Subject: Re: Possible issue with Cisco on-line help?
From: Fernando Montenegro (fsmontenegroINAME.COM)
Date: Thu May 04 2000 - 07:04:30 CDT


Hi!

I have received information from Matti Saarinen
<mjscc.tut.fi> explaining how the on-line help can be
configured to show all the commands available (see below).

This explains the apparent lack of authorization control
over the "show" options.

It seems that the only issue left is that there is so much
information available from the non-enabled account. I would
think that, on account of that, the recommendation for
"jailing" the user still applies, though.

Cheers,
Fernando

Extracts from the message received from Matti Saarinen
<mjscc.tut.fi> :

> Router2>show ?
>   backup Backup status
>   cef Cisco Express Forwarding
>   clock Display the system clock
>   dialer Dialer parameters and statistics
>   flash: display information about flash: file system
>   history Display the session command history
> ...
>
> Notice that we did not see an "access-lists" option, so the
> help system thinks we should not be able to run it...
        Yes, you cannot normally see access-lists option in
        the output of the help system.
router>sh ?
  alps Alps information
  atm ATM information
  backup Backup status
[cut]

        But when you enable full help the access-lists option
        is there with many others:
router>terminal full-help
router>sh ?
  access-expression List access expression
  access-lists List access lists
  adjacency Adjacent nodes
  aliases Display alias commands
  alps Alps information
  arp ARP table
  async Information on terminal lines used as router interfaces
  atm ATM information
  backup Backup status
        And the privilege level was 1 the whole time:
router>sh priv
Current privilege level is 1
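
An added example, not part of the original message and not Cisco tooling: a short Python audit helper that compares a `show ?` capture taken before and after `terminal full-help` and lists the keywords the default help left out at the same privilege level. The function names are hypothetical, the two transcripts are constructed from the listings quoted above, and treating keywords past a `[cut]` as undecided assumes the help listing is alphabetical, as it is in those listings.

```python
import re

# Transcripts constructed from the listings quoted in the message above.
DEFAULT_HELP = """\
router>sh ?
  alps Alps information
  atm ATM information
  backup Backup status
[cut]
"""
FULL_HELP = """\
router>terminal full-help
router>sh ?
  access-expression List access expression
  access-lists List access lists
  adjacency Adjacent nodes
  aliases Display alias commands
  alps Alps information
  arp ARP table
  async Information on terminal lines used as
router interfaces
  atm ATM information
  backup Backup status
"""

# A help entry is an indented "keyword description" line. Prompt lines and
# mail-wrapped description tails start in column 0, so they never match.
ENTRY = re.compile(r"^\s+(\S+)\s+\S")
CUT_MARKERS = ("[cut]", "...", "--More--")


def parse_help(text):
    """Return (keywords in listed order, truncated?) for a pasted capture."""
    keywords, truncated = [], False
    for line in text.splitlines():
        if line.strip() in CUT_MARKERS:
            truncated = True
        elif (m := ENTRY.match(line)):
            keywords.append(m.group(1))
    return keywords, truncated


def hidden_from_default(default_text, full_text):
    """Keywords shown only with full help, and those a cut capture cannot decide."""
    default, truncated = parse_help(default_text)
    full, _ = parse_help(full_text)
    last = max(default) if default else ""
    hidden, undecided = [], []
    for kw in full:
        if kw not in default:
            # Assumption: alphabetical listing, so past the cut we cannot tell.
            (undecided if truncated and kw > last else hidden).append(kw)
    return hidden, undecided
```

The `hidden` list is the set to review when deciding which `show` keywords a non-enabled account should still be able to run.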