Veritas-bu

[Veritas-bu] Start NBU non-root

2007-05-15 22:01:02
Subject: [Veritas-bu] Start NBU non-root
From: ewilts at ewilts.org (Ed Wilts)
Date: Tue, 15 May 2007 21:01:02 -0500
One word of caution - if your script isn't absolutely rock solid, you could
potentially set yourself up for a world of hurt.  For example, if you allow
apache to run bprestore via sudo and don't properly restrict the source and
target destinations, you could find yourself allowing a user to restore
~/myownpasswd.file to an arbitrary Unix host and now you have one or more
compromised systems.  If the user can restore the passwd file on your
NetBackup master, you now have a totally compromised environment since he
can now restore anything to anywhere as well as having full read access to
everything.

If all you're doing is information retrieval - e.g. NetBackup reporting,
then you'd be well advised to purchase a NetBackup reporting tool like
Aptare StorageConsole or use the NetBackup Operations Manager.  Although I
have not used NOM, I do know that by default, StorageConsole has no write
access to your NetBackup environment so your users can't compromise your
backups.

 .../Ed

--
Ed Wilts, Mounds View, MN, USA
mailto:ewilts at ewilts.org

I GoodSearch for Bundles Of Love
http://www.goodsearch.com/?charityid=821118 

> -----Original Message-----
> From: veritas-bu-bounces at mailman.eng.auburn.edu
> [mailto:veritas-bu-bounces at mailman.eng.auburn.edu] On Behalf Of McCammont, Anderson (IT)
> Sent: Tuesday, May 15, 2007 7:03 AM
> To: Curtis Preston; Clooney, David; Jeff Lightner; Jones