Forum Discussion

Wchen
Jul 18, 2017

Signed iRule to allow execution of disabled commands?

Hi,

 

I'm trying to create an iRule that will call a custom shell script. However, the "exec" command has been disabled for security purposes. Is there a way to allow commands that have been disabled to run if the iRule has been digitally signed?

 

The idea is that the first time a user attempts to log in, they are given the opportunity to set up TFA if they belong to a particular group. They are then presented with the QR_CODE to set up their TFA, but I need to write the TFA Secret to a local file, so that it can be referenced in the F5 via iFile.

 

1 Reply

  • There is no way to run 'exec' from an iRule - that would mean a Remote Code Execution vulnerability and performance issues, among other considerations why F5 has disabled this and several other commands in TCL.

     

    Digitally signed iRules do not magically enable disabled TCL commands at all - they just allow you to verify the authors of the iRule and that nobody has tampered with the iRule code.

     

    Also, there is no way to create/write/modify an iFile from an iRule. You can only read iFiles (actually they are read by TMM into memory on boot or on iFile creation).

     

    Do you really need to write the secret on disk? A better approach would be to store it in a memory table using the 'table' command:

     

    https://devcentral.f5.com/wiki/irules.table.ashx
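
The 'table' approach suggested in the reply above, sketched as an added example that is not part of the original thread or F5's own code. It assumes BIG-IP APM with two "iRule Event" agents whose IDs (tfa_enroll, tfa_lookup), the subtable name and the session.custom.* variables are all hypothetical, and that the secret was generated earlier in the policy. The table lives in TMM memory, so entries do not survive a TMM restart or reboot.

```tcl
# Added example. Agent IDs, subtable name and session.custom.* variable
# names are hypothetical; adapt them to the access policy in use.
when RULE_INIT {
    # One subtable groups every user's TFA secret.
    set static::tfa_subtable "tfa_secrets"
}

when ACCESS_POLICY_AGENT_EVENT {
    # Key entries by the normalized logon name; skip if it is missing.
    set user [string tolower [ACCESS::session data get "session.logon.last.username"]]
    if { $user eq "" } { return }

    switch -- [ACCESS::policy agent_id] {
        "tfa_enroll" {
            # Secret produced by an earlier step (assumption).
            set secret [ACCESS::session data get "session.custom.tfa.new_secret"]
            if { $secret eq "" } { return }
            # 'table add' writes only when the key is absent and returns
            # the value that ends up stored, so a repeated enrollment
            # request cannot overwrite an existing secret.
            set stored [table add -subtable $static::tfa_subtable $user $secret indefinite indefinite]
            if { $stored eq $secret } {
                ACCESS::session data set "session.custom.tfa.enrolled" 1
            } else {
                ACCESS::session data set "session.custom.tfa.enrolled" 0
            }
        }
        "tfa_lookup" {
            # -notouch reads the entry without resetting its idle timer.
            set secret [table lookup -notouch -subtable $static::tfa_subtable $user]
            if { $secret eq "" } {
                # No secret on record: the policy can branch to enrollment.
                ACCESS::session data set "session.custom.tfa.has_secret" 0
            } else {
                ACCESS::session data set "session.custom.tfa.has_secret" 1
                # Keep the secret out of plain session variable listings.
                ACCESS::session data set -secure "session.custom.tfa.secret" $secret
            }
        }
    }
}
```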