Veritas-bu

[Veritas-bu] RE: Administering netbackup without being root

2002-10-29 11:50:26
Subject: [Veritas-bu] RE: Administering netbackup without being root
From: PWinkeler AT officemax DOT com (Winkeler, Paul)
Date: Tue, 29 Oct 2002 11:50:26 -0500
Louise
 
The other thing you could do is to acquaint yourself with "sudo":
    http://www.courtesan.com/sudo/
 
It is easy enough to insert "sudo" in front of the NetBackup commands and it
even gives you a nice audit trail!
 
 PaulW

--- 
Paul Winkeler, IT Consultant 
216-471-3795 

-----Original Message-----
From: Donaldson, Mark [mailto:Mark.Donaldson AT experianems DOT com] 
Sent: Tuesday, October 29, 2002 11:15 AM
To: 'louise.bazzard AT dutchtone DOT nl'; veritas-bu AT mailman.eng.auburn DOT edu
Subject: RE: [Veritas-bu] RE: Administering netbackup without being root



I've added semi-root functions by creating a Unix group called "nbuser", then
getting creative with group permissions and SUID functions.  Be very careful
with this.

Also, if the OS is Solaris, it's one of the few OSes that support SUID
scripts, allowing tools to be built wrapped around NB commands that allow
functionality but permit programmatic limiting.

Note, applying patches/upgrades to NB will often reset the permissions on
NB commands.  Scripting the chown/chmod commands that make this setup for
easy reapplication is a real time saver.

-M 

-----Original Message----- 
From: louise.bazzard AT dutchtone DOT nl [mailto:louise.bazzard AT dutchtone DOT nl]
Sent: Tuesday, October 29, 2002 12:52 AM 
To: veritas-bu AT mailman.eng.auburn DOT edu 
Subject: [Veritas-bu] RE: Administering netbackup without being root 


Hi Gary, 

I had an in-house conversation about this one (as we use accounts other
than root to have limited access to our backup system) with a reliable
source.  He advised that should you wish to administer Netbackup with a user
other than root, you would need to change the owner of your library, drives,
etc.  Then when you applied a patch, these would then be reverted to root
ownership (well, most of the time!).

IMHO, if your backup administrator is trusted to be responsible for
safeguarding your company's data, then they should be trusted to have root
privilege.

Met vriendelijke groet / Kind regards, 
Louise 
  

-__--__-- 

Message: 8 
From: "Sperano, Gary" <Gary.Sperano AT T-Mobile DOT com> 
To: Ryan Anderson <Ryan.Anderson AT udlp DOT com>, 
veritas-bu AT mailman.eng.auburn DOT edu 
Subject: RE: [Veritas-bu] Administering Netbackup without root or root password
Date: Mon, 28 Oct 2002 04:33:30 -0800 

I think you may have missed my point.  "FULLY" administer Netbackup is what 
I am looking for not just from the JAVA side.  This includes executing any 
command line option and having the ability to read, write, execute, create, 
etc. any and all necessary files. 

Any ideas now? 

Gary A. Sperano Jr. 
Technical Specialist II 
T-Mobile USA - Atlanta 
(770) 604-3165 Desk 
(404) 610-9566 Cell 
gary.sperano AT t-mobile DOT com 


-----Original Message----- 
From: Ryan Anderson [mailto:Ryan.Anderson AT udlp DOT com]
Sent: Friday, October 25, 2002 4:11 PM 
To: veritas-bu AT mailman.eng.auburn DOT edu; Gary.Sperano AT T-Mobile DOT com 
Subject: Re: [Veritas-bu] Administering Netbackup without root or root 
password 


Yes. You just need to edit the /usr/openv/java/auth.conf (as root ;-)
appropriately to give a non-root user the ability to do all NBU
functions. For user 'billybob' to have all administrator functions would
have an entry like this:

billybob ADMIN=ALL JBP=ALL 

This is for using the Java GUI, jnbSA. 

RCA 

-- 
Ryan C. Anderson 
Unix Administrator 
United Defense L.P. 
desk   763.572.6684 
pager 952.235.9936 
mobile 612.419.9362 

>>> "Sperano, Gary" <Gary.Sperano AT T-Mobile DOT com> 10/25/02 01:14PM >>>
Is there anybody out there that is FULLY administering Veritas Netbackup who
is not a UNIX administrator nor has the ability to become root or has the
root password.  If so...how are you able to accomplish this?

Gary A. Sperano Jr. 
Technical Specialist II 
T-Mobile USA - Atlanta 
(770) 604-3165 Desk 
(404) 610-9566 Cell 
gary.sperano AT t-mobile DOT com 

_______________________________________________ 
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu 
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
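
Added example, not part of the original thread or of NetBackup: one way to script the ownership and mode re-application that the messages above say is needed after a patch resets permissions, with an audit pass that reports drift and flags setuid/setgid files that group or others can write. The manifest format and the function names `audit_perms`, `apply_perms` and `risky_mode` are assumptions made for this sketch, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: audit and re-apply ownership/modes after a patch resets them.
# Manifest lines (constructed format): <path> <owner> <group> <octal-mode>
# Assumes GNU stat (-c); owner/group may be names or numeric IDs.

# True when a mode combines setuid/setgid with group or other write access.
risky_mode() {
    bits=$((0$1))
    [ $((bits & 06000)) -ne 0 ] && [ $((bits & 022)) -ne 0 ]
}

# Print one line per finding; return 1 if anything differs from the manifest.
audit_perms() {
    manifest=$1; rc=0
    while read -r path owner group mode; do
        case $path in ''|'#'*) continue ;; esac
        if [ ! -e "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        set -- $(stat -c '%U %G %u %g %a' "$path")
        want=$(printf '%o' "0$mode")   # normalise 0750 -> 750
        if { [ "$owner" != "$1" ] && [ "$owner" != "$3" ]; } ||
           { [ "$group" != "$2" ] && [ "$group" != "$4" ]; } ||
           [ "$want" != "$5" ]; then
            echo "DRIFT $path have=$1:$2:$5 want=$owner:$group:$want"; rc=1
        fi
        if risky_mode "$5"; then
            echo "RISKY $path mode=$5 (setuid/setgid and writable)"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Re-apply the manifest. chown comes first because it can clear setuid/setgid
# bits; chmod then restores the intended mode.
apply_perms() {
    while read -r path owner group mode; do
        case $path in ''|'#'*) continue ;; esac
        if risky_mode "$mode"; then
            echo "SKIP $path: refusing mode $mode" >&2; continue
        fi
        chown "$owner:$group" "$path" && chmod "$mode" "$path" || return 1
    done < "$1"
}
```

Running `audit_perms` from cron or right after each patch turns a silent permission reset into a visible finding before `apply_perms` is used to restore the intended state.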
