[Veritas-bu] Managing Netbackup as non-root
2002-10-10 10:41:36
Subject: [Veritas-bu] Managing Netbackup as non-root
From: david AT datastaff DOT com (David A. Chapa)
Date: Thu, 10 Oct 2002 10:41:36 -0400
I can't take credit for this (well I could, but that's just not right), but one
of my clients has a very slick workaround for #2.
Scott/Mark: I've sent it to you in a separate email.
What it consists of is some C code (with sticky bit) that calls a script (owned
by root) to perform a specified task contained within the script.
Works nicely.
David
PS. If there's a lot of interest in this, I'll post it on my website.
http://www.NetBackupCentral.com
Quoting scott.kendall AT abbott DOT com:
>
> there is a script provided by veritas that does many of the functions
> mentioned below in excerpt for #4. it's called nonroot_admin. look at page
> 378 in the 4.5 netbackup unix SAG.
>
> a lot of files have the group and permissions changed when this script is
> run, but it appears that a lot of things still need root so you'll see a lot
> of files with the set uid bit turned on (which means the filesystem can not
> be mounted with the nosuid option) to allow you to run them as a member of
> the group, but as root.
>
> you'll also find that this script doesn't change things like logs or goodies
> directory, which you'll probably want, or even the bp.conf file (I guess they
> want you to always modify this through the netbackup interface).
>
> I'm struggling with #2 right now on 4.5. How do you do this David?
>
> I ran the nonroot_admin script. As a member of the appropriate group, I can
> run /usr/openv/netbackup/bin/goodies/netbackup start (after changing
> permissions on goodies stuff) but I am missing the following process (seen
> with bpps) that I get when I run the same script as root.
>
> /usr/openv/db/bin/nbdbd --basedir=/usr/openv/db --datadir=/usr/openv/db/var
> --u
>
>
> - Scott
>
>
>
>
>
> "David A. Chapa" <david AT datastaff DOT com>
> Sent by: veritas-bu-admin AT mailman.eng.auburn DOT edu
> 10/09/2002 02:59 PM
> To: markjessup AT northwesternmutual DOT com
> cc: veritas-bu AT mailman.eng.auburn DOT edu
> Subject: Re: [Veritas-bu] Managing Netbackup as non-root
>
> Mark:
>
> > 1) Can Netbackup be installed as non-root?
> No, must be root in order to install the product. However, you can allow
> non-root users to "update" existing clients using the scripts.
>
> > 2) Can Netbackup processes be stopped and started by non-root userids?
> Yes (see #4), or you can use sudo as well.
>
> > 3) How are other primary contacts for Netbackup supporting the product,
> > Root vs Non-root userids?
> Many of my clients have gone with sudo, it's easily scripted and from an
> audit perspective everything is logged.
>
> > 4) Can all Netbackup commands be run with a non-root userid? Is this
> > documented?
> Yes and Yes, page 253 of the NB34 Admin Guide for Unix using Java or here's
> an excerpt for the NBU 3.2 Admin Guide:
>
> ---BEGIN EXCERPT---
> By default, you must be a root user to perform NetBackup administration
> through xbpadm or bpadm. The following procedure describes a method for
> authorizing nonroot users to use these utilities.
>
> 1. Create a distinct UNIX group (for example, nbadmin).
>
> 2. Execute the following commands as the root user on the NetBackup master
> server:
> cd /usr/openv/netbackup/bin
> chgrp nbadmin bpadm xbpadm xbpmon initbprd bprd bpdbm xnb
> chmod 4550 bpadm xbpadm xbpmon bprd initbprd bpdbm
> cd admincmd
> chgrp nbadmin *
> ---END EXCERPT---
>
>
> David
>
> Quoting markjessup AT northwesternmutual DOT com:
>
> > We are in the process of implementing Netbackup 4.5 into a new HP-UX
> > environment. Our Backup team is a separate group than our Unix Admin
> > team. There is a move to limit root access to our Unix servers. This
> > would apply to the Backup team also.
> >
> > My questions are:
> >
> > 1) Can Netbackup be installed as non-root?
> > 2) Can Netbackup processes be stopped and started by non-root userids?
> > 3) How are other primary contacts for Netbackup supporting the product,
> > Root vs Non-root userids?
> > 4) Can all Netbackup commands be run with a non-root userid? Is this
> > documented?
> >
> > Any info on this topic would be greatly appreciated. Thanks!
> >
> >
> >
> > Mark Jessup
> > IS Manager, Enterprise Storage and Output Management
> > Northwestern Mutual
> > (414) 665-3968
> > markjessup AT northwesternmutual DOT com
> >
> >
> >
>
>
>
> _______________________________________________
> Veritas-bu maillist - Veritas-bu AT mailman.eng.auburn DOT edu
> http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
>
>
>
>