Veritas-bu

[Veritas-bu] RE: Administering netbackup without being root

2002-10-29 11:14:31
Subject: [Veritas-bu] RE: Administering netbackup without being root
From: Mark.Donaldson AT experianems DOT com (Donaldson, Mark)
Date: Tue, 29 Oct 2002 09:14:31 -0700
I've added semi-root functions by creating a Unix group called "nbuser", then
getting creative with group permissions and SUID functions.  Be very careful
with this.

Also, if the OS is Solaris, it's one of the few OS's that support SUID
scripts, allowing tools to be built wrapped around NB commands that allow
functionality but permit programmatic limiting.

Note, applying patches/upgrades to NB will often reset the permissions on
NB commands.  Scripting the chown/chmod commands that make this setup for
easy reapplication is a real time saver.

-M

-----Original Message-----
From: louise.bazzard AT dutchtone DOT nl [mailto:louise.bazzard AT dutchtone DOT nl]
Sent: Tuesday, October 29, 2002 12:52 AM
To: veritas-bu AT mailman.eng.auburn DOT edu
Subject: [Veritas-bu] RE: Administering netbackup without being root


Hi Gary,

I had an in house conversation about this one, (as we use accounts other
than root to have limited access to our backup system) with a reliable
source.  He advised should you wish to administer Netbackup with a user
other than root; you would need to change the owner of your library, drives,
etc.  Then when you applied a patch, these would then be reverted to root
ownership (well, most of the time!).

IMHO, if your backup administrator is trusted to be responsible for
safeguarding your company's data, then they should be trusted to have root
privilege. 

Met vriendelijke groet / Kind regards,
Louise
 

-__--__--

Message: 8
From: "Sperano, Gary" <Gary.Sperano AT T-Mobile DOT com>
To: Ryan Anderson <Ryan.Anderson AT udlp DOT com>,
veritas-bu AT mailman.eng.auburn DOT edu
Subject: RE: [Veritas-bu] Administering Netbackup without root or root password
Date: Mon, 28 Oct 2002 04:33:30 -0800

I think you may have missed my point.  "FULLY" administer Netbackup is what
I am looking for not just from the JAVA side.  This includes executing any
command line option and having the ability to read, write, execute, create,
etc. any and all necessary files.

Any ideas now?

Gary A. Sperano Jr.
Technical Specialist II
T-Mobile USA - Atlanta
(770) 604-3165 Desk
(404) 610-9566 Cell
gary.sperano AT t-mobile DOT com


-----Original Message-----
From: Ryan Anderson [mailto:Ryan.Anderson AT udlp DOT com]
Sent: Friday, October 25, 2002 4:11 PM
To: veritas-bu AT mailman.eng.auburn DOT edu; Gary.Sperano AT T-Mobile DOT com
Subject: Re: [Veritas-bu] Administering Netbackup without root or root password


Yes. You just need to edit the /usr/openv/java/auth.conf (as root ;-)
appropriately to give a non-root user the ability to do all NBU
functions. For user 'billybob' to have all administrator functions would
have an entry like this:

billybob ADMIN=ALL JBP=ALL

This is for using the Java GUI, jnbSA.

RCA

--
Ryan C. Anderson
Unix Administrator
United Defense L.P.
desk   763.572.6684
pager 952.235.9936
mobile 612.419.9362

>>> "Sperano, Gary" <Gary.Sperano AT T-Mobile DOT com> 10/25/02 01:14PM >>>
Is there anybody out there that is FULLY administering Veritas Netbackup who
is not a UNIX administrator nor has the ability to become root or has the
root password.  If so...how are you able to accomplish this?

Gary A. Sperano Jr.
Technical Specialist II
T-Mobile USA - Atlanta
(770) 604-3165 Desk
(404) 610-9566 Cell
gary.sperano AT t-mobile DOT com 

_______________________________________________
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu 
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu

--__--__--
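
The reapplication script mentioned at the top of this thread (permissions on NB commands being reset by patches), sketched as an added example that is not from any poster and is not Veritas code. The manifest format, the function names and the cmd_a/cmd_b stand-in files are assumptions made for illustration; chown is left out because it needs root, and the check also flags any manifest entry that would combine SUID/SGID with group or world write.

```sh
#!/bin/sh
# Manifest format (constructed for this example): <octal-mode> <group> <path>

# entry_ok MODE GROUP PATH: true when PATH has exactly MODE and group GROUP.
# find compares all 07777 bits, so a lost SUID/SGID bit counts as drift.
entry_ok() {
    [ -n "$(find "$3" -prune -perm "$1" -group "$2" 2>/dev/null)" ]
}

# risky MODE: true when MODE combines SUID/SGID with group/other write.
risky() {
    [ $(( (0$1 & 06000) != 0 && (0$1 & 0022) != 0 )) -eq 1 ]
}

# check_manifest FILE: print one line per problem; return 1 if any was found.
check_manifest() {
    rc=0
    while read -r mode group path; do
        case $mode in ''|'#'*) continue ;; esac
        if risky "$mode"; then echo "RISKY $mode $path"; rc=1; fi
        if ! entry_ok "$mode" "$group" "$path"; then echo "DRIFT $path"; rc=1; fi
    done < "$1"
    return $rc
}

# apply_manifest FILE: reapply group, then mode. chgrp can clear SUID/SGID,
# so chmod comes last. Risky entries are skipped rather than applied.
apply_manifest() {
    while read -r mode group path; do
        case $mode in ''|'#'*) continue ;; esac
        risky "$mode" && continue
        chgrp "$group" "$path" && chmod "$mode" "$path" || return 1
    done < "$1"
}

# demo: constructed stand-ins for NB commands in a temp dir. The caller's own
# gid stands in for "nbuser" so the demo runs without root.
demo() (
    d=$(mktemp -d) && cd "$d" || exit 1
    g=$(id -g)
    touch cmd_a cmd_b
    printf '%s\n' "# mode group path" "4750 $g cmd_a" "0750 $g cmd_b" > manifest
    apply_manifest manifest
    chmod 0555 cmd_a                          # simulate a patch resetting the mode
    check_manifest manifest || echo "reapplying"
    apply_manifest manifest && check_manifest manifest && echo "clean"
    cd / && rm -rf "$d"
)
demo
```

Running check_manifest from cron or right after each patch turns a silent permission reset into a visible DRIFT line before anyone depends on the delegated commands.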


