This article explains why a user with the super-user login class cannot run the "mount" command, and shows the condition required to execute the "mount" command on a UNIX system.
The disk device files in /dev are owned by a user with the root login class, and group ownership belongs to the operator group, with 640 permissions (rw-r-----).
That means that the user root has exclusive write access to the device node, and members of the operator group can only read from it.
The mount command cannot perform root-level actions on its own, so the invoking user must be of the root login class, so that the mount command can perform both read and write operations to and from the SRX device.
root@100-2% ls -l /dev/da*
crw-r----- 1 root operator 0, 46 Jan 31 20:16 /dev/da0
crw-r----- 1 root operator 0, 47 Jan 31 20:16 /dev/da0s1
crw-r----- 1 root operator 0, 51 Jan 31 20:16 /dev/da0s1a
crw-r----- 1 root operator 0, 52 Jan 31 20:16 /dev/da0s1c
crw-r----- 1 root operator 0, 48 Jan 31 20:16 /dev/da0s2
crw-r----- 1 root operator 0, 53 Jan 31 20:16 /dev/da0s2a
crw-r----- 1 root operator 0, 54 Jan 31 20:16 /dev/da0s2c
crw-r----- 1 root operator 0, 49 Jan 31 20:16 /dev/da0s3
Here you see that the /dev/da files belong to the root user (or the operator group).
Accounts created as super-user accounts in Junos do not get added to the operator UNIX system group.
Create a user Test with the super-user class, and log in as that user:
%
% whoami
Test
%
% mount -t msdosfs /dev/da1s1 /tmp/usb
mount_msdosfs: /dev/da1s1: Operation not permitted
%
% id
uid=2000(Test) gid=20(staff) groups=20(staff), 0(wheel), 10(field), 11(floppy)
Now do a su to root:
%
% su
Password:
root@100-2%
root@100-2% whoami
root
root@100-2% id
uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator), 10(field), 11(floppy), 31(guest), 73(config)
root@100-2%
root@100-2%
root@100-2% mount -t msdosfs /dev/da1s1 /tmp/usb
root@100-2%
root@100-2%
In this example, the mount command worked.
Here you see that the user Test does not belong to the group operator.
In conclusion, the mount command cannot be executed by any user with class super-user. It can be done only by the user root (or su to root).
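
The permission reasoning above, as an added example that is not part of the original article: a shell function that takes one ls -l line and one id line and reports which access the device node's mode bits grant. The function name node_access and the Ops account are hypothetical; the other sample lines are copied from this page.

```shell
#!/bin/sh
# Added example: which access do the mode bits of a device node give a user?
# node_access "<ls -l line>" "<id line>"  -> prints rw, r, w or none
# The kernel also lets uid 0 bypass these bits; on this page root is the
# owner as well, so the permission triplet alone gives the same answer.
node_access() {
    # ls -l fields: mode, link count, owner, group, rest
    read -r mode _links owner group _rest <<EOF
$1
EOF
    # User name from "uid=2000(Test) ..."
    user=$(printf '%s\n' "$2" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p')
    # Group names from "groups=20(staff), 0(wheel), ...", one per line
    groups=$(printf '%s\n' "$2" | sed -n 's/.*groups=//p' |
        tr -d ' ' | tr ',' '\n' | sed 's/^[0-9]*(\(.*\))$/\1/')

    # Exactly one triplet applies: owner, else group, else other.
    if [ "$user" = "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c2-4)
    elif printf '%s\n' "$groups" | grep -qxF "$group"; then
        bits=$(printf '%s' "$mode" | cut -c5-7)
    else
        bits=$(printf '%s' "$mode" | cut -c8-10)
    fi

    access=
    case $bits in r*) access=r ;; esac
    case $bits in ?w*) access="${access}w" ;; esac
    printf '%s\n' "${access:-none}"
}

# Sample lines from this page
LS='crw-r----- 1 root operator 0, 46 Jan 31 20:16 /dev/da0'
TEST_ID='uid=2000(Test) gid=20(staff) groups=20(staff), 0(wheel), 10(field), 11(floppy)'
ROOT_ID='uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator), 10(field), 11(floppy), 31(guest), 73(config)'
# Constructed line: a hypothetical account that is in the operator group
OPS_ID='uid=2001(Ops) gid=5(operator) groups=5(operator)'

printf 'Test: %s\n' "$(node_access "$LS" "$TEST_ID")"
printf 'root: %s\n' "$(node_access "$LS" "$ROOT_ID")"
printf 'Ops:  %s\n' "$(node_access "$LS" "$OPS_ID")"
```

The Ops case shows that operator group membership alone grants read access only, which is why the page's procedure goes through root.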