Veritas-bu

[Veritas-bu] Managing Netbackup as non-root

2002-10-10 10:41:36
Subject: [Veritas-bu] Managing Netbackup as non-root
From: david AT datastaff DOT com (David A. Chapa)
Date: Thu, 10 Oct 2002 10:41:36 -0400
I can't take credit for this (well I could, but that's just not right), but one 
of my clients has a very slick workaround for #2.

Scott/Mark:  I've sent it to you in a separate email.

What it consists of is some C code (with sticky bit) that calls a script (owned 
by root) to perform a specified task contained within the script.

Works nicely.

David

PS.  If there's a lot of interest in this, I'll post it on my website.
http://www.NetBackupCentral.com

Quoting scott.kendall AT abbott DOT com:

> 
> there is a script provided by veritas that does many of the functions
> mentioned below in excerpt for #4.  it's called nonroot_admin.  look at
> page 378 in the 4.5 netbackup unix SAG.
> 
> a lot of files have the group and permissions changed when this script is
> run, but it appears that a lot of things still need root so you'll see a
> lot of files with the set uid bit turned on (which means the filesystem can
> not be mounted with the nosuid option) to allow you to run them as a member
> of the group, but as root.
> 
> you'll also find that this script doesn't change things like logs or
> goodies directory, which you'll probably want, or even the bp.conf file (I
> guess they want you to always modify this through the netbackup interface).
> 
> I'm struggling with #2 right now on 4.5.  How do you do this David?
> 
> I ran the nonroot_admin script.  As a member of the appropriate group, I
> can run /usr/openv/netbackup/bin/goodies/netbackup start (after changing
> permissions on goodies stuff) but I am missing the following process (seen
> with bpps) that I get when I run the same script as root.
> 
> /usr/openv/db/bin/nbdbd --basedir=/usr/openv/db --datadir=/usr/openv/db/var --u
> 
> 
> - Scott
> 
> 
> 
> From:    "David A. Chapa" <david AT datastaff DOT com>
> Sent by: veritas-bu-admin AT mailman DOT eng.auburn.edu
> Date:    10/09/2002 02:59 PM
> To:      markjessup AT northwesternmutual DOT com
> cc:      veritas-bu AT mailman.eng.auburn DOT edu
> Subject: Re: [Veritas-bu] Managing Netbackup as non-root
> 
> 
> 
> 
> Mark:
> 
> > 1) Can Netbackup be installed as non-root?
> No, must be root in order to install the product.  However, you can allow
> non-root users to "update" existing clients using the scripts.
> 
> > 2) Can Netbackup processes be stopped and started by non-root userids?
> Yes (see #4), or you can use sudo as well.
> 
> > 3) How are other primary contacts for Netbackup supporting the product,
> > Root vs Non-root userids?
> Many of my clients have gone with sudo, it's easily scripted and from an
> audit perspective everything is logged.
> 
> > 4) Can all Netbackup commands be run with a non-root userid? Is this
> > documented?
> Yes and Yes, page 253 of the NB34 Admin Guide for Unix using Java or here's
> an excerpt for the NBU 3.2 Admin Guide:
> 
> ---BEGIN EXCERPT---
> By default, you must be a root user to perform NetBackup administration
> through xbpadm or bpadm. The following procedure describes a method for
> authorizing nonroot users to use these utilities.
> 
> 1. Create a distinct UNIX group (for example, nbadmin).
> 
> 2. Execute the following commands as the root user on the NetBackup master
> server:
> cd /usr/openv/netbackup/bin
> chgrp nbadmin bpadm xbpadm xbpmon initbprd bprd bpdbm xnb
> chmod 4550 bpadm xbpadm xbpmon bprd initbprd bpdbm
> cd admincmd
> chgrp nbadmin *
> ---END EXCERPT---
> 
> 
> David
> 
> Quoting markjessup AT northwesternmutual DOT com:
> 
> > We are in the process of implementing Netbackup 4.5 into a new HP-UX
> > environment.  Our Backup team is a separate group than our Unix Admin
> > team.  There is a move to limit root access to our Unix servers.  This
> > would apply to the Backup team also.
> >
> > My questions are:
> >
> > 1) Can Netbackup be installed as non-root?
> > 2) Can Netbackup processes be stopped and started by non-root userids?
> > 3) How are other primary contacts for Netbackup supporting the product,
> > Root vs Non-root userids?
> > 4) Can all Netbackup commands be run with a non-root userid? Is this
> > documented?
> >
> > Any info on this topic would be greatly appreciated.  Thanks!
> >
> >
> >
> > Mark Jessup
> > IS Manager, Enterprise Storage and Output Management
> > Northwestern Mutual
> > (414) 665-3968
> > markjessup AT northwesternmutual DOT com
> >
> >
> >
> 
> 
> 