[Junos] Error: 'Unsigned python script should not be writeable by a user, other than the owner'

Article ID: KB36809 | KB Last Updated: 13 May 2021 | Version: 2.0
Summary:

When a Python script is used as an event script, Junos checks the script's file permissions as a security measure. The owner may have read, write, and execute permissions, but if any other user is given write permission, the script will fail to execute.

Symptoms:

Example configuration:

labroot@MX> show configuration | display set| match python
set system scripts language python
set event-options event-script file test_script.py python-script-user labroot

Errors observed in the cscript log file on the device are as follows:

Apr 13 16:36:29 Unsigned python script should not be writeable by a user, other than the owner 
Apr 13 16:36:29 Unable to run Python script 'test_script.py' 
Cause:

As a security measure, we do not allow execution of unsigned Python scripts that have a group- or world-writable permission set; that is, Linux file permissions 777 (read/write/execute for user, group, and others) will not work. However, file permissions such as 755 (read/write/execute for the owner; read/execute only for group and others) will work.

Solution:

To allow proper execution of the script, ensure that the file permissions are set as follows:

Non-Working Config

labroot@MX> show configuration | display set| match python
set system scripts language python
set event-options event-script file test_script.py python-script-user labroot

labroot@MX> file list /var/db/scripts/event detail 
/var/db/scripts/event:
total blocks: 24
-rwxrwxrwx  1 labroot wheel      1268 Apr 13 15:07 test_script.py* 
total files: 1

labroot@MX> show log cscript.log
Apr 13 16:36:29 arg: -Nall
Apr 13 16:36:29 running event script 'test_script.py'
Apr 13 16:36:29 opening event script '/var/db/scripts/event/test_script.py'
Apr 13 16:36:29 reading event script 'test_script.py'
Apr 13 16:36:29 Unsigned python script should not be writeable by a user, other than the owner 
Apr 13 16:36:29 Unable to run Python script 'test_script.py' 
Apr 13 16:36:29 event script execution failed for 'test_script.py' with return: 1
Apr 13 16:36:29 finished event script 'test_script.py'
Apr 13 16:36:29 event script processing ends
Apr 13 16:36:29 self: resource statistics::
Apr 13 16:36:29 self:  cpu: user 0.038330, system 0.007666
Apr 13 16:36:29 self:  data: sbrk 0
Apr 13 16:36:29 self:  memory: maxrss 9576 (ixrss 1008, idrss 18240, isrss 768)
Apr 13 16:36:29 self:  paging: faults 0, reclaims 631, swaps 0
Apr 13 16:36:29 self:  other: inb 0, outb 0, snd 1, rcv 0, sig 0, csw 1, icsw 8
 

Working Config

labroot@MX> show configuration | display set| match python
set system scripts language python
set event-options event-script file test_script.py python-script-user labroot
labroot@MX> file change-permission /var/db/scripts/event/test_script.py permission 755
labroot@MX> file list /var/db/scripts/event/test_script.py detail
total blocks: 24
-rwxr-xr-x  1 labroot  wheel  1277 Apr 13 16:27 test_script.py* 
total files: 1

labroot@MX> show log cscript.log

Apr 13 17:03:28 event script execution successful for 'test_script.py' with return: 0
Apr 13 17:03:28 finished event script 'test_script.py'
Apr 13 17:03:28 event script processing ends
Apr 13 17:03:28 self: resource statistics::
Apr 13 17:03:28 self: cpu: user 0.668565, system 0.214601
Apr 13 17:03:28 self: data: sbrk 12582912
Apr 13 17:03:28 self: memory: maxrss 29880 (ixrss 17976, idrss 764760, isrss 13696)
Apr 13 17:03:28 self: paging: faults 439, reclaims 7563, swaps 0
Apr 13 17:03:28 self: other: inb 759, outb 0, snd 1, rcv 0, sig 0, csw 2072, icsw 1944
Apr 13 17:03:28 chld: resource statistics::
Apr 13 17:03:28 chld: cpu: user 1.277531, system 0.180265
Apr 13 17:03:28 chld: memory: maxrss 43124 (ixrss 189216, idrss 762352, isrss 23552)
Apr 13 17:03:28 chld: paging: faults 13, reclaims 45544, swaps 0
Apr 13 17:03:28 chld: other: inb 0, outb 0, snd 51, rcv 123, sig 0, csw 149, icsw 3211
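
The following is an added example, not Juniper's code: a pre-deployment check that applies the rule from the Cause section (no write bit for group or others) to a staging directory before scripts are copied to /var/db/scripts/event. The function names and the `--fix` flag are assumptions made for this illustration, and the check covers only the permission bits described in this article.

```python
import os
import stat
import sys

# Write bits for anyone other than the owner: group (020) and others (002).
NON_OWNER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_scripts(directory):
    """Return [(path, mode)] for .py files writable by group or others."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)  # lstat: do not follow symlinks out of the directory
        if not name.endswith(".py") or not stat.S_ISREG(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & NON_OWNER_WRITE:
            findings.append((path, mode))
    return findings


def tighten(path):
    """Clear group/other write bits only, leaving all other bits unchanged."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    new_mode = mode & ~NON_OWNER_WRITE  # e.g. 777 -> 755, 664 -> 644
    os.chmod(path, new_mode)
    return new_mode


if __name__ == "__main__":
    # Usage (hypothetical file name): python3 audit_scripts.py <staging-dir> [--fix]
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    fix = "--fix" in sys.argv[2:]
    bad = audit_scripts(target)
    for path, mode in bad:
        line = f"{path}: mode {mode:04o} is writable by group/others"
        if fix:
            line += f" -> {tighten(path):04o}"
        print(line)
    # Non-zero exit lets a deployment pipeline stop on unfixed findings.
    sys.exit(1 if bad and not fix else 0)
```

Clearing only the two write bits turns the 777 file from the non-working example into 755, the same result as the `file change-permission ... permission 755` command above.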
Modification History:

2021-05-13: Changed the "chmod" commands to CLI equivalent "file change-permission" commands in Solution section under "Working Config"
