Backup agent for Linux servers and workstations on-premises or in the public cloud
Peejay62
Expert
Posts: 181
Liked: 24 times
Joined: Aug 06, 2013 10:40 am
Full Name: Peter Jansen

Permissions for linux user VAL

Post by Peejay62 » Mar 28, 2018 9:54 am

Hi,

Is there any overview of what permissions a Linux user should have in order to make VAL fully functional (including the pushed install for the agent package to a client)? Documentation states an administrative user (with sudo rights and nopasswd enabled). For our security policies this is problematic. I am not allowed to use nopasswd for a sudoer who isn't restricted. I need to granularly assign sudo rights and then nopasswd is permitted. If there is an overview of required commands I would be helped a lot. I could create a generic user for VAL deployment and all tasks involved.

thanks, Peter

tsightler
Veeam Software
Posts: 5195
Liked: 2078 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: Permissions for linux user VAL

Post by tsightler » Mar 28, 2018 1:29 pm

The challenge is, if you are able to install packages, you can easily use this capability to bypass any security restriction configured, since installing packages is itself a privileged operation. Not only that, but the agent itself had to run at root level to be able to perform its functions. However, in testing with RHEL7, I've come up with the following list of commands that seems to work on that platform (I've not tested it on other platforms, I'd expect it might work on RHEL/CentOS just fine, but would certainly need some other tweaks for other platforms):

Code:

Defaults:veeamuser !requiretty
veeamuser ALL=(root) NOPASSWD: /bin/hostname
veeamuser ALL=(root) NOPASSWD: /bin/uname
veeamuser ALL=(root) NOPASSWD: /bin/arch
veeamuser ALL=(root) NOPASSWD: /sbin/dmidecode
veeamuser ALL=(root) NOPASSWD: /bin/cat
veeamuser ALL=(root) NOPASSWD: /bin/test
veeamuser ALL=(root) NOPASSWD: /bin/scp
veeamuser ALL=(root) NOPASSWD: /bin/yum
veeamuser ALL=(root) NOPASSWD: /bin/veeamconfig
veeamuser ALL=(root) NOPASSWD: /usr/bin/veeamconfig

Note that I've only just started testing with this, it seems to work, but there could be things that don't work with this approach. I'm also working on determining what the minimal requirement is if you deploy the agent itself via standard package management vs via the Veeam console. I suspect in that case we can remove the most egregious of these from a security perspective (cat, scp, yum), but I haven't yet completed that testing. Hopefully by the end of the week, at least for RHEL/CentOS.
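
Added example, not part of the original post and not Veeam tooling: a small audit of the sudoers entries above that reports which NOPASSWD grants are general-purpose commands with no argument restriction. The `GENERAL_PURPOSE` table and the `audit` function are names made up for this example; the flagged set is the three commands the post itself names (cat, scp, yum).

```python
import re

# Constructed input: the sudoers entries from the post above, copied verbatim.
SUDOERS = """\
Defaults:veeamuser !requiretty
veeamuser ALL=(root) NOPASSWD: /bin/hostname
veeamuser ALL=(root) NOPASSWD: /bin/uname
veeamuser ALL=(root) NOPASSWD: /bin/arch
veeamuser ALL=(root) NOPASSWD: /sbin/dmidecode
veeamuser ALL=(root) NOPASSWD: /bin/cat
veeamuser ALL=(root) NOPASSWD: /bin/test
veeamuser ALL=(root) NOPASSWD: /bin/scp
veeamuser ALL=(root) NOPASSWD: /bin/yum
veeamuser ALL=(root) NOPASSWD: /bin/veeamconfig
veeamuser ALL=(root) NOPASSWD: /usr/bin/veeamconfig
"""

# The three commands the post calls most egregious. The reasons are this
# example's annotation, not text from the post.
GENERAL_PURPOSE = {
    "cat": "reads any file as root",
    "scp": "copies any file as root",
    "yum": "installs packages, itself a privileged operation",
}

RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def audit(text):
    """Return (line_no, path, reason) per unrestricted NOPASSWD grant."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m or "NOPASSWD:" not in m["tags"]:
            continue
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            path, _, args = cmd.partition(" ")
            name = path.rsplit("/", 1)[-1]
            # sudoers: a command listed without arguments allows ANY arguments.
            if name in GENERAL_PURPOSE and not args.strip():
                findings.append((n, path, GENERAL_PURPOSE[name]))
    return findings

if __name__ == "__main__":
    for n, path, why in audit(SUDOERS):
        print(f"line {n}: {path} unrestricted under NOPASSWD ({why})")
```

An entry that pins its arguments (for example `/bin/cat /etc/hostname`) is not reported, which is the direction a fine-grained policy would take for the entries that cannot be removed.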


Re: Permissions for linux user VAL

Post by Peejay62 » Mar 28, 2018 3:23 pm

Already thanks for this fast reply. We run RHEL, I will do some testing to see how this turns out. Fine graining this would be perfect but if this already would fulfill the need for defining a standard Linux (veeam) user that is able to perform the needed tasks I am on the way. I have to deploy a bunch of physical Linux agents shortly. Against all odds, physical server computing isn't gone.

thanks
