The goal is to use as few sudo commands as possible for security reasons. Right now (11.0.0.837 P20210507) the installation and operation of a Linux Proxy uses way too many sudo commands. In fact, Veeam asks for a sudo blank cheque, which our Unix engineering team only grudgingly approves of!
Here's what we did: on the Linux server that was to serve as Linux Proxy we configured a user for the Linux Proxy which could log in with SSH keys. Then we started the installation of the Veeam Proxy from the Veeam Console without any sudo commands allowed. All sudo attempts were logged, and with each new attempt we gradually gave the proxy user more commands it was able to execute with sudo.
The same approach was taken for the operation of the Linux Proxy for File Level Restores.
In the end we had a working Linux Proxy with a defined set of sudo commands added to the sudoers configuration. But in our opinion most of the commands absolutely do not need to be executed as root!
Are we the only ones that don't like the sudo blank cheque that is basically requested?
Resulting set of working sudoers configuration:
```
# commands necessary for the installation of the Veeam Linux Proxy
linux_user ALL = NOPASSWD: /bin/whoami
linux_user ALL = NOPASSWD: /bin/uname *
linux_user ALL = NOPASSWD: /bin/arch
linux_user ALL = NOPASSWD: /bin/firewall-cmd --version
linux_user ALL = NOPASSWD: /usr/sbin/iptables *
linux_user ALL = NOPASSWD: /bin/ls *
linux_user ALL = NOPASSWD: /bin/rm * /tmp/VeeamAgent*
linux_user ALL = NOPASSWD: /bin/rm * /opt/veeam/*
linux_user ALL = NOPASSWD: /bin/rm * /home/veeamlnx_proxy/*
linux_user ALL = NOPASSWD: /bin/touch /tmp/VeeamAgent*
linux_user ALL = NOPASSWD: /bin/touch /opt/veeam/*
linux_user ALL = NOPASSWD: /bin/rmdir /opt/veeam/*
linux_user ALL = NOPASSWD: /bin/mkdir * /opt/*
linux_user ALL = NOPASSWD: /bin/[ -d /tmp/ ]
linux_user ALL = NOPASSWD: /bin/chmod * /tmp/VeeamAgent*
linux_user ALL = NOPASSWD: /bin/chmod * /opt/veeam/*
linux_user ALL = NOPASSWD: /bin/cp * /home/veeamlnx_proxy/* /tmp/*
linux_user ALL = NOPASSWD: /bin/cp * /home/veeamlnx_proxy/* /opt/veeam/*
linux_user ALL = NOPASSWD: /tmp/VeeamAgent*
linux_user ALL = NOPASSWD: /bin/ps *
linux_user ALL = NOPASSWD: /bin/tar * /opt/veeam/*
linux_user ALL = NOPASSWD: /opt/veeam/transport/veeamtransport *
# commands necessary for the operation of the Veeam Linux Proxy
linux_user ALL = NOPASSWD: /bin/test -e /var/tmp
linux_user ALL = NOPASSWD: /bin/test -e /var/log/VeeamBackup
linux_user ALL = NOPASSWD: /bin/touch /tmp/*_vblkid
linux_user ALL = NOPASSWD: /bin/id -u
linux_user ALL = NOPASSWD: /bin/cp *
linux_user ALL = NOPASSWD: /sbin/blkid
linux_user ALL = NOPASSWD: /bin/chmod * /tmp/*_vblkid
linux_user ALL = NOPASSWD: /bin/tar
linux_user ALL = NOPASSWD: /bin/cat /proc/self/mountinfo
linux_user ALL = NOPASSWD: /bin/mount
linux_user ALL = NOPASSWD: /tmp/*
linux_user ALL = NOPASSWD: /bin/rm * /tmp/*_vblkid
linux_user ALL = NOPASSWD: /usr/sbin/lvs
linux_user ALL = NOPASSWD: /bin/test -e /tmp/*
linux_user ALL = NOPASSWD: /bin/cat /tmp/Veeam.Mount*
```
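The log-driven approach described above (deny everything, read sudo's refusals, grant exactly what was refused), as an added example that is not from the original post or from Veeam: it parses a constructed auth.log excerpt in sudo's default syslog format, emits one exact-match sudoers line per refused command, and flags any line that would still allow arbitrary arguments or an arbitrary command path. The hostname, user and paths in the sample are made up.

```python
import re
from collections import OrderedDict

# Constructed auth.log excerpt (assumption: sudo logging to syslog in its default
# text format; the hostname, user and paths are made up for this example).
SAMPLE_LOG = """\
May  7 10:01:12 proxy1 sudo: linux_user : command not allowed ; TTY=unknown ; PWD=/home/linux_user ; USER=root ; COMMAND=/bin/whoami
May  7 10:01:13 proxy1 sudo: linux_user : command not allowed ; TTY=unknown ; PWD=/home/linux_user ; USER=root ; COMMAND=/bin/uname -m
May  7 10:01:13 proxy1 sudo: linux_user : command not allowed ; TTY=unknown ; PWD=/home/linux_user ; USER=root ; COMMAND=/bin/touch /tmp/VeeamAgent_4a1
May  7 10:01:14 proxy1 sudo: linux_user : command not allowed ; TTY=unknown ; PWD=/home/linux_user ; USER=root ; COMMAND=/bin/touch /tmp/VeeamAgent_4a1
May  7 10:01:15 proxy1 sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls /opt
"""

# A refusal is logged as "<user> : command not allowed" (or "user NOT in sudoers"
# when the user has no rules at all), followed by the exact COMMAND= that was tried.
DENIED_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:command not allowed|user NOT in sudoers)"
    r".*?COMMAND=(?P<cmd>.+)$"
)


def denied_commands(log_text):
    """Distinct (user, command line) pairs sudo refused, in order of first appearance."""
    seen = OrderedDict()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            seen.setdefault((m.group("user"), m.group("cmd").strip()), None)
    return list(seen)


def proposed_rule(user, cmdline):
    """Narrowest sudoers line for one refusal: exact path and exact arguments.

    A command listed without arguments matches any arguments in sudoers, so a
    bare command gets an explicit "" (which means 'no arguments allowed')."""
    path, *args = cmdline.split()
    spec = f"{path} {' '.join(args)}" if args else f'{path} ""'
    return f"{user} ALL = NOPASSWD: {spec}"


def proposed_rules(log_text):
    return [proposed_rule(u, c) for u, c in denied_commands(log_text)]


def allows_any_args(rule):
    """True if a sudoers line is not pinned to specific arguments: a wildcard in
    the command path, no argument list at all, or a bare '*' argument."""
    spec = rule.split("NOPASSWD:", 1)[1].strip()
    path, *args = spec.split()
    return "*" in path or not args or "*" in args
```

Running the audit helper over the list above flags lines such as `/bin/cp *`, `/bin/tar` and `/tmp/*`, which are the ones a reviewer would push back on first.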