henrikh
Lurker
Posts: 2
Liked: never
Joined: Nov 11, 2021 2:15 pm
Full Name: Henrik

enhancement request: running veeam processes as non root on hardened linux repository

Post by henrikh »

Hi,

currently we are building a hardened linux repository and observed that veeam spawns several data mover processes (veeamtransport) on the repo server, some are running as root, others as non root (veeamrepouser) in our case.

We think that running veeamtransport as root is not necessary (because we granted this user write permission on the folder where we want to store the backups) and that it weakens the server.

As a proof of concept we changed User=root to User=veeamrepouser in veeamtransport.service and changed ownership of /var/run/veeamtransport.pid and /var/run/veeamenvironmentsvc.pid to veeamrepouser. Now there are no more veeam processes running as root on the repo server + backups are still running.

Is running veeam as non root on linux repo servers something that might be included in future veeam releases? Does changing the process owner manually to non root void warranty/support or can we do this in the meantime?

regards

Henrik
HannesK
Product Manager
Posts: 14322
Liked: 2890 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: enhancement request: running veeam processes as non root on hardened linux repository

Post by HannesK »

Hello,
and welcome to the forums.
> We think that running veeamtransport as root is not necessary

One thing I'd like to emphasize: the network-facing process runs as a non-root user.

> backups are still running

EDIT: and are immutability flags set correctly and also removed?

Best regards,
Hannes
bct44
Veeam Software
Posts: 110
Liked: 29 times
Joined: Jul 28, 2022 12:57 pm

Re: enhancement request: running veeam processes as non root on hardened linux repository

Post by bct44 »

I'm curious what will happen if Veeam Transport is not started as a superuser to handle immutable attributes (CAP_LINUX_IMMUTABLE).

Re: enhancement request: running veeam processes as non root on hardened linux repository

Post by HannesK »

ah correct... the veeamimmureposvc is a child process of veeamtransport... so I expect that the immutability flag is never removed and you will run into issues sooner or later.

I edited my above post to avoid confusion
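
Added example, not part of the thread and not Veeam code: a way to check which veeam* processes run as root and whether each one can still set or clear the immutable flag, by decoding the CapEff mask in /proc/<pid>/status. The status excerpts, UID 1001 and the veeamdemo process are constructed for illustration; only the process names veeamtransport and veeamimmureposvc come from the posts above.

```python
import glob

CAP_LINUX_IMMUTABLE = 9  # bit index, from <linux/capability.h>

# Constructed /proc/<pid>/status excerpts (not captured from a real repository).
SAMPLES = [
    "Name:\tveeamtransport\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n",
    "Name:\tveeamtransport\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000000000\n",
    # The kernel truncates Name to 15 characters, so match on a prefix.
    "Name:\tveeamimmureposv\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000000000\n",
    # Hypothetical: non-root process that was granted only CAP_LINUX_IMMUTABLE.
    "Name:\tveeamdemo\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000000200\n",
    "Name:\tsshd\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n",
]

def parse_status(text):
    """Extract name, effective UID and effective capability mask."""
    fields = dict(l.split(":", 1) for l in text.splitlines() if ":" in l)
    return {
        "name": fields["Name"].strip(),
        "euid": int(fields["Uid"].split()[1]),  # order: real, effective, saved, fs
        "cap_eff": int(fields["CapEff"].strip(), 16),
    }

def audit(status_texts, prefix="veeam"):
    """Return (name, euid, can_change_immutable_flag) per matching process."""
    rows = []
    for text in status_texts:
        try:
            p = parse_status(text)
        except (KeyError, ValueError, IndexError):
            continue  # partial read or unexpected layout
        if p["name"].startswith(prefix):
            rows.append((p["name"], p["euid"], bool(p["cap_eff"] >> CAP_LINUX_IMMUTABLE & 1)))
    return rows

def live_status_texts():
    """Yield status text for every running process on this host."""
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as fh:
                yield fh.read()
        except OSError:
            continue  # process exited between listing and open

if __name__ == "__main__":
    for name, euid, immutable in audit(SAMPLES):  # use live_status_texts() on the repo host
        print(f"{name:16} euid={euid:<5} CAP_LINUX_IMMUTABLE={immutable}")
```

A non-root process with the capability bit clear cannot change the immutable attribute on backup files, which is the failure mode raised above after switching the service user.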

Re: enhancement request: running veeam processes as non root on hardened linux repository

Post by henrikh »

HannesK wrote: Jan 24, 2023 9:00 am

> EDIT: and are immutability flags set correctly and also removed?

Well, I should have mentioned it, but instead of immutable flags we use daily ZFS snapshots (triggered by cron), so our use case is not exactly the hardened Linux repository from the Veeam documentation; we just borrowed the non-root user part. What we would like to accomplish is Veeam running as non-root so that ZFS snapshots are as safe as possible.

Re: enhancement request: running veeam processes as non root on hardened linux repository

Post by HannesK »

ah, then you can just not use a standard Linux repository and use a non-root user. that results in the datamover being deployed every time via SSH and it runs as non-root user

https://helpcenter.veeam.com/docs/backu ... ml?ver=110