Switch – Is the Root User on Juniper Switches Useful?

Tags: access-control, juniper-junos, switch

On Juniper switches there is something like a root user. Are there any things that must be done from that user?
What can the root user be useful for? Or isn't it useful, and can it be safely disabled?

Best Answer

Ryan is correct, you can do absolutely anything from root. JUNOS is built on FreeBSD and inherits that behavior. But to be honest, it's rarely used directly.

The biggest practical example I can think of offhand would be to collect core files from devices without another type of authentication, whether it's due to a configuration issue or maybe you have redundant routing engines or a virtual chassis setup. Non-master members don't authenticate with the network, so should you need to get into a member device to collect files, you could use root access in the shell to get those files.

When you first start up any Juniper device, you CANNOT commit your first configuration without root-authentication set, so you are forced to have a root password set. I guess you could think of it as a failsafe, should everything break.

However, you can prevent your users from starting a shell with root privileges by using login classes.

https://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-admin-guide/login-classes.html

There are a couple of ways to do it, but one example would be:

set system login class class_name deny-commands "(^start shell$)"

Another:

set system login class class_name permissions permission_bits_to_set

If you EXCLUDE "maintenance" as a permission bit, they will not be able to become the superuser (root).
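As an added example (not part of the answer above, and not Juniper's own tooling), here is a small audit script that takes the two approaches the answer describes and checks them from the outside: it parses a `show configuration | display set` style dump, works out for every login class whether its members could reach a root shell (a class that holds the `maintenance` or `all` permission bit and has no `deny-commands` pattern matching `start shell`), and confirms that `root-authentication` is configured. The sample configuration is constructed for the example; the predefined-class permission sets are the documented Junos defaults and should be verified against your release; the `deny-commands` check uses Python regex semantics as an approximation of the Junos matcher.

```python
"""Audit Junos login classes for root-shell reachability (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample config for this example; not from any real device.
# The encrypted-password value is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
set system root-authentication encrypted-password "$6$placeholder"
set system login class netops-full permissions all
set system login class noc-readonly permissions view
set system login class noc-readonly permissions view-configuration
set system login class noc-readonly deny-commands "(^start shell$)"
set system login class helpdesk permissions [ view maintenance ]
set system login user alice class netops-full
set system login user bob class noc-readonly
set system login user carol class helpdesk
set system login user dave class super-user
"""

# Permission bits that allow 'start shell' as root: 'maintenance' directly,
# 'all' because it includes every bit.
SHELL_ROOT_BITS = {"maintenance", "all"}

# Predefined Junos login classes (documented defaults; verify per release).
PREDEFINED = {
    "super-user": {"all"},
    "operator": {"clear", "network", "reset", "trace", "view"},
    "read-only": {"view"},
    "unauthorized": set(),
}

CLASS_RE = re.compile(r"^set system login class (\S+) (permissions|deny-commands) (.+)$")
USER_RE = re.compile(r"^set system login user (\S+) class (\S+)$")
ROOT_RE = re.compile(r"^set system root-authentication ")


@dataclass
class LoginClass:
    name: str
    permissions: set = field(default_factory=set)
    deny_commands: list = field(default_factory=list)
    users: list = field(default_factory=list)

    def can_become_root(self) -> bool:
        """True if a root-capable bit is set and no deny pattern blocks 'start shell'."""
        if not self.permissions & SHELL_ROOT_BITS:
            return False
        # Approximation: Junos deny-commands are regexes; we test them with Python's re.
        return not any(re.search(pat, "start shell") for pat in self.deny_commands)


def parse_permissions(value: str) -> set:
    """Handle both 'permissions view' and 'permissions [ view maintenance ]'."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        return set(value[1:-1].split())
    return {value}


def audit(config_text: str):
    """Return (root_auth_set, {class_name: LoginClass}) for a set-format config."""
    classes = {name: LoginClass(name, set(bits)) for name, bits in PREDEFINED.items()}
    root_auth = False
    for line in config_text.splitlines():
        line = line.strip()
        if ROOT_RE.match(line):
            root_auth = True
            continue
        m = CLASS_RE.match(line)
        if m:
            name, kind, value = m.groups()
            cls = classes.setdefault(name, LoginClass(name))
            if kind == "permissions":
                cls.permissions |= parse_permissions(value)
            else:
                cls.deny_commands.append(value.strip().strip('"'))
            continue
        m = USER_RE.match(line)
        if m:
            user, name = m.groups()
            classes.setdefault(name, LoginClass(name)).users.append(user)
    return root_auth, classes


def root_capable_users(config_text: str) -> list:
    """Sorted list of users whose login class lets them reach a root shell."""
    _, classes = audit(config_text)
    return sorted(u for c in classes.values() if c.can_become_root() for u in c.users)


if __name__ == "__main__":
    root_auth, classes = audit(SAMPLE_CONFIG)
    print("root-authentication configured:", root_auth)
    for cls in classes.values():
        if cls.users:
            print(f"{cls.name}: root shell possible={cls.can_become_root()} users={cls.users}")
```

Run against a real dump, the script flags `helpdesk` as root-capable even though it looks like a view-only class, because `maintenance` was added alongside `view`; `noc-readonly` is safe both because it lacks the bit and because of the `deny-commands` entry, which is the belt-and-braces combination the answer suggests.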