12-20-2012 12:14 PM - edited 03-20-2019 07:59 PM
I'm getting an odd error, permission denied trying to issue "show config" at user level. We use this throughout the environment with no issues.
IOS: System image file is "flash0:c2900-universalk9-mz.SPA.152-3.T.bin"
R1#sh run | i aaa
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 15 default stop-only group tacacs+
aaa session-id common
R1#sh run | i priv
privilege exec level 1 traceroute
privilege exec level 1 ping
privilege exec level 1 show logging
privilege exec level 1 show configuration
privilege exec level 1 show privilege
privilege exec level 1 show
R1#disable
R1>show config
Using 11855 out of 262136 bytes
%Error opening nvram:/startup-config (Permission denied)
12-20-2012 12:35 PM
You are indeed allowed to run the command (as evidenced by the fact that the command did run).
show config is effectively an alias for the command more nvram:startup-config
As a result, the issue is the permission on the file, not the command itself.
Unfortunately, the file systems do not explicitly support permissions. This used to be implicitly supported through permissions on show config.
Perhaps this is a bug. I'd open a case on this if you really need this feature.
12-20-2012 12:40 PM
Thank you Phillip. I agree, I think this may be a bug. I'm in the process of adding the customer contract to my CCO account to pursue a TAC case. I'll let the discussion boards know the outcome. Thanks again.
01-03-2013 06:29 AM
Hello,
I have been facing the same issue and have opened a case. Please find the answer I got from the TAC:
==============================================
This is intended by design as a security measure. Starting in newer releases of IOS, the privilege level for file system access has to be configured separately. There are two options to overcome this:
1) Run the command from the enable prompt.
2) Set the file system privilege level via the config command "file privilege 1".
==============================================
Hope that helps.
Best regards.
Karim
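An added example (not part of any post in this thread, and not Cisco code): a Python check over a saved running-config that flags the mismatch the TAC reply describes, where a file-reading command is lowered with "privilege exec level" but the file-system privilege level is still higher. It assumes the file-system level is 15 when no "file privilege" line is present and treats only "show configuration" and "more" as file-backed commands; the function name, constants and sample config are constructed for illustration.

```python
import re

# Assumption: with no "file privilege" line, file-system access needs level 15.
DEFAULT_FILE_LEVEL = 15
# Assumption: exec commands that open a file; the thread names these two.
FILE_BACKED = ("show configuration", "more")

PRIV_RE = re.compile(r"^privilege exec (?:all )?level (\d+) (.+)$")
FILE_RE = re.compile(r"^file privilege (\d+)$")


def audit(config_text):
    """Return (file_level, findings) for the text of an IOS running-config."""
    file_level = DEFAULT_FILE_LEVEL
    lowered = []  # (level, command) pairs from "privilege exec level" lines
    for raw in config_text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            file_level = int(m.group(1))
            continue
        m = PRIV_RE.match(line)
        if m:
            lowered.append((int(m.group(1)), m.group(2).strip()))

    findings = []
    for level, cmd in lowered:
        file_backed = any(cmd == c or cmd.startswith(c + " ") for c in FILE_BACKED)
        if file_backed and level < file_level:
            # The symptom in this thread: command authorized, file open refused.
            findings.append(("blocked", level, cmd))
    if file_level < DEFAULT_FILE_LEVEL:
        # Review item: file-system access is now granted below level 15.
        findings.append(("file-access-lowered", file_level, "file privilege"))
    return file_level, findings


# Constructed sample based on the configuration posted in the thread.
SAMPLE = """\
aaa new-model
privilege exec level 1 show logging
privilege exec level 1 show configuration
privilege exec level 1 show
"""

if __name__ == "__main__":
    for cfg in (SAMPLE, SAMPLE + "file privilege 1\n"):
        print(audit(cfg))
```

The second finding is there for change review: "file privilege 1" clears the error, and it also lets every level-1 session read the startup configuration.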
01-03-2013 09:23 AM
Thanks for your input. Yes, Cisco TAC confirmed that there is a bug ID documenting this, CSCty30604.
09-23-2016 04:04 AM
I was running into the same problem, and the solution for me was to not define the TFTP path. Basically, I kept typing the following:
copy crashinfo:... tftp:c:\temp
then IP
instead of:
copy crashinfo:... tftp:
without the path, because my TFTP is configured to store everything in c:\temp
then IP. That worked for me.
Hope it helps :)
02-27-2024 05:22 PM
Thank you!