Veritas-bu

[Veritas-bu] Managing Netbackup as non-root

2002-10-10 09:28:39
Subject: [Veritas-bu] Managing Netbackup as non-root
From: mikekiles AT yahoo DOT com (mkiles)
Date: Thu, 10 Oct 2002 06:28:39 -0700 (PDT)
I have created a user NetBackup and added it to the
/usr/openv/java/auth.conf file; this user can do
almost anything root can. No need to change anything
else.
e.g.
# cat auth.conf
root ADMIN=ALL JBP=ALL
NetBackup ADMIN=ALL JBP=ALL


--- scott.kendall AT abbott DOT com wrote:
> 
> there is a script provided by veritas that does many of the functions
> mentioned below in excerpt for #4.  it's called nonroot_admin.  look at page
> 378 in the 4.5 netbackup unix SAG.
> 
> a lot of files have the group and permissions changed when this script is run,
> but it appears that a lot of things still need root so you'll see a lot of
> files with the set uid bit turned on (which means the filesystem can not be
> mounted with the nosuid option) to allow you to run them as a member of the
> group, but as root.
> 
> you'll also find that this script doesn't change things like logs or goodies
> directory, which you'll probably want, or even the bp.conf file (I guess they
> want you to always modify this through the netbackup interface).
> 
> I'm struggling with #2 right now on 4.5.  How do you do this David?
> 
> I ran the nonroot_admin script.  As a member of the appropriate group, I can
> run /usr/openv/netbackup/bin/goodies/netbackup start (after changing
> permissions on goodies stuff) but I am missing the following process (seen
> with bpps) that I get when I run the same script as root.
> 
> /usr/openv/db/bin/nbdbd --basedir=/usr/openv/db --datadir=/usr/openv/db/var --u
> 
> 
> - Scott
> 
> "David A. Chapa" <david AT datastaff DOT com>
> Sent by: veritas-bu-admin AT mailman DOT eng.auburn.edu
> 10/09/2002 02:59 PM
> 
> To:      markjessup AT northwesternmutual DOT com
> cc:      veritas-bu AT mailman.eng.auburn DOT edu
> Subject: Re: [Veritas-bu] Managing Netbackup as non-root
> 
> Mark:
> 
> > 1) Can Netbackup be installed as non-root?
> No, must be root in order to install the product.  However, you can allow
> non-root users to "update" existing clients using the scripts.
> 
> > 2) Can Netbackup processes be stopped and started by non-root userids?
> Yes (see #4), or you can use sudo as well.
> 
> > 3) How are other primary contacts for Netbackup supporting the product,
> > Root vs Non-root userids?
> Many of my clients have gone with sudo, it's easily scripted and from an audit
> perspective everything is logged.
> 
> > 4) Can all Netbackup commands be run with a non-root userid? Is this
> > documented?
> Yes and Yes, page 253 of the NB34 Admin Guide for Unix using Java or here's an
> excerpt for the NBU 3.2 Admin Guide:
> 
> ---BEGIN EXCERPT---
> By default, you must be a root user to perform NetBackup administration
> through xbpadm or bpadm. The following procedure describes a method for
> authorizing nonroot users to use these utilities.
> 
> 1. Create a distinct UNIX group (for example, nbadmin).
> 
> 2. Execute the following commands as the root user on the NetBackup master
> server:
> cd /usr/openv/netbackup/bin
> chgrp nbadmin bpadm xbpadm xbpmon initbprd bprd bpdbm xnb
> chmod 4550 bpadm xbpadm xbpmon bprd initbprd bpdbm
> cd admincmd
> chgrp nbadmin *
> ---END EXCERPT---
> 
> 
> David
> 
> Quoting markjessup AT northwesternmutual DOT com:
> 
> > We are in the process of implementing Netbackup 4.5 into a new HP-UX
> > environment.  Our Backup team is a separate group than our Unix Admin
> > team.  There is a move to limit root access to our Unix servers.  This
> > would apply to the Backup team also.
> >
> > My questions are:
> >
> > 1) Can Netbackup be installed as non-root?
> > 2) Can Netbackup processes be stopped and started by non-root userids?
> > 3) How are other primary contacts for Netbackup supporting the product,
> > Root vs Non-root userids?
> > 4) Can all Netbackup commands be run with a non-root userid? Is this
> > documented?
> >
> > Any info on this topic would be greatly appreciated.  Thanks!
> >
> >
> > Mark Jessup
> > IS Manager, Enterprise Storage and Output Management
> > Northwestern Mutual
> > (414) 665-3968
> > markjessup AT northwesternmutual DOT com
> >
> 
> _______________________________________________
> Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
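
The quoted excerpt puts a fixed list of binaries in group nbadmin with mode 4550, and Scott's reply notes that nonroot_admin leaves many set-uid files behind. As an added example (not part of the thread and not Veritas code), this shell function reports set-uid files under a directory whose mode, owner or group differs from that layout; the names audit_setuid and demo and the demo tree are assumptions.

```shell
#!/bin/sh
# Added example; not from the thread and not Veritas code.
# audit_setuid DIR OWNER GROUP   (hypothetical helper name)
# Reports set-uid files under DIR that differ from the layout in the quoted
# excerpt: mode exactly 4550, expected owner, expected admin group.
# Prints one finding per line; returns 1 if anything was found, else 0.
audit_setuid() {
    dir=$1; owner=$2; group=$3
    findings=$(
        {
            # Mode drift: 4755, for example, lets any local user run the
            # file with the owner's privileges instead of only the group.
            find "$dir" -type f -perm -4000 ! -perm 4550 -print | sed 's/^/MODE  /'
            # A set-uid program runs as its owner, so the owner must match.
            find "$dir" -type f -perm -4000 ! -user "$owner" -print | sed 's/^/OWNER /'
            # With mode 4550 the group is the only gate on who may execute.
            find "$dir" -type f -perm -4000 ! -group "$group" -print | sed 's/^/GROUP /'
        } | sort
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed demo tree: empty files named after binaries in the excerpt.
demo() {
    d=$(mktemp -d) || return 2
    touch "$d/bpadm" "$d/bprd" "$d/bpdbm"
    chmod 4550 "$d/bpadm" "$d/bpdbm"
    chmod 4755 "$d/bprd"    # drifted: world-executable set-uid file
    audit_setuid "$d" "$(id -u)" "$(id -g)"; rc=$?
    rm -rf "$d"
    return "$rc"
}

# On a master server: sh audit.sh /usr/openv/netbackup/bin root nbadmin
if [ $# -eq 3 ]; then audit_setuid "$@"; else demo || :; fi
```

Run without arguments it audits the constructed tree and prints a single MODE finding for bprd; OWNER and GROUP accept either a name or a numeric id.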
