Forum Discussion

Distance_Vector's avatar
Distance_Vector
Icon for Nimbostratus rankNimbostratus
Mar 05, 2012

permission denied when trying to save config as radius authenticated user in tmsh

Hello,

 

 

I'm authenticated as a radius user (Role Administrator):

 

 

 

[iz@ibd-lb211c:/S1-green-P:Active] ~ $ id

 

uid=499(f5_remoteuser) gid=499(f5_remoteuser) groups=499(f5_remoteuser) context=user_u:system_r:unconfined_t

 

 

[iz@ibd-lb211c:/S1-green-P:Active] ~ $ echo $REMOTEROLE

 

0

 

 

However, I can't save the configuration from tmsh:

 

 

iz@ibd-lb211c(/S1-green-P:Active)(/Common)(tmos.auth) save /sys config

 

Unexpected Error: Can't create tmsh temp directory "/config/.config.backup" Permission denied

 

 

It is clear, why: root owns /config and UID 499 doesn't have permission to write there.

 

 

So in the next step, I created /config/.config.backup and gave UID 499 permission to write it.

 

 

Now I get:

 

 

iz@ibd-lb211c(/S1-green-P:Active)(/Common)(tmos.auth) save /sys config

 

mv: cannot move `/config/bigip.conf' to `/config/.config.backup/Kai02H/bigip.conf': Permission denied

 

"mv -f /config/bigip.conf /config/.config.backup/Kai02H/bigip.conf": Unknown error 256

 

Unexpected Error: Can't backup the existing file "/config/bigip.conf", to "/config/.config.backup/Kai02H/bigip.conf", File exists

 

 

Obviously tmsh doesn't communicate to a daemon process which then writes the config, instead tmsh itself attempts to write the config directly. However, I am logged in as Administrator and want to be able to just write the config from tmsh.

 

 

Does anyone has an idea what I could do to make it working?

 

 

 

Thanks,

 

D

 

1 Reply

  • btw here is the workaround I'm currently using:

     
    proc script::run {} {
        puts -nonewline "password: "
        flush stdout
        catch { exec /bin/su -c "tmsh save /sys config" } output
        puts ""
        set output [string map { "Password:" "" } $output]
        puts $output
        return 0
    }
    

    So I can as a radius user run that script which calls su which calls tmsh (as root) and does the save. This works but is insufficient. I'd need a solution without being asked for the root password.