- Lurker
- Posts: 2
- Liked: never
- Joined: Nov 11, 2021 2:15 pm
- Full Name: Henrik
enhancement request: running veeam processes as non root on hardened linux repository
Hi,
Currently we are building a hardened Linux repository and observed that Veeam spawns several data mover processes (veeamtransport) on the repo server; some are running as root, others as non-root (veeamrepouser in our case).
We think that running veeamtransport as root is not necessary (because we granted this user write permission on the folder where we want to store the backups) and that it weakens the server.
As a proof of concept we changed User=root to User=veeamrepouser in veeamtransport.service and changed ownership of /var/run/veeamtransport.pid and /var/run/veeamenvironmentsvc.pid to veeamrepouser. Now there are no more Veeam processes running as root on the repo server, and backups are still running.
Is running Veeam as non-root on Linux repo servers something that might be included in future Veeam releases? Does changing the process owner manually to non-root void warranty/support, or can we do this in the meantime?
regards
Henrik
- Product Manager
- Posts: 14963
- Liked: 3158 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: enhancement request: running veeam processes as non root on hardened linux repository
Hello,
and welcome to the forums.

> We think that running veeamtransport as root is not necessary
One thing I like to emphasize: the network-facing process runs as a non-root user.

> backups are still running
EDIT: and are immutability flags set correctly and also removed?

Best regards,
Hannes
- Veeam Software
- Posts: 151
- Liked: 38 times
- Joined: Jul 28, 2022 12:57 pm
Re: enhancement request: running veeam processes as non root on hardened linux repository
I'm curious how it will happen if Veeam Transport is not started with a super user to handle immutable attributes (CAP_LINUX_IMMUTABLE)?
Bertrand / TAM EMEA
- Product Manager
- Posts: 14963
- Liked: 3158 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: enhancement request: running veeam processes as non root on hardened linux repository
Ah, correct... the veeamimmureposvc is a child process of veeamtransport, so I expect that the immutability flag is never removed and you will run into issues sooner or later.
I edited my above post to avoid confusion.
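The two checks an operator would want after making Henrik's change (User=veeamrepouser in veeamtransport.service) and given Hannes' concern that veeamimmureposvc, as a child of veeamtransport, may no longer be able to clear immutable flags, as an added POSIX sh example that is not Veeam's code or a Veeam-supported configuration. It lists which veeam* processes are still owned by root, flags backup files that still carry the immutable bit, and renders a systemd drop-in that keeps the non-root user but grants CAP_LINUX_IMMUTABLE through AmbientCapabilities, which is the standard systemd way to let a non-root service use chattr +i/-i. The drop-in path, the veeamrepouser account and the /backups location are assumptions taken from the thread; whether Veeam's data mover works under such a unit is exactly the open question above, so treat the drop-in as something to test in a lab, not as an answer.

```shell
#!/bin/sh
# Added example (not Veeam's code). Helpers read their input from stdin so
# they can be exercised with constructed ps/lsattr output; the --run branch
# at the bottom wires them to the real commands on a repository host.

# Print "<pid> <comm>" for every veeam* process owned by root.
# Input: lines in "ps -eo user,pid,comm" layout (header line is skipped
# because its first field is "USER", not "root").
root_veeam_procs() {
    awk '$1 == "root" && $3 ~ /^veeam/ { print $2, $3 }'
}

# Print the path of every file whose lsattr flag column contains the
# immutable bit (lowercase "i"; the uppercase "I" indexed-dir flag is
# distinct, and awk's index() is case-sensitive). Input: "lsattr -R" output;
# directory header lines ("/backups:") and blank lines have fewer than two
# fields and are skipped.
immutable_files() {
    awk 'NF >= 2 && index($1, "i") > 0 { print $2 }'
}

# Render a systemd drop-in for veeamtransport.service (assumed unit name from
# the thread): run as the repository user, but keep only the capability that
# chattr +i/-i requires. Ambient capabilities are inherited by child
# processes such as veeamimmureposvc, which is the case Hannes raised.
render_dropin() {
    user="${1:-veeamrepouser}"
    cat <<EOF
[Service]
User=$user
AmbientCapabilities=CAP_LINUX_IMMUTABLE
EOF
}

# Operator entry point; only runs when invoked as: sh check_repo.sh --run [dir]
if [ "${1:-}" = "--run" ]; then
    repo_dir="${2:-/backups}"   # assumed backup location
    echo "veeam* processes still running as root (expect none):"
    ps -eo user,pid,comm | root_veeam_procs
    echo "files under $repo_dir still carrying the immutable flag:"
    lsattr -R "$repo_dir" 2>/dev/null | immutable_files
    echo "suggested drop-in for /etc/systemd/system/veeamtransport.service.d/override.conf:"
    render_dropin veeamrepouser
fi
```

After writing the drop-in, `systemctl daemon-reload` and restart the unit, then re-run the immutable-files check after a retention run: a growing list of files that keep the `i` flag past their immutability period is the symptom Hannes predicts, and it means the process clearing the flag still lacks the capability.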
- Lurker
- Posts: 2
- Liked: never
- Joined: Nov 11, 2021 2:15 pm
- Full Name: Henrik
Re: enhancement request: running veeam processes as non root on hardened linux repository
Well, I should have mentioned that instead of immutable flags we use daily ZFS snapshots (triggered by cron), so our use case is not exactly the hardened Linux repository from the Veeam documentation; we just borrowed the non-root user part. What we would like to accomplish is Veeam running as non-root so that ZFS snapshots are as safe as possible.
- Product Manager
- Posts: 14963
- Liked: 3158 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: enhancement request: running veeam processes as non root on hardened linux repository
Ah, then you can just not use a standard Linux repository and use a non-root user. That results in the datamover being deployed every time via SSH, and it runs as a non-root user.
https://helpcenter.veeam.com/docs/backu ... ml?ver=110