This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
------_=_NextPart_001_01C27F6B.48209BC0
Content-Type: text/plain
Louise
The other thing you could is to acquaint yourself with "sudo":
http://www.courtesan.com/sudo/ <http://www.courtesan.com/sudo/>
It is easy enough to insert "sudo" in front of the NetBackup commands and it
even gives you a nice audit trail!
PaulW
---
Paul Winkeler, IT Consultant
216-471-3795
-----Original Message-----
From: Donaldson, Mark [mailto:Mark.Donaldson AT experianems DOT com]
Sent: Tuesday, October 29, 2002 11:15 AM
To: 'louise.bazzard AT dutchtone DOT nl'; veritas-bu AT mailman.eng.auburn DOT
edu
Subject: RE: [Veritas-bu] RE: Administering netbackup without being root
I've added semi-root functions by created a Unix group called "nbuser", then
getting creative with group permissions and SUID functions. Be very careful
with this.
Also, if the OS is solaris, it's one of the few OS's that support SUID
scripts, allowing tools to be built wrapped around NB commands that allow
functionality but permit programatic limiting.
Note, applying patches/upgrades to NB will often reset the permisssions on
NB commands. Scripting the chown/chmod commands that make this setup for
easy reapplication is a real time saver.
-M
-----Original Message-----
From: louise.bazzard AT dutchtone DOT nl [mailto:louise.bazzard AT dutchtone
DOT nl
<mailto:louise.bazzard AT dutchtone DOT nl> ]
Sent: Tuesday, October 29, 2002 12:52 AM
To: veritas-bu AT mailman.eng.auburn DOT edu
Subject: [Veritas-bu] RE: Administering netbackup without being root
Hi Gary,
I had an in house conversation about this one, (as we use accounts other
than root to have limited access to our backup system) with a reliable
source. He advised should you wish to administer Netbackup with a user
other than root; you would need to change the owner of your library, drives,
etc. Then when you applied a patch, these would then be reverted to root
ownership (well, most of the time!).
IMHO, if your backup administrator is trusted to be responsible for
safeguarding your companies' data, then they should be trusted to have root
privilege.
Met vriendelijke groet / Kind regards,
Louise
-__--__--
Message: 8
From: "Sperano, Gary" <Gary.Sperano AT T-Mobile DOT com>
To: Ryan Anderson <Ryan.Anderson AT udlp DOT com>,
veritas-bu AT mailman.eng.auburn DOT edu
Subject: RE: [Veritas-bu] Administering Netbackup without root or root pas
sword
Date: Mon, 28 Oct 2002 04:33:30 -0800
I think you may have missed my point. "FULLY" administer Netbackup is what
I am looking for not just from the JAVA side. This includes executing any
command line option and having the ability to read, write, execute, create,
etc. any and all necessary files.
Any ideas now?
Gary A. Sperano Jr.
Technical Specialist II
T-Mobile USA - Atlanta
(770) 604-3165 Desk
(404) 610-9566 Cell
gary.sperano AT t-mobile DOT com
-----Original Message-----
From: Ryan Anderson [mailto:Ryan.Anderson AT udlp DOT com
<mailto:Ryan.Anderson AT udlp DOT com> ]
Sent: Friday, October 25, 2002 4:11 PM
To: veritas-bu AT mailman.eng.auburn DOT edu; Gary.Sperano AT T-Mobile DOT com
Subject: Re: [Veritas-bu] Administering Netbackup without root or root
password
Yes. You just need to edit the /usr/openv/java/auth.conf (as root ;-)
appropriately to give a non-root user the ability to do all NBU
functions. For user 'billybo' to have all administrator functions would
have an entry like this:
billybob ADMIN=ALL JBP=ALL
This is for using the Java GUI, jnbSA.
RCA
--
Ryan C. Anderson
Unix Administrator
United Defense L.P.
desk 763.572.6684
pager 952.235.9936
mobile 612.419.9362
>>> "Sperano, Gary" <Gary.Sperano AT T-Mobile DOT com> 10/25/02 01:14PM >>>
Is there anybody out there that is FULLY administering Veritas
Netbackup who
is not a UNIX administrator nor has the ability to become root or has
the
root password. If so...how are you able to accomplish this?
Gary A. Sperano Jr.
