Forum Discussion

Distance_Vector (Nimbostratus)
Mar 05, 2012

permission denied when trying to save config as radius authenticated user in tmsh




I'm authenticated as a radius user (Role Administrator):

    [iz@ibd-lb211c:/S1-green-P:Active] ~ $ id
    uid=499(f5_remoteuser) gid=499(f5_remoteuser) groups=499(f5_remoteuser) context=user_u:system_r:unconfined_t
    [iz@ibd-lb211c:/S1-green-P:Active] ~ $ echo $REMOTEROLE

However, I can't save the configuration from tmsh:

    iz@ibd-lb211c(/S1-green-P:Active)(/Common)(tmos.auth) save /sys config
    Unexpected Error: Can't create tmsh temp directory "/config/.config.backup" Permission denied

It is clear why: root owns /config and UID 499 doesn't have permission to write there.



So in the next step, I created /config/.config.backup and gave UID 499 permission to write it.



Now I get:

    iz@ibd-lb211c(/S1-green-P:Active)(/Common)(tmos.auth) save /sys config
    mv: cannot move `/config/bigip.conf' to `/config/.config.backup/Kai02H/bigip.conf': Permission denied
    "mv -f /config/bigip.conf /config/.config.backup/Kai02H/bigip.conf": Unknown error 256
    Unexpected Error: Can't backup the existing file "/config/bigip.conf", to "/config/.config.backup/Kai02H/bigip.conf", File exists

Obviously tmsh doesn't communicate with a daemon process which then writes the config; instead, tmsh itself attempts to write the config directly. However, I am logged in as Administrator and want to be able to just write the config from tmsh.



Does anyone have an idea what I could do to make it work?
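
The question above describes creating `/config/.config.backup` by hand and making it writable for UID 499. The following added example (not part of the original posts and not F5 code) lists entries under a directory that are not owned by the expected user or are world-writable, so such manual changes can be found and reverted. The function names, the default owner `root` and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report entries whose owner differs from the expected one
# or that are world-writable. Usage: audit_config_perms DIR [OWNER]
# OWNER defaults to root (assumption: the tree is expected to be root-owned).
audit_config_perms() {
    dir=$1
    owner=${2:-root}
    # Symlinks always show mode 777, so skip them to avoid false positives.
    find "$dir" ! -type l \( ! -user "$owner" -o -perm -002 \) -print | sort
}

# Constructed demo tree standing in for /config (not real BIG-IP data).
demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/.config.backup"
    : > "$t/bigip.conf"
    chmod 755 "$t"
    chmod 644 "$t/bigip.conf"
    chmod 777 "$t/.config.backup"     # hand-loosened directory, as in the post
    ln -s bigip.conf "$t/link.conf"   # symlink that must not be reported
    echo "$t"
}

# Demo run: the expected owner is the current user, because the demo tree
# is created without root privileges.
tree=$(demo_tree)
audit_config_perms "$tree" "$(id -u)"
rm -rf "$tree"
```

On a real system the call would be `audit_config_perms /config`, run as root so that every entry can be read.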

1 Reply

  • btw here is the workaround I'm currently using:

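    proc script::run {} {
        # Prompt label for the root password that su will ask for
        puts -nonewline "password: "
        flush stdout
        # Run the save as root via su; catch stores su's output or error text in $output
        catch { exec /bin/su -c "tmsh save /sys config" } output
        puts ""
        # Strip su's own "Password:" prompt text from the captured output
        set output [string map { "Password:" "" } $output]
        puts $output
        return 0
    }

    So, as a radius user, I can run that script, which calls su, which calls tmsh (as root) and does the save. This works but is insufficient. I'd need a solution without being asked for the root password.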