Veritas-bu

Re: [Veritas-bu] Netbackup MSEO issue adding tags to netbackup policy

2009-08-10 13:11:42
Subject: Re: [Veritas-bu] Netbackup MSEO issue adding tags to netbackup policy
From: william.d.brown AT gsk DOT com
To: "veritas-bu AT mailman.eng.auburn DOT edu" <veritas-bu AT mailman.eng.auburn DOT edu>
Date: Mon, 10 Aug 2009 17:45:29 +0100
I think you are correct.  I also found that you cannot add the special 
barcode rules <NONE> and <DEFAULT> through the GUI any more, as the angle 
brackets upset the new filters on what is allowed in the CLI commands that 
it creates.

William D L Brown


veritas-bu-bounces AT mailman.eng.auburn DOT edu wrote on 10/08/2009 16:50:12:

> I think I've found this out myself but it may be useful for people.
> 
> I think it's a security issue with the console running from remote as the 
> admin gui invokes command line parameters when a policy is changing and 
> various characters could be used by a non root user running the gui to 
> do various things.
> 
> I've manually added the keywords with bpplinfo Temp_manual -modify 
> -keyword "<mseo ....</mseo>" and on a restart of the gui it's appeared.
> 
> Hopefully that's correct.
> 
> I'm not entirely sure why xml tags could be security issues but I'm not 
> in the know there.
> Cheers
> 
> Dave Markham wrote:
> > To add I'm running the gui on the unix server and redirecting it back 
> > with X11 through SSH to a terminal server running xming. This is due to 
> > another issue I have with the 6.5.4 remote admin gui not working on 
> > windows :(
> >
> > Cheers
> >
> > Dave Markham wrote:
> > 
> >> Guys I'm installing and configuring MSEO 6.1 on Netbackup 6.5.4 on 
> >> Solaris 10 sparc.
> >>
> >> This is all on the same box so no separate media servers etc. The 
> >> security server and agent for MSEO are both on the same box also. 
> >> Communication is working fine.
> >>
> >> I'm still getting to grips with the policies within MSEO etc, but I'm 
> >> just trying to use the default for now to test it works.
> >>
> >> I've converted the devices and done a backup with no keywords in the 
> >> netbackup policy to test backups still work without encryption and the 
> >> security server is allowing the agent to work.
> >>
> >> Now when I put this in the Keyword phrase box of Netbackup gui it's 
> >> failing with the error below.
> >>
> >> trying to add
> >>
> >> <mseo>KeyType=aes256; Compress=lzrw3; </mseo>
> >>
> >> The error pop up I get is :-
> >>
> >> An error occurred while changing policy 'Temp_manual', status 509 Can 
> >> not execute program.
> >>
> >> Looking in netbackup/logs/bpjava-susvc I see the following :-
> >>
> >> 16:27:15.175 [3170] <2> session_dispatch: fd = 10, currentObj.currSocket = 10
> >> 16:27:15.176 [3170] <2> session_dispatch: tag = 118 = RANDOM_KEY,lines = 1
> >> 16:27:15.176 [3170] <2> command_RANDOM_KEY: enableEncryption
> >> 16:27:15.178 [3170] <2> session_dispatch: fd = 10, currentObj.currSocket = 10
> >> 16:27:15.178 [3170] <2> session_dispatch: tag = 1 = EXEC_RETURN, lines = 1
> >> 16:27:15.178 [3170] <2> sanitary_mb_str: String ""/usr/openv/netbackup/bin/admincmd/bpgetconfig"  -M xxxxx VM_PROXY_SERVER " is considered sanitary.
> >> 16:27:15.178 [3170] <2> command_EXEC: tag = EXEC_RETURN, lines read = 0,  buffer = "/usr/openv/netbackup/bin/admincmd/bpgetconfig"  -M xxxxxxx VM_PROXY_SERVER
> >> 16:27:22.438 [3170] <2> session_dispatch: fd = 10, currentObj.currSocket = 10
> >> 16:27:22.438 [3170] <2> session_dispatch: tag = 118 = RANDOM_KEY,lines = 1
> >> 16:27:22.438 [3170] <2> command_RANDOM_KEY: enableEncryption
> >> 16:27:22.440 [3170] <2> session_dispatch: fd = 10, currentObj.currSocket = 10
> >> 16:27:22.440 [3170] <2> session_dispatch: tag = 234 = BPPLINFO_CMD, lines = 2
> >> 16:27:22.441 [3170] <16> sanitary_mb_str: Found redirection in attempt without proper path
> >> 16:27:22.441 [3170] <32> sanitary_mb_str: String "/usr/openv/netbackup/bin/admincmd/bpplinfo  Temp_manual -modify -clienttype Standard -residence "*NULL*" -pool "Temp_manual" -priority 0 -generation 5 -classjobs 2147483647 -keyword "<mseo>KeyType=aes256; Compress=lzrw3; </mseo>" -data_class *NULL* -res_is_stl 0 -sg "*ANY*" -active -compress 0 -follownfs 0 -crossmp 0 -collect_tir_info 0 -rfile 0 -encrypt 0 -blkincr 0 -granular_restore_info 0 -tzo 3600 -M xxxxx" is considered unsanitary.
> >> 16:27:22.441 [3170] <16> command_EXEC: Illegal command
> >>
> >>
> >> Anyone any ideas?
> >>
> >> Cheers
> >>
> >> P.S. just putting any old word in the Keyword phrase works. It's as though 
> >> the MSEO tags are not liked.
> >>
> >> _______________________________________________
> >> Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
> >> http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
> 
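Why angle brackets inside a quoted `-keyword` value can trip a command-string filter, shown as an added example that is not NetBackup code and not from either poster. The denylist in `naive_is_sanitary` is an assumption (the real `sanitary_mb_str` rules are not shown in the thread), and a Python child process stands in for `bpplinfo`; the second half shows the argv-based alternative in which the same characters are inert data.

```python
import shlex
import subprocess
import sys

# Assumption: metacharacters a string-level filter might deny. The real
# sanitary_mb_str rules are not shown in the thread.
SHELL_META = set("<>|&;`$")
ADMINCMD_DIR = "/usr/openv/netbackup/bin/admincmd/"  # directory seen in the log

# Constructed samples, abbreviated from the two command strings in the log.
BPGETCONFIG = '"' + ADMINCMD_DIR + 'bpgetconfig"  -M xxxxx VM_PROXY_SERVER '
KEYWORD = "<mseo>KeyType=aes256; Compress=lzrw3; </mseo>"
BPPLINFO = (ADMINCMD_DIR + 'bpplinfo  Temp_manual -modify -keyword "'
            + KEYWORD + '" -encrypt 0')

def naive_is_sanitary(cmdline):
    """Hypothetical string-level denylist: quoting is ignored, so data inside
    quotes that looks like redirection is rejected along with real syntax."""
    return not (SHELL_META & set(cmdline))

def to_argv(cmdline):
    """Quote-aware split into an argv list meant for exec without a shell.
    Only the program path is policy-checked; arguments stay opaque data."""
    argv = shlex.split(cmdline)
    if not argv or not argv[0].startswith(ADMINCMD_DIR) or ".." in argv[0]:
        raise ValueError("program is outside the admin command directory")
    return argv

def echo_via_argv(value):
    """Pass value as one argv element to a child process (no shell involved)
    and return what the child received."""
    child = [sys.executable, "-c",
             "import sys; sys.stdout.write(sys.argv[1])", value]
    return subprocess.run(child, capture_output=True, text=True,
                          check=True).stdout

if __name__ == "__main__":
    print("bpgetconfig string passes denylist:", naive_is_sanitary(BPGETCONFIG))
    print("bpplinfo string passes denylist:   ", naive_is_sanitary(BPPLINFO))
    argv = to_argv(BPPLINFO)
    print("keyword is a single argv element:  ",
          argv[argv.index("-keyword") + 1] == KEYWORD)
    print("child received keyword unchanged:  ",
          echo_via_argv(KEYWORD) == KEYWORD)
```
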

