Permissions for linux user VAL

[Peejay62]

Hi,

is there any overview on what permissions a Linux user should have in order to make VAL fully functional (including the pushed install for the agent package to a client). Documentation states an administrative user. (with sudo rights and nopasswd enabled). For our security policies this is problematic. I am not allowed to use nopasswd for a sudoer who isn't restricted. I need to granularly assign sudo rights and then nopasswd is permitted. If there is an overview of required commands I would be helped a lot. I could create a generic user for VAL deployment and al tasks involved.

thanks, Peter

[tsightler]

The challenge is, if you are able to install packages, you can easily use this capability to bypass any security restriction configured, since installing packages is itself a privileged operation. Not only that, but the agent itself had to run at root level to be able to perform it's functions. However, in testing with RHEL7, I've come up with the following list of commands that seems to work on that platform (I've not tested it on other platforms, I'd expect it might work on RHEL/CentOS just fine, but would certainly need some other tweaks for other platforms):

Code: Select all

Defaults:veeamuser !requiretty
veeamuser ALL=(root) NOPASSWD: /bin/hostname
veeamuser ALL=(root) NOPASSWD: /bin/uname
veeamuser ALL=(root) NOPASSWD: /bin/arch
veeamuser ALL=(root) NOPASSWD: /sbin/dmidecode
veeamuser ALL=(root) NOPASSWD: /bin/cat
veeamuser ALL=(root) NOPASSWD: /bin/test
veeamuser ALL=(root) NOPASSWD: /bin/scp
veeamuser ALL=(root) NOPASSWD: /bin/yum
veeamuser ALL=(root) NOPASSWD: /bin/veeamconfig
veeamuser ALL=(root) NOPASSWD: /usr/bin/veeamconfig

Note that I've only just started testing with this, it seems to work, but there could be things that don't work with this approach. I'm also working on determining what the minimal requirement is if you deploy the agent itself via standard package management vs via the Veeam console. I suspect in that case we can remove the most egregious of these from a security perspective (cat, scp, yum), but I haven't yet completed that testing. Hopefully by the end of the week, at least for RHEL/CentOS.

[Peejay62]

Already thanks for this fast reply. we run RHEL, I will do some testing to see how this turns out. Fine graining this would be perfect but if this already would fullfill the need for defining a standard Linux(veeam)user that is able to perform the needed tasks I am on the way. I have to deploy a bunch of physical Linux agents shortly. Against all odds, physical server computing isn't gone..

thanks