Is there a way to limit a user login to run script only?
I frequently run into the case where I want to allow someone to run a script on some of my routerboards, and I don’t want them to be able to do or see any other parts of the config.
The scripts could be of the kind ‘wakeOnLanFtpServer’, or ‘EnableWLANGuestSSID’.
Basically things that could be done using a webserver, but I’d prefer if this does not require an extra box.
Maybe it could be solved using metarouter, running a virtual webserver that ssh’es some commands to the physical router?
Maybe it could be done by using webconfig skins?
You cannot use authorisations for it as the authorisation concept is very poor.
But you can try to fool the user with a custom skin attached to his special user group. Hopefully he will use the webfig to operate the scripts.
You could create a custom interface via the API protocol, which would do only that.
The user would connect either without authorization, or with some custom credentials (different from the RouterOS credentials), and your app would in turn connect with the RouterOS credentials, and run the script.
The only downside is that unless you have MetaRouter, you need an additional device in the mix.
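The custom-interface approach from the reply above, as an added example that is not code from the original thread: the proxy holds the RouterOS credentials itself, speaks the RouterOS API word/sentence framing, and only ever runs script names from a fixed allowlist (the names, the plain-password login form, and the `=number=` argument to `/system/script/run` are assumptions here).

```python
import socket
import struct

# Constructed allowlist: the only scripts this proxy will run (names assumed).
ALLOWED_SCRIPTS = {"wakeOnLanFtpServer", "EnableWLANGuestSSID"}


def encode_length(n: int) -> bytes:
    """RouterOS API variable-length word prefix (1 to 5 bytes, big-endian)."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return struct.pack(">H", n | 0x8000)
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return struct.pack(">I", n | 0xE0000000)
    return b"\xF0" + struct.pack(">I", n)


def encode_sentence(words) -> bytes:
    """A sentence is each word length-prefixed, then a zero-length word."""
    body = b"".join(encode_length(len(w.encode())) + w.encode() for w in words)
    return body + b"\x00"


def build_run_sentence(script_name: str) -> bytes:
    """Map a caller's request to one fixed command. The caller's string is only
    compared against the allowlist, never spliced into a free-form command."""
    if script_name not in ALLOWED_SCRIPTS:
        raise PermissionError(f"script not exposed: {script_name!r}")
    return encode_sentence(["/system/script/run", f"=number={script_name}"])


def run_via_api(host, user, password, script_name, port=8728) -> bytes:
    """Log in with the proxy's own RouterOS credentials (assumed post-6.43
    plain-password login on the API port) and run the allowlisted script."""
    sentence = build_run_sentence(script_name)  # reject before touching the network
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(encode_sentence(["/login", f"=name={user}", f"=password={password}"]))
        # A single recv is enough for the short !done / !trap replies expected here.
        if b"!done" not in sock.recv(4096):
            raise ConnectionError("RouterOS login failed")
        sock.sendall(sentence)
        return sock.recv(4096)
```

The end user never sees RouterOS credentials or any other command; in practice the connection should go over API-SSL (port 8729) rather than plain 8728.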
Sometimes the user cannot log in. Giving the group write permission makes the login stable. But I don’t want the user to have write permission. Having just read and web permission, the user randomly cannot log in.
Another issue is that the script is randomly not executed. I’m testing with scripts that enable/disable a wlan interface. The RouterOS log shows “device changed by admin” when this non-admin user runs the script, even if the script did not succeed in changing the interface. When the script fails to enable/disable the interface, I can make a change to the user group permission, and the script will work (until it stops working). It does not matter what I change in the permissions; any change solves the problem temporarily, even changing to something else and back to the original permissions solves the problem temporarily. Giving the group ALL permissions did not make the execution stable.
Scripts look like this:
/interface wireless enable [find name=wlandmz]
/interface wireless disable [find name=wlandmz]
Script policy is set to write,read
Owner is admin
The user is member of the group “mon”.
Group has permission read,web
The runner of the script needs to have sufficient permissions too. It’s not enough that the owner and script have sufficient permissions. Permissions are only restricted, never expanded, so the combination you have essentially leaves the running script with just “read” permissions.
Then, how come it works randomly? If a command in the script requires write, how come the user with read only access can run it most of the time?
And, when the script owned by admin is run by a read-only user, why does the log show that the “device was changed by admin”? And why does this log entry appear even when the command fails and nothing was changed?
It would seem that MikroTik has started, but not finished, a change to their permission algorithm. They probably intended to have it as you’d expect - the less privileged user can run a high privilege script if the script owner is high privileged - but SOME of the code around that is still working with the old assumptions, perhaps including some kernel based stuff (hence why it’s just “sometimes”).
Or in other words - you’re experiencing a bug. I suggest you contact support with a detailed explanation, including the problematic script.