Technical Specialist II
T-Mobile USA - Atlanta
(770) 604-3165 Desk
(404) 610-9566 Cell
gary.sperano AT t-mobile DOT com
_______________________________________________
Veritas-bu maillist - Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
<http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu>
--__--__--
===========================================================
De verzonden informatie is uitsluitend bestemd voor de geadresseerde
natuurlijke persoon of rechtspersoon en bevat mogelijk vertrouwelijke en/of
geprivilegeerde gegevens. Met uitzondering van de geadresseerde persoon is
het niet toegestaan de informatie openbaar te maken, te kopieren, te
verspreiden of anderszins actie te ondernemen op basis van de informatie.
Indien u de informatie abusievelijk heeft ontvangen, neem dan contact op met
de afzender en verwijder de informatie uit alle computers. Dutchtone staat
niet in voor de juiste en complete verzending van de informatie, noch is zij
aansprakelijk voor de vertraagde ontvangst hiervan.
The information transmitted is intended exclusively for the person or entity
to which it is addressed and may contain confidential and/or privileged
material. Any disclosure, copying, distribution or other action based upon
the information by persons or entities other than the intended recipient is
prohibited. If you receive this information in error, please contact the
sender and delete the material from any and all computers. Dutchtone does
not warrant a proper and complete transmission of this information, nor does
it accept liability for any delays.
===========================================================
_______________________________________________
Veritas-bu maillist - Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
<http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu>
------_=_NextPart_001_01C27F6B.48209BC0
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<TITLE>Message</TITLE>
<META content="MSHTML 6.00.2713.1100" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=731014616-29102002><FONT face=Arial color=#0000ff
size=2>Louise</FONT></SPAN></DIV>
<DIV> </DIV>
<DIV><SPAN class=731014616-29102002><FONT face=Arial color=#0000ff size=2>The
other thing you could is to acquaint yourself with "sudo":</FONT></SPAN></DIV>
<DIV><SPAN class=731014616-29102002> <FONT face=Arial
color=#0000ff size=2><A
href="http://www.courtesan.com/sudo/">http://www.courtesan.com/sudo/</A></FONT></SPAN></DIV>
<DIV><SPAN class=731014616-29102002></SPAN> </DIV>
<DIV><SPAN class=731014616-29102002><FONT face=Arial color=#0000ff size=2>It is
easy enough to insert "sudo" in front of the NetBackup commands and it even
gives you a nice audit trail!</FONT></SPAN></DIV>
<DIV><SPAN class=731014616-29102002><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=731014616-29102002><FONT face=Arial color=#0000ff
size=2> PaulW</FONT></SPAN></DIV><!-- Converted from text/rtf format -->
<P><SPAN lang=en-us><FONT face=Arial size=2>---</FONT></SPAN> <BR><SPAN
lang=en-us><FONT face=Arial size=2>Paul Winkeler, IT Consultant</FONT></SPAN>
<BR><SPAN lang=en-us><FONT face=Arial size=2>216-471-3795</FONT></SPAN> </P>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left><FONT
face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> Donaldson, Mark
[mailto:Mark.Donaldson AT experianems DOT com] <BR><B>Sent:</B> Tuesday,
October 29,
2002 11:15 AM<BR><B>To:</B> 'louise.bazzard AT dutchtone DOT nl';
veritas-bu AT mailman.eng.auburn DOT edu<BR><B>Subject:</B> RE: [Veritas-bu]
RE:
Administering netbackup without being root<BR><BR></FONT></DIV>
<P><FONT size=2>I've added semi-root functions by created a Unix group called
"nbuser", then getting creative with group permissions and SUID
functions. Be very careful with this.</FONT></P>
<P><FONT size=2>Also, if the OS is solaris, it's one of the few OS's that
support SUID scripts, allowing tools to be built wrapped around NB commands
that allow functionality but permit programatic limiting.</FONT></P>
<P><FONT size=2>Note, applying patches/upgrades to NB will often reset the
permisssions on NB commands. Scripting the chown/chmod commands that
make this setup for easy reapplication is a real time saver.</FONT></P>
<P><FONT size=2>-M</FONT> </P>
<P><FONT size=2>-----Original Message-----</FONT> <BR><FONT size=2>From:
louise.bazzard AT dutchtone DOT nl [<A
href="mailto:louise.bazzard AT dutchtone DOT nl">mailto:louise.bazzard AT
dutchtone DOT nl</A>]</FONT>
<BR><FONT size=2>Sent: Tuesday, October 29, 2002 12:52 AM</FONT> <BR><FONT
size=2>To: veritas-bu AT mailman.eng.auburn DOT edu</FONT> <BR><FONT
size=2>Subject:
[Veritas-bu] RE: Administering netbackup without being root</FONT> </P><BR>
<P><FONT size=2>Hi Gary,</FONT> </P>
<P><FONT size=2>I had an in house conversation about this one, (as we use
accounts other</FONT> <BR><FONT size=2>than root to have limited access to
our
backup system) with a reliable</FONT> <BR><FONT size=2>source. He
advised should you wish to administer Netbackup with a user</FONT> <BR><FONT
size=2>other than root; you would need to change the owner of your library,
drives,</FONT> <BR><FONT size=2>etc. Then when you applied a patch,
these would then be reverted to root</FONT> <BR><FONT size=2>ownership (well,
most of the time!).</FONT> </P>
<P><FONT size=2>IMHO, if your backup administrator is trusted to be
responsible for</FONT> <BR><FONT size=2>safeguarding your companies' data,
then they should be trusted to have root</FONT> <BR><FONT size=2>privilege.
</FONT></P>
<P><FONT size=2>Met vriendelijke groet / Kind regards,</FONT> <BR><FONT
size=2>Louise</FONT> <BR><FONT size=2> </FONT> </P>
<P><FONT size=2>-__--__--</FONT> </P>
<P><FONT size=2>Message: 8</FONT> <BR><FONT size=2>From: "Sperano, Gary"
<Gary.Sperano AT T-Mobile DOT com></FONT> <BR><FONT size=2>To: Ryan
Anderson
<Ryan.Anderson AT udlp DOT com>,</FONT> <BR><FONT
size=2>veritas-bu AT mailman.eng.auburn DOT edu</FONT> <BR><FONT
size=2>Subject: RE:
[Veritas-bu] Administering Netbackup without root or root pas</FONT>
<BR> <FONT size=2>sword</FONT>
<BR><FONT size=2>Date: Mon, 28 Oct 2002 04:33:30 -0800</FONT> </P>
<P><FONT size=2>I think you may have missed my point. "FULLY"
administer
Netbackup is what</FONT> <BR><FONT size=2>I am looking for not just from the
JAVA side. This includes executing any</FONT> <BR><FONT size=2>command
line option and having the ability to read, write, execute, create,</FONT>
<BR><FONT size=2>etc. any and all necessary files.</FONT> </P>
<P><FONT size=2>Any ideas now?</FONT> </P>
<P><FONT size=2>Gary A. Sperano Jr.</FONT> <BR><FONT size=2>Technical
Specialist II</FONT> <BR><FONT size=2>T-Mobile USA - Atlanta</FONT> <BR><FONT
size=2>(770) 604-3165 Desk</FONT> <BR><FONT size=2>(404) 610-9566 Cell</FONT>
<BR><FONT size=2>gary.sperano AT t-mobile DOT com</FONT> </P><BR>
<P><FONT size=2>-----Original Message-----</FONT> <BR><FONT size=2>From: Ryan
Anderson [<A
href="mailto:Ryan.Anderson AT udlp DOT com">mailto:Ryan.Anderson AT udlp DOT
com</A>]</FONT>
<BR><FONT size=2>Sent: Friday, October 25, 2002 4:11 PM</FONT> <BR><FONT
size=2>To: veritas-bu AT mailman.eng.auburn DOT edu; Gary.Sperano AT T-Mobile
DOT com</FONT>
<BR><FONT size=2>Subject: Re: [Veritas-bu] Administering Netbackup without
root or root</FONT> <BR><FONT size=2>password</FONT> </P><BR>
<P><FONT size=2>Yes. You just need to edit the /usr/openv/java/auth.conf (as
root ;-)</FONT> <BR><FONT size=2>appropriately to give a non-root user the
ability to do all NBU</FONT> <BR><FONT size=2>functions. For user 'billybo'
to
have all administrator functions would</FONT> <BR><FONT size=2>have an entry
like this:</FONT> </P>
<P><FONT size=2>billybob ADMIN=ALL JBP=ALL</FONT> </P>
<P><FONT size=2>This is for using the Java GUI, jnbSA.</FONT> </P>
<P><FONT size=2>RCA</FONT> </P>
<P><FONT size=2>--</FONT> <BR><FONT size=2>Ryan C. Anderson</FONT> <BR><FONT
size=2>Unix Administrator</FONT> <BR><FONT size=2>United Defense L.P.</FONT>
<BR><FONT size=2>desk 763.572.6684</FONT> <BR><FONT size=2>pager
952.235.9936</FONT> <BR><FONT size=2>mobile 612.419.9362</FONT> </P>
<P><FONT size=2>>>> "Sperano, Gary" <Gary.Sperano AT T-Mobile DOT
com>
10/25/02 01:14PM >>></FONT> <BR><FONT size=2>Is there anybody out
there that is FULLY administering Veritas</FONT> <BR><FONT size=2>Netbackup
who</FONT> <BR><FONT size=2>is not a UNIX administrator nor has the ability
to
become root or has</FONT> <BR><FONT size=2>the</FONT> <BR><FONT size=2>root
password. If so...how are you able to accomplish this?</FONT> </P>
<P><FONT size=2>Gary A. Sperano Jr.</FONT> <BR><FONT size=2>Technical
Specialist II</FONT> <BR><FONT size=2>T-Mobile USA - Atlanta</FONT> <BR><FONT
size=2>(770) 604-3165 Desk</FONT> <BR><FONT size=2>(404) 610-9566 Cell</FONT>
<BR><FONT size=2>gary.sperano AT t-mobile DOT com </FONT></P>
<P><FONT size=2>_______________________________________________</FONT>
<BR><FONT size=2>Veritas-bu maillist -
Veritas-bu AT mailman.eng.auburn DOT edu </FONT><BR><FONT size=2><A
href="http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu"
target=_blank>http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu</A></FONT>
</P>
<P><FONT size=2>--__--__--</FONT> </P><BR>
<P><FONT
size=2>===========================================================</FONT>
<BR><FONT size=2>De verzonden informatie is uitsluitend bestemd voor de
geadresseerde</FONT> <BR><FONT size=2>natuurlijke persoon of rechtspersoon en
bevat mogelijk vertrouwelijke en/of</FONT> <BR><FONT size=2>geprivilegeerde
gegevens. Met uitzondering van de geadresseerde persoon is</FONT> <BR><FONT
size=2>het niet toegestaan de informatie openbaar te maken, te kopieren,
te</FONT> <BR><FONT size=2>verspreiden of anderszins actie te ondernemen op
basis van de informatie.</FONT> <BR><FONT size=2>Indien u de informatie
abusievelijk heeft ontvangen, neem dan contact op met</FONT> <BR><FONT
size=2>de afzender en verwijder de informatie uit alle computers. Dutchtone
staat</FONT> <BR><FONT size=2>niet in voor de juiste en complete verzending
van de informatie, noch is zij</FONT> <BR><FONT size=2>aansprakelijk voor de
vertraagde ontvangst hiervan.</FONT> </P>
<P><FONT size=2>The information transmitted is intended exclusively for the
person or entity</FONT> <BR><FONT size=2>to which it is addressed and may
contain confidential and/or privileged</FONT> <BR><FONT size=2>material. Any
disclosure, copying, distribution or other action based upon</FONT>
<BR><FONT size=2>the information by persons or entities other than the
intended recipient is</FONT> <BR><FONT size=2>prohibited. If you receive this
information in error, please contact the</FONT> <BR><FONT size=2>sender and
delete the material from any and all computers. Dutchtone does</FONT>
<BR><FONT size=2>not warrant a proper and complete transmission of this
information, nor does</FONT> <BR><FONT size=2>it accept liability for any
delays.</FONT> <BR><FONT
size=2>===========================================================</FONT>
</P><BR>
<P><FONT size=2>_______________________________________________</FONT>
<BR><FONT size=2>Veritas-bu maillist -
Veritas-bu AT mailman.eng.auburn DOT edu</FONT> <BR><FONT size=2><A
href="http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu"
target=_blank>http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu</A></FONT>
</P></BLOCKQUOTE></BODY></HTML>
------_=_NextPart_001_01C27F6B.48209BC0--
|