:glob enc do={:retu [:conv transform=ro $1]}
:glob enc do={:retu [:conv transform=ro $1]}
[:parse [$enc ":chg uryyb"]]
Friendly repeat.Don't give anyone else access to your device.
Simple.
I am aware of the current restrictions and I do agree with you.But if we ignore the foolhardy use case here. To @holvoetn's point.... Underlying issue of delegated admin is something Mikrotik does not do. Folk do have employees and customer, who may need access to the router but someone may want to restrict what they can do/see on some granular level.
Ahead of the times. VRF and Docker, before either were invented. Left with /container that can't run RouterOS inside it (like MetaROUTER could), but some RouterOS-on-RouterOS certainly be one way to ofuscate things on V6.No one remember MetaROUTER?
If I am the owner and need admin staff to manage my mikrotik, do you think the admin is prohibited from being given access to the mikrotik?Don't give anyone else access to your device.
Simple.
Thank you very much for the answer, I will try to get the results that meet my expectations.Long live Caesar!
Oh for fun. In recent V7, the simplest be to use ":convert transform=rot13" somehow.
One way, make function, to both encode and decode something & ofuscate that code using ROT13 "encryption":Code: Select all:glob enc do={:retu [:conv transform=ro $1]}
Then use that function to encode some code by calling the $enc function:
:put $enc ":put hello"
which get you ":chg uryyb"
Then in your script source you can wrap that obfuscated source you generated:
which will print "hello".Code: Select all:glob enc do={:retu [:conv transform=ro $1]} [:parse [$enc ":chg uryyb"]]
If you need admin staff to manage your router, then you need to trust them with all the info in that router.I am aware of the current restrictions and I do agree with you.But if we ignore the foolhardy use case here. To @holvoetn's point.... Underlying issue of delegated admin is something Mikrotik does not do. Folk do have employees and customer, who may need access to the router but someone may want to restrict what they can do/see on some granular level.
There _should_ be a more granular level of providing access. But that's unfortunately not the case now so ...
Obviously you missed the point here ...Thank you very much for the answer, I will try to get the results that meet my expectations.
Are there any resources I can learn about for remote locking?Put it in a (remote) repository.
Thank you, can you provide the reference link?If decode is remote then decoding needs external access. That needs that the connection to be up.
Here I am the owner of Mikrotik, and I need admin staff to manage, to make it easier to manage the server because I don't only manage this business myself, but there are several businesses that I have to manage and all of them require me to leave the office environment.What could ever be so precious to protect?
If you do not have administrator rights on the RouterBOARD, it means that it is not yours.
If you have that right, remove all other users.
Buy one for yourself and don't let anyone access it.
You can already see how to configure it from the one you already use.
If managing that router means permanent presence, you have another problem.Here I am the owner of Mikrotik, and I need admin staff to manage, to make it easier to manage the server because I don't only manage this business myself, but there are several businesses that I have to manage and all of them require me to leave the office environment.
Sorry, it's not that I don't trust employees, but this is a script that I think is important and confidential. If the admin sells the script that I made to another Mikrotik owner, what should I do?Repeat ...
If you need admin staff to manage your router, then you need to trust them with all the info in that router.
I am aware of the current restrictions and I do agree with you.
There _should_ be a more granular level of providing access. But that's unfortunately not the case now so ...
If you don't trust them, manage the router yourself.
Same thing with giving house keys to cleaning personnel. If you don't trust them, do the cleaning yourself.
One or the other.
Not both.
That's how it is with current way of permissions in RouterOS. Nothing we can do about that.
You really think your script is so unique that nobody every thought about it before ?What could ever be so precious to protect?
You may be right /tool/fetch is allowed & I'm recalling some bug. But there are restrictions with various on-XXX= scripts can do — ironically here, to avoid privilege execution e.g. a lower level user ("write", not "full") used be able to update the PPP/DHCP script, which in previous V7 ran as "full" user permissions (and thus the untrustworth lower-level user could add script that added a new full user to do more).It was suggestion if this is really some "secret" algorithm in script, I'm not using PPPoE, so PPP profile scripts for PPPoE cannot execute fetch to some external service on LAN with some static IP (such service doesn't need to be on some server accessed over WAN) or there are some ROS bugs here?
Netwatch executes scripts as *sys user, so any defined global variable in the Netwatch script will not be readable by for an example a scheduler or other usersIt is possible to disable permission checking for RouterOS scripts under /system/scripts menu. This is useful when Netwatch does not have enough permissions to execute a script, though this decreases overall security. It is recommended to assign proper permissions to a script instead.Netwatch is limited to read,write,test,reboot script policies. If the owner of the script does not have enough permissions to execute a certain command in the script, then the script will not be executed. If the script has greater policies than read,write,test,reboot - then the script will not be executed as well, make sure your scripts do not exceed the mentioned policies.
But they don't doc the restriction at help.mikrotik.com for those. Only netwatch doc has note about — which doesn't mention ftp or romon — but netwatch change is not in any release note...*) console - restrict permissions to "read,write,reboot,ftp,romon,test" for scripts executed by DHCP, Hotspot, PPP and Traffic-Monitor services;