Comprehensive data protection for all workloads
steelnwool
Enthusiast
Posts: 30
Liked: 1 time
Joined: Sep 03, 2010 4:44 pm
Full Name: Jeff MacDonald
Contact:

Least Privilege Sudo

Post by steelnwool »

Hi,

Is there a list of commands that Veeam might run when it connects to a Linux machine? I'd like to use this list so that I can tie sudo down as much as possible for the Veeam-specific user.

Thanks.
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Least Privilege Sudo

Post by Vitaliy S. »

Do you refer to backup repositories or backed up VMs?
steelnwool
Enthusiast
Posts: 30
Liked: 1 time
Joined: Sep 03, 2010 4:44 pm
Full Name: Jeff MacDonald
Contact:

Re: Least Privilege Sudo

Post by steelnwool »

Backed up VMs, i.e. so the backup server can SSH into a host, sudo to root and then install the command to index files.
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Least Privilege Sudo

Post by Vitaliy S. »

Got it! Unfortunately, we don't have this list handy, but when doing indexing this user account should definitely have access to all partitions and execution permissions.

P.S. let me ask our dev team to find this out.
Gostev
Chief Product Officer
Posts: 31457
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Least Privilege Sudo

Post by Gostev »

We definitely use mlocate for indexing, and I would assume tar/gz to compress index data before the job collects the package. We asked devs to collect the full list of commands, but it may take a few days.
steelnwool
Enthusiast
Posts: 30
Liked: 1 time
Joined: Sep 03, 2010 4:44 pm
Full Name: Jeff MacDonald
Contact:

Re: Least Privilege Sudo

Post by steelnwool »

I guess this means that it does a sudo -s, and not sudo _somecommandhere_?
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Least Privilege Sudo

Post by Vitaliy S. »

Jeff,

I have discussed it with our dev team again. Our indexing is performed via a script that has a random GUID every time you launch your backup job, so adding it to an "allowed commands" list currently is not possible.

Thanks!
steelnwool
Enthusiast
Posts: 30
Liked: 1 time
Joined: Sep 03, 2010 4:44 pm
Full Name: Jeff MacDonald
Contact:

Re: Least Privilege Sudo

Post by steelnwool »

That's exactly what I needed to know. Thanks!
jgh
Novice
Posts: 6
Liked: never
Joined: Mar 10, 2016 11:10 pm
Contact:

Re: Least Privilege Sudo

Post by jgh »

steelnwool wrote: Hi,

Is there a list of commands that Veeam might run when it connects to a Linux machine? I'd like to use this list so that I can tie sudo down as much as possible for the Veeam-specific user.

Thanks.
Have you had any success in limiting sudo? Right now this is what I have:

    Defaults:svc-veeam-guest!requiretty
    Cmnd_Alias VEEAM_FLR = /bin/uname, /usr/bin/scp, /bin/arch, /bin/mount, /bin/sh, /bin/rm, /tmp/*
    svc-veeam-guest ALL=(ALL) NOPASSWD: VEEAM_FLR

This is still too open and insecure in my experience. I would like to resolve the /bin/rm and /tmp/* inclusions to be more limited.

Thanks!
-jgh
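As an added example (not from any post in this thread and not Veeam's own tooling), a POSIX shell check that audits a sudoers fragment like the one jgh posted and flags the entries that defeat least privilege: an interpreter such as /bin/sh (a full root shell), an unrestricted /bin/rm, and wildcard or world-writable paths such as /tmp/*. The sample sudoers content is constructed from the post and written to a temporary file; the function name and output labels are this example's own.

```shell
#!/bin/sh
# Constructed sample: the sudoers fragment quoted in the post above, written to a temp file.
SAMPLE_SUDOERS=$(mktemp)
cat > "$SAMPLE_SUDOERS" <<'EOF'
Defaults:svc-veeam-guest!requiretty
Cmnd_Alias VEEAM_FLR = /bin/uname, /usr/bin/scp, /bin/arch, /bin/mount, /bin/sh, /bin/rm, /tmp/*
svc-veeam-guest ALL=(ALL) NOPASSWD: VEEAM_FLR
EOF

# audit_sudoers FILE
# Collects every command granted through a Cmnd_Alias or a per-user "ALL=" rule and prints
# one line per entry that undermines a least-privilege grant:
#   SHELL    - an interpreter, equivalent to an unrestricted root shell
#   DELETE   - rm with no argument restriction, i.e. arbitrary deletion as root
#   WRITABLE - a wildcard or a path under a world-writable directory (/tmp/* means any
#              local user can drop a script there and have sudo run it as root)
# Returns 0 when nothing was flagged, 1 otherwise.
audit_sudoers() {
    findings=$(
        grep -E '^(Cmnd_Alias|[^#[:space:]]+[[:space:]]+ALL=)' "$1" \
        | sed -E 's/^Cmnd_Alias[[:space:]]+[A-Za-z0-9_]+[[:space:]]*=[[:space:]]*//;
                  s/^.*ALL=\([^)]*\)[[:space:]]*//;
                  s/^(NO)?PASSWD:[[:space:]]*//' \
        | tr ',' '\n' | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//' | sort -u \
        | awk '
            /^\/(bin|usr\/bin)\/(sh|bash|dash|ksh|zsh|python[0-9.]*|perl)$/ { print "SHELL    " $0; next }
            /^\/(bin|usr\/bin)\/rm$/                                     { print "DELETE   " $0; next }
            /\*/ || /^\/(tmp|var\/tmp|dev\/shm)\//                       { print "WRITABLE " $0; next }
          '
    )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone run: prints the three flagged entries from the sample above.
audit_sudoers "$SAMPLE_SUDOERS" || echo "sudoers grants more than least privilege requires"
```

Alias names (such as VEEAM_FLR) referenced from a user rule are skipped, since their contents are checked where the Cmnd_Alias is defined.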