXpress:~[nsm@NSMXpress ~]$ nsm_setup
Password: <-Typing known nsm user password here.
Sorry, try again.
Password: <-Typing known nsm user password here.
Sorry, try again.
Password: <-Typing known nsm user password here.
Sorry, try again.
sudo: 3 incorrect password attempts
nsm@NSMXpress:~[nsm@NSMXpress ~]$ exit
logout
admin@NSMXpress:~[admin@NSMXpress ~]$ whoami
admin
admin@NSMXpress:~[admin@NSMXpress ~]$ sudo su -
Password:
root@NSMXpress:~[root@NSMXpress ~]# whoami
root
root@NSMXpress:~[root@NSMXpress ~]# nsm_setup

Welcome to the NSMXpress 5.0 network settings utility.

Initializing, please wait
NSMXpress Settings Menu

1> Change Password
2> Set Interfaces
3> Set Routing
4> Change Hostname
5> Set DNS Servers
6> Change Time Options
7> Forward Local Status Emails
8> System Security Update
9> Reconfigure NSM Regional Server

Q> Quit
R> Redraw menu

Choice [1-9,Q,R]: Q
root@NSMXpress:~[root@NSMXpress ~]# exit
logout
admin@NSMXpress:~[admin@NSMXpress ~]$whoami
admin
admin@NSMXpress:~[admin@NSMXpress ~]$ nsm_setup
Password:

Welcome to the NSMXpress 5.0 network settings utility.

Initializing, please wait
NSMXpress Settings Menu

1> Change Password
2> Set Interfaces
3> Set Routing
4> Change Hostname
5> Set DNS Servers
6> Change Time Options
7> Forward Local Status Emails
8> System Security Update
9> Reconfigure NSM Regional Server

Q> Quit
R> Redraw menu

Choice [1-9,Q,R]: Q
admin@NSMXpress:~ [admin@NSMXpress ~]$

In short, the NSM user is restricted to operating the binary files (starting and stopping server services, etc) associated with the NSM server.  The admin and root users are allowed to run nsm_setup and alter physical server parameters such as routing info and NSM software updates.
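
The restrictions above can be checked against a captured session. The following Python sketch is an added example, not Juniper code: it parses a log in the format shown above and reports every command whose outcome differs from the documented rules. The POLICY table, the function names and the condensed SAMPLE log are assumptions built from this article.

```python
import re

# Prompt as it appears in the session log: "[user@host dir]$ command" ("#" for root).
PROMPT = re.compile(r"\[(\w+)@[^\]]+\][$#]\s*(.*)$")
# Messages that mark a refused attempt in the log above.
DENIED = ("su: incorrect password", "incorrect password attempts")

# Documented restrictions: (effective user, command) -> should it succeed?
POLICY = {
    ("admin", "su"): False,        # plain su is disabled
    ("nsm", "su"): False,
    ("admin", "sudo su"): True,    # admin may become root or nsm
    ("admin", "nsm_setup"): True,
    ("root", "nsm_setup"): True,
    ("nsm", "nsm_setup"): False,   # nsm may not alter system parameters
}

# Condensed from the session log in this article (password prompts shortened).
SAMPLE = """\
admin@NSMXpress:~[admin@NSMXpress ~]$ su - nsm
su: incorrect password
admin@NSMXpress:~[admin@NSMXpress ~]$ sudo su - nsm
nsm@NSMXpress:~[nsm@NSMXpress ~]$ nsm_setup
Sorry, try again.
sudo: 3 incorrect password attempts
nsm@NSMXpress:~[nsm@NSMXpress ~]$ exit
admin@NSMXpress:~[admin@NSMXpress ~]$ sudo su -
root@NSMXpress:~[root@NSMXpress ~]# nsm_setup
Welcome to the NSMXpress 5.0 network settings utility.
"""

def normalise(cmd):
    """Reduce a command line to the key used in POLICY."""
    if cmd.startswith("sudo su"):
        return "sudo su"
    parts = cmd.split()
    return parts[0] if parts else ""

def parse(transcript):
    """Return [(user, command, allowed)] for every prompt line."""
    events = []
    for line in transcript.splitlines():
        m = PROMPT.search(line)
        if m:
            events.append([m.group(1), normalise(m.group(2)), True])
        elif events and any(d in line for d in DENIED):
            events[-1][2] = False  # refusal belongs to the last command
    return [tuple(e) for e in events]

def deviations(transcript):
    """Commands whose observed outcome contradicts POLICY."""
    return [e for e in parse(transcript) if POLICY.get(e[:2], e[2]) != e[2]]
```

Commands that are not in POLICY (whoami, exit) are ignored; an empty result from `deviations(SAMPLE)` means the session matches the documented behavior.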
