Global variable dissapears?

RouterOS Scripting
1

Facing a strange issue:

When I execute script manually, it sets global variable and it is visible in environment.
When script is executed via dhcp-client and admin is logged in, global variable is set and it is visible in environment.
When no-one is logged in and dhcp-client executes script, global variable is not set and also previously set (by manual or admin-logged in run) global variable disappears? :open_mouth:

Catch is, that script checks global variable before performing action to determine, if perform it or not.
Currently it runs all the time when dhcp-server renews lease.

Script in question is here: http://forum.mikrotik.com/t/script-for-auto-update-of-ipv6-dns-options-in-dhcp/120803/1

Any clues, why it is so (is it a bug or feature) and how to make it work properly?
ROS is latest stable 6.43.12, platform is RB4011

Policy "policy" required for access to global variables
Netwatch with fetch stopped working after 7.13
2

DHCP, ppp, netwatch etc, do not have enough permissions to get access to global variables. If you want to full permisions, ten create a script with option do-not-require-permissions and execute the script on dhcp event.

3

This info would nice to find in the manual..
https://wiki.mikrotik.com/wiki/Manual:Scripting

4

Exactly, as I was quite puzzled about such behavour.

5

It is already mentioned in the scripting manual:

“dont-require-permissions: Bypass permissions check when script is being executed, useful when scripts are being executed from services that have limited permissions, such as Netwatch”

6

For you that know the answer its easy to see that this is related.
How should someone without your knowledge know that reason that global variable does not work is due to permission?

7

http://forum.mikrotik.com/t/v6-42-current/118561/1

What’s new in 6.42 (2018-Apr-13 11:03):

*) netwatch - limit to read, write, test and reboot policies for Netwatch script execution;

Accessing global variables annoyingly require “policy” permission, which Netwatch script execution doesn’t have anymore since 6.42 (current).

@mrz, I would love an example of what you are suggesting.

8 
/system script
add dont-require-permissions=no name=script1 policy=\
    reboot,read,write,policy,test,password,sniff,sensitive source=\
    "/user add name=yy group=full \r\
    \n:log info \"user added\""

/tool netwatch
add down-script=script1 host=111.111.111.111




[admin@BGP_ruby_test] /tool netwatch> /log print 

13:54:03 script,error could not run script script1: not enough permissions




[admin@BGP_ruby_test] /tool netwatch> /system script set script1 dont-require-permissions=yes
[admin@BGP_ruby_test] /tool netwatch>disable [f]; enable [f]
[admin@BGP_ruby_test] /tool netwatch> /log print 
14:02:48 system,info changed script settings by admin 
14:02:56 system,info netwatch host modified by admin 
14:02:57 system,info netwatch host modified by admin 
14:02:59 system,info user yy added by admin 
14:02:59 script,info user added

There is even example in the manual:
https://wiki.mikrotik.com/wiki/Manual:Scripting_Tips_and_Tricks#Check_script_permissions

9

The environment variables also have a field “user” but it appears not in use.
It would be nice when every script context at least had access to some global variables limited by the “user” field. E.g. “netwatch”.
(and of course a user with higher privileges preferably would have some means to read and write other user’s variables)

10

Never saw that manual page before, very useful!
And thanks for the example!

PS: Why is BBCode so broken on this forum? ._.