Veritas-bu

Re: [Veritas-bu] Netbackup MSEO issue adding tags to netbackup policy

2009-08-10 11:53:27
Subject: Re: [Veritas-bu] Netbackup MSEO issue adding tags to netbackup policy
From: Dave Markham <dave.markham AT fjserv DOT net>
To: dave.markham AT fjserv DOT net
Date: Mon, 10 Aug 2009 16:50:12 +0100

I think I've found this out myself but it may be useful for people.

I think it's a security issue with the console running from remote as the 
admin GUI invokes command line parameters when a policy is changing and 
various characters could be used by a non-root user running the GUI to 
do various things.

I've manually added the keywords with bpplinfo Temp_manual -modify 
-keyword "<mseo ....</mseo>" and on a restart of the GUI it's appeared.

Hopefully that's correct.

I'm not entirely sure why XML tags could be security issues but I'm not 
in the know there.
Cheers

Dave Markham wrote:
> To add, I'm running the GUI on the Unix server and redirecting it back 
> with X11 through SSH to a terminal server running Xming. This is due to 
> another issue I have with the 6.5.4 remote admin GUI not working on 
> Windows :(
>
> Cheers
>
> Dave Markham wrote:
>   
>> Guys, I'm installing and configuring MSEO 6.1 on NetBackup 6.5.4 on 
>> Solaris 10 SPARC.
>>
>> This is all on the same box so no separate media servers etc. The 
>> security server and agent for MSEO are both on the same box also. 
>> Communication is working fine.
>>
>> I'm still getting to grips with the policies within MSEO etc, but I'm 
>> just trying to use the default for now to test it works.
>>
>> I've converted the devices and done a backup with no keywords in the 
>> NetBackup policy to test backups still work without encryption and the 
>> security server is allowing the agent to work.
>>
>> Now when I put this in the Keyword phrase box of the NetBackup GUI it's 
>> failing with the error below.
>>
>> Trying to add
>>
>> <mseo>KeyType=aes256; Compress=lzrw3; </mseo>
>>
>> The error pop-up I get is:
>>
>> An error occurred while changing policy 'Temp_manual', status 509 Can 
>> not execute program.
>>
>> Looking in netbackup/logs/bpjava-susvc I see the following:
>>
>> 16:27:15.175 [3170] <2> session_dispatch: fd = 10, currentObj.currSocket = 10
>> 16:27:15.176 [3170] <2> session_dispatch: tag = 118 = RANDOM_KEY, lines = 1
>> 16:27:15.176 [3170] <2> command_RANDOM_KEY: enableEncryption
>> 16:27:15.178 [3170] <2> session_dispatch: fd = 10, currentObj.currSocket = 10
>> 16:27:15.178 [3170] <2> session_dispatch: tag = 1 = EXEC_RETURN, lines = 1
>> 16:27:15.178 [3170] <2> sanitary_mb_str: String ""/usr/openv/netbackup/bin/admincmd/bpgetconfig"  -M xxxxx VM_PROXY_SERVER " is considered sanitary.
>> 16:27:15.178 [3170] <2> command_EXEC: tag = EXEC_RETURN, lines read = 0,  buffer = "/usr/openv/netbackup/bin/admincmd/bpgetconfig"  -M xxxxxxx VM_PROXY_SERVER
>> 16:27:22.438 [3170] <2> session_dispatch: fd = 10, currentObj.currSocket = 10
>> 16:27:22.438 [3170] <2> session_dispatch: tag = 118 = RANDOM_KEY, lines = 1
>> 16:27:22.438 [3170] <2> command_RANDOM_KEY: enableEncryption
>> 16:27:22.440 [3170] <2> session_dispatch: fd = 10, currentObj.currSocket = 10
>> 16:27:22.440 [3170] <2> session_dispatch: tag = 234 = BPPLINFO_CMD, lines = 2
>> 16:27:22.441 [3170] <16> sanitary_mb_str: Found redirection in attempt without proper path
>> 16:27:22.441 [3170] <32> sanitary_mb_str: String "/usr/openv/netbackup/bin/admincmd/bpplinfo  Temp_manual -modify -clienttype Standard -residence "*NULL*" -pool "Temp_manual" -priority 0 -generation 5 -classjobs 2147483647 -keyword "<mseo>KeyType=aes256; Compress=lzrw3; </mseo>" -data_class *NULL* -res_is_stl 0 -sg "*ANY*" -active -compress 0 -follownfs 0 -crossmp 0 -collect_tir_info 0 -rfile 0 -encrypt 0 -blkincr 0 -granular_restore_info 0 -tzo 3600 -M xxxxx" is considered unsanitary.
>> 16:27:22.441 [3170] <16> command_EXEC: Illegal command
>>
>>
>> Anyone any ideas?
>>
>> Cheers
>>
>> P.S. Just putting any old word in the Keyword phrase works. It's as though 
>> the MSEO tags are not liked.
>>
>> _______________________________________________
>> Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
>> http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
_______________________________________________
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
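
An added illustration, not part of the original thread and not NetBackup code: the `<` and `>` of the `<mseo>` tag are shell redirection operators when unquoted, which is consistent with the "Found redirection" line in the log above. The quote-blind check below is an assumption about how such a filter might behave (the real `sanitary_mb_str` logic is not shown on the page); it is set beside a quote-aware scan and an argv-based call in which the keyword stays plain data.

```python
import subprocess
import sys

# Constructed sample modelled on the -keyword argument in the quoted log.
KEYWORD = "<mseo>KeyType=aes256; Compress=lzrw3; </mseo>"
GUI_CMD = 'bpplinfo Temp_manual -modify -keyword "%s" -active' % KEYWORD


def quote_blind_ok(cmd):
    """Assumed filter behaviour: accept only if no < or > occurs anywhere."""
    return not any(c in "<>" for c in cmd)


def unquoted_redirections(cmd):
    """Offsets of < or > that a POSIX shell would treat as operators."""
    hits, quote, i = [], None, 0
    while i < len(cmd):
        c = cmd[i]
        if c == "\\" and quote != "'":
            i += 2              # backslash escapes the next character
            continue
        if quote is None:
            if c in "'\"":
                quote = c       # entering a quoted region
            elif c in "<>":
                hits.append(i)  # operator outside any quotes
        elif c == quote:
            quote = None        # leaving the quoted region
        i += 1
    return hits


def echo_via_argv(value):
    """Hand value to a child process as one argv element, with no shell."""
    child = [sys.executable, "-c",
             "import sys; sys.stdout.write(sys.argv[1])", value]
    done = subprocess.run(child, capture_output=True, text=True, check=True)
    return done.stdout
```

The quote-blind check rejects the policy command even though a shell would see no redirection in it, which matches the GUI failing while the same keyword, quoted on the command line, was accepted.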