Advanced shell

The admin user seems to have access to some of the directories like /tmp and /dev where it has write access, whereas to other directories it has read permission. Even the sudo command is not working and is not present under /bin. What commands are required to edit files under different directories? We are trying to test the websocket configuration in the reverseproxy.conf file under /cfs/waf.

Thanks
Pravash



  • Hi all,

    The SFOS uses a busybox infrastructure of which you do not have root level or full administrative access. There are severe limitations on what you can and cannot do. Editing 90% of the configuration files is restricted and various commands have been removed from busybox outright.

    Unfortunately at this moment of time, if you need sudo/root access to do something you used to be able to on a UTM or any Linux infrastructure, you can't.

    I've raised this issue to support and the consensus is the same, they/we no longer have the power to configure/diagnose/fix complex issues full stop that would require advanced command line access...

    This is hopefully on the books to resolve because I've hit a fair few roadblocks recently wherein I've had to massively overcomplicate what I'm doing just to perform a simple function. Even then the final resolving commands may be blocked.

    Hope that helps, I know it's not the desired answer but it's the only one available right now.

    Emile

  • Thanks a lot EmileBelcourt!! But how does the development team make those changes? Recently there was a certificate issue and they created a single pem file out of the main and chain certificates in the directory where we don't even have write permission.

    If they are able to do it then how come the end customer can't?

    Any other alternatives?

    Thanks

    Pravash

  • Hi Pravash,

    Development teams in any company will always have the capability to do far more with the software than an end customer will, that's always going to be the case.

    In this environment it's how much control we have over our own purchase to screw it up ourselves because command line is a surefire way to do that :)

    Hopefully more control is given back, the UTM survived for 15 years having an open root access to the customers but this isn't a decision that the devs make, this will be one that the product management and shareholding team will have to make.

    Unfortunately there aren't any other alternatives that I've found but I'm looking forward to the day I can smash open the doors of Busybox and have depthful access again.

    Emile

  • Yes, that's what. So if the dev team has access to make changes in a running product, suppose mine, then which commands do they run? I believe when they log in to my XG device, what commands do they run to write to a file which we can't? That's the question. I have a simple configuration which I want to make to see if websocket works in WAF or not. Product management team doesn't have websocket support in the roadmap for any nearby release. I have had a case open for the last one year for the same, and now when we have a close solution to test, we can't. Can the dev team help me on this? I had asked this question and they won't. So what options do I have? :)

    Thanks
    Pravash

  • Hi Pravash,

    If you have access to support, that is your only avenue to push this further, I do believe one or two make their way on here so you may get lucky.

    When I was talking about the dev teams and their level of access, I mean access to machines in their development environment that they can open up, not that they can jump onto your box and have a secret stash of commands they can run which you can't.

    If it's not on the roadmap for the nearby release then access to websocket control on the XG may not be possible at all until it is released as this would require re-architecting or updating the existing WAF infrastructure.

    Sadly it's another feature that's on "the pile".

    Emile