All,

Thanks for everyone's response, I eventually have setuid on the binaries
and changed the group on the binaries to that of the service account
being used by apache which all seems to work fine. 

Suppose the downfall and my vulnerability would lie in the exploitation
of netbackup.

Regards

Dave




-----Original Message-----
From: Jeff Lightner [mailto:jlightner at water.com] 
Sent: 11 May 2007 15:21
To: Jones, Courtenay; Clooney, David; Justin Piszcz
Cc: veritas-bu at mailman.eng.auburn.edu
Subject: RE: [Veritas-bu] Start NBU non-root

I think his issue is that a PHB that doesn't understand UNIX/Linux and
only (thinks he) knows that "root is bad" is trying to eliminate root.
The issue isn't how it is starting but what user it is running as.
Since sudo would run it as root he'd still have the same education of
PHB to do.

The reason it needs to be root is only root can read ALL files.   Even
if it is a master it is assumed it would be backing itself up so
Veritas/Symantec had no reason to write in the ability to run it as
anything other than root even on a "master only" server.

-----Original Message-----
From: veritas-bu-bounces at mailman.eng.auburn.edu
[mailto:veritas-bu-bounces at mailman.eng.auburn.edu] On Behalf Of Jones,
Courtenay
Sent: Friday, May 11, 2007 9:44 AM
To: Clooney, David; Justin Piszcz
Cc: veritas-bu at mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] Start NBU non-root

Could you use sudo functionality? 


Regards,

 
-cj
Courtenay Jones
UNIX Systems Engineer, Raleigh Technology Centre



-----Original Message-----
From: veritas-bu-bounces at mailman.eng.auburn.edu
[mailto:veritas-bu-bounces at mailman.eng.auburn.edu] On Behalf Of Clooney,
David
Sent: Friday, May 11, 2007 5:42 AM
To: Justin Piszcz
Cc: veritas-bu at mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] Start NBU non-root

Thanks Justin,

Well I guess that's that then :-)

Dave

-----Original Message-----
From: Justin Piszcz [mailto:jpiszcz at lucidpixels.com] 
Sent: 11 May 2007 10:40
To: Clooney, David
Cc: veritas-bu at mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] Start NBU non-root

NBU requires root.  End of story really.

Justin.

On Fri, 11 May 2007, Clooney, David wrote:

> Hi all,
>
>
>
> Scenario:  Linux RD 3 5.1 MP6
>
>
>
> Does anyone know if its possible to start netbackup as non root? Know
it
> sounds strange however this server is used merely for info retrieval
> from other masters through CGI, currently policy specifies that apache
> cannot be started as root understandably for security reasons.
>
>
>
> If I could start NBU as the same user as what apache does, it would
make
> my life a lot easier ?
>
>
>
> Regards
>
>
>
> Dave
>
> This email (including any attachments) may contain confidential and/or
> privileged information or information otherwise protected from
> disclosure. If you are not the intended recipient, please notify the
> sender immediately, do not copy this message or any attachments and do
> not use it for any purpose or disclose its content to any person, but
> delete this message and any attachments from your system. Astrium
> disclaims any and all liability if this email transmission was virus
> corrupted, altered or falsified.
> ---------------------------------------------------------------------
> Astrium Limited, Registered in England and Wales No. 2449259
> Registered Office: Gunnels Wood Road, Stevenage, Hertfordshire, SG1
2AS,
> England
>
>
>
>
> Notice to recipient:
> The information in this internet e-mail and any attachments is
confidential and may be privileged. It is intended solely for the
addressee. If you are not the intended addressee please notify the
sender immediately by telephone. If you are not the intended recipient,
any disclosure, copying, distribution or any action taken or omitted to
be taken in reliance on it, is prohibited and may be unlawful.
>
> When addressed to external clients any opinions or advice contained in
this internet e-mail are subject to the terms and conditions expressed
in any applicable governing terms of business or client engagement
letter issued by the pertinent Bank of America group entity.
>
> If this email originates from the U.K. please note that Bank of
America, N.A., London Branch and Banc of America Securities Limited are
authorised and regulated by the Financial Services Authority.
>



Notice to recipient:
The information in this internet e-mail and any attachments is
confidential and may be privileged. It is intended solely for the
addressee. If you are not the intended addressee please notify the
sender immediately by telephone. If you are not the intended recipient,
any disclosure, copying, distribution or any action taken or omitted to
be taken in reliance on it, is prohibited and may be unlawful.

When addressed to external clients any opinions or advice contained in
this internet e-mail are subject to the terms and conditions expressed
in any applicable governing terms of business or client engagement
letter issued by the pertinent Bank of America group entity.

If this email originates from the U.K. please note that Bank of America,
N.A., London Branch and Banc of America Securities Limited are
authorised and regulated by the Financial Services Authority.
_______________________________________________
Veritas-bu maillist  -  Veritas-bu at mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu

_______________________________________________
Veritas-bu maillist  -  Veritas-bu at mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu