Upgrade Netscaler with non superuser


15 minutes ago, Thibaut Marconnet said:

I have added a cmdpolicy to a non-superuser account on a NetScaler (v11). However, I'm not successful adding the "tar -xzvf buildnumber.tgz" and "./installns" to that account.

Would anyone have an idea how to create such policy? 

Thank you

Hello,

Which System Command Policy did you bind to this user?

You need to add the user to SuperUser to update Firmware

Thanks

Arnaud

10 minutes ago, Thibaut Marconnet said:

Hi,

The thing is I don't want to give the admin superuser rights. I just want the admin to be able to update the device when needed but not give it full shell access.

I attempted to add: set system cmdpolicy "shell (tar -xvzf *)"

I'm only using CLI.

OK, you want users to do the upgrade using CLI/GUI or both?

Thanks

Arnaud

This is challenging because these are shell commands.

If you grant access to (^shell.*) then you grant access to a lot more than just upgrades.

You might try having the user invoke shell from the CLI and limit them to just the specific shell commands you need; but I don't think the GUI will work without shell.*

If you can have a superuser admin load the build into the /var/nsinstall/<build> directory for you (and maybe extract it), then you might be able to restrict the user to invoking certain shell commands from the CLI (not the GUI):

(^shell "cd /var/nsinstall/thisbuild/")|(^shell "tar xzvf .*[.]tgz")|(^shell "./installns")

But even that might not work. It might still be broader than advisable without additional restrictions, or it may not be enough, as additional prompts from installns may need to be answered. Giving access to (^shell.*) is too much, and trying to restrict it might be tricky to do well.

Alternate thought:

What you may have to do instead is have the superuser stage the build in /var/nsinstall/thisbuild.

And then they make a batch script that would do the upgrade and answer the prompts, and stage that in a /var/tempscripts/<scriptname.bat> directory.

Then you only have to give the limited admin access to run the CLI command: batch -filename /var/tempscripts/<scriptname>.

I think you can invoke the batch -filename command without necessarily needing additional shell rights. (I can't easily test right now.)

Or even invoke the upgrade task via a task in ADM (MAS) and limit that user's rights in ADM.
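To see how much each command-policy spec in the post actually permits, here is an added example (mine, not from the thread or from Citrix) that matches the broad spec, the narrow spec quoted above, and a tightened variant of my own against some constructed CLI command lines. It assumes a NetScaler command spec is applied as an ordinary regular expression to the typed command line, which Python's `re.search` approximates; the build filename is constructed.

```python
import re

# Command-policy specs quoted from the thread. NetScaler "system cmdPolicy"
# specs are regular expressions matched against the CLI command line.
POLICY_BROAD = r'(^shell.*)'
POLICY_NARROW = (r'(^shell "cd /var/nsinstall/thisbuild/")'
                 r'|(^shell "tar xzvf .*[.]tgz")'
                 r'|(^shell "./installns")')

# Tightened variant (my own, not from the thread): escape the literal dot in
# "./installns", pin the tarball to the staged directory, and anchor the end
# of each line so only the exact upgrade commands match.
POLICY_TIGHT = (r'(^shell "cd /var/nsinstall/thisbuild/"$)'
                r'|(^shell "tar xzvf /var/nsinstall/thisbuild/build-[0-9A-Za-z._-]+\.tgz"$)'
                r'|(^shell "\./installns"$)')


def allowed(spec: str, command: str) -> bool:
    """True if an ALLOW policy with this spec would permit the command line."""
    return re.search(spec, command) is not None


def evaluate(spec: str, commands) -> dict:
    """Map each command line to whether the spec permits it."""
    return {cmd: allowed(spec, cmd) for cmd in commands}


# Constructed sample command lines: the three upgrade steps plus other CLI use.
SAMPLE_COMMANDS = [
    'shell "cd /var/nsinstall/thisbuild/"',
    'shell "tar xzvf /var/nsinstall/thisbuild/build-11.1-50.10_nc.tgz"',
    'shell "./installns"',
    'shell "cat /nsconfig/ns.conf"',  # arbitrary shell command, not an upgrade step
    'shell "x/installns"',            # the unescaped '.' in the narrow spec is a wildcard
    'show ns version',                # ordinary CLI command, not a shell command
]

if __name__ == "__main__":
    for name, spec in (("broad", POLICY_BROAD), ("narrow", POLICY_NARROW),
                       ("tight", POLICY_TIGHT)):
        print(name)
        for cmd, ok in evaluate(spec, SAMPLE_COMMANDS).items():
            print(f"  {'ALLOW' if ok else 'deny '}  {cmd}")
```

The output shows the broad spec allowing every shell line, the narrow spec still admitting a path that is not the staged installer, and the tightened spec allowing exactly the three upgrade steps.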
I'll give that a try and get back to you. Thank you

Just now, Rhonda Rowland1709152125 said:

I wasn't sure it was going to work; shell access is kind of dangerous as a result.

Short of granting access to (^shell.*)

I'm not sure you can restrict this enough to be secure and usable. Next week I can spend some time on it and let you know, if someone doesn't give you a better alternative beforehand.

Thank you! I'll keep researching, and if I find something I'll come back to let you both know.

I'll also take a look at a script.
