Permissions for linux user VAL

Backup agent for Linux servers and workstations on-premises or in the public cloud


by Peejay62 » Wed Mar 28, 2018 9:54 am

Hi,

Is there any overview on what permissions a Linux user should have in order to make VAL fully functional (including the pushed install for the agent package to a client)? Documentation states an administrative user (with sudo rights and nopasswd enabled). For our security policies this is problematic. I am not allowed to use nopasswd for a sudoer who isn't restricted. I need to granularly assign sudo rights and then nopasswd is permitted. If there is an overview of required commands I would be helped a lot. I could create a generic user for VAL deployment and all tasks involved.

thanks, Peter
Peejay62
Expert
 
Posts: 179
Liked: 24 times
Joined: Tue Aug 06, 2013 10:40 am
Full Name: Peter Jansen

Re: Permissions for linux user VAL

by tsightler » Wed Mar 28, 2018 1:29 pm

The challenge is, if you are able to install packages, you can easily use this capability to bypass any security restriction configured, since installing packages is itself a privileged operation. Not only that, but the agent itself had to run at root level to be able to perform its functions. However, in testing with RHEL7, I've come up with the following list of commands that seems to work on that platform (I've not tested it on other platforms, I'd expect it might work on RHEL/CentOS just fine, but would certainly need some other tweaks for other platforms):

Code:
Defaults:veeamuser !requiretty
veeamuser ALL=(root) NOPASSWD: /bin/hostname
veeamuser ALL=(root) NOPASSWD: /bin/uname
veeamuser ALL=(root) NOPASSWD: /bin/arch
veeamuser ALL=(root) NOPASSWD: /sbin/dmidecode
veeamuser ALL=(root) NOPASSWD: /bin/cat
veeamuser ALL=(root) NOPASSWD: /bin/test
veeamuser ALL=(root) NOPASSWD: /bin/scp
veeamuser ALL=(root) NOPASSWD: /bin/yum
veeamuser ALL=(root) NOPASSWD: /bin/veeamconfig
veeamuser ALL=(root) NOPASSWD: /usr/bin/veeamconfig

Note that I've only just started testing with this, it seems to work, but there could be things that don't work with this approach. I'm also working on determining what the minimal requirement is if you deploy the agent itself via standard package management vs via the Veeam console. I suspect in that case we can remove the most egregious of these from a security perspective (cat, scp, yum), but I haven't yet completed that testing. Hopefully by the end of the week, at least for RHEL/CentOS.
tsightler
Veeam Software
 
Posts: 5090
Liked: 2011 times
Joined: Fri Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
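
As an added example (not code from the thread or from Veeam), this Python sketch parses the sudoers fragment from the post above and reports, for each granted command, whether it is NOPASSWD, whether it is granted with unrestricted arguments, and whether it is one of the three binaries the post singles out (cat, scp, yum). The function and field names are hypothetical, and the parser handles only simple one-line user specifications, not aliases or line continuations.

```python
import re

# The sudoers fragment from the post above, embedded so this runs offline.
SUDOERS = """\
Defaults:veeamuser !requiretty
veeamuser ALL=(root) NOPASSWD: /bin/hostname
veeamuser ALL=(root) NOPASSWD: /bin/uname
veeamuser ALL=(root) NOPASSWD: /bin/arch
veeamuser ALL=(root) NOPASSWD: /sbin/dmidecode
veeamuser ALL=(root) NOPASSWD: /bin/cat
veeamuser ALL=(root) NOPASSWD: /bin/test
veeamuser ALL=(root) NOPASSWD: /bin/scp
veeamuser ALL=(root) NOPASSWD: /bin/yum
veeamuser ALL=(root) NOPASSWD: /bin/veeamconfig
veeamuser ALL=(root) NOPASSWD: /usr/bin/veeamconfig
"""

# Assumption: only the binaries the post itself calls the most egregious.
REVIEW_FIRST = {"cat", "scp", "yum"}
RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")
TAG = re.compile(r"(NOPASSWD|PASSWD):\s*")

def audit(text):
    """Return one finding per command granted in simple user specifications."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m or line.lstrip().startswith(("#", "Defaults")):
            continue
        user, _host, runas, rest = m.groups()
        nopasswd = False  # a tag carries over to later commands in the list
        for item in rest.split(","):
            item = item.strip()
            while (t := TAG.match(item)):
                nopasswd = t.group(1) == "NOPASSWD"
                item = item[t.end():]
            path, _, args = item.partition(" ")
            findings.append({
                "user": user, "runas": runas or "root", "command": path,
                "nopasswd": nopasswd,
                # sudoers: a command listed without arguments may be run with any
                "any_args": args.strip() == "",
                "review_first": path.rsplit("/", 1)[-1] in REVIEW_FIRST,
            })
    return findings

if __name__ == "__main__":
    for f in audit(SUDOERS):
        print(f["command"], [k for k, v in f.items() if v is True])
```

Every entry in the posted list comes back with `any_args` set, because none of the rules pins the command's arguments.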

Re: Permissions for linux user VAL

by Peejay62 » Wed Mar 28, 2018 3:23 pm

Already thanks for this fast reply. We run RHEL, I will do some testing to see how this turns out. Fine graining this would be perfect but if this already would fulfill the need for defining a standard Linux (veeam) user that is able to perform the needed tasks I am on the way. I have to deploy a bunch of physical Linux agents shortly. Against all odds, physical server computing isn't gone.

thanks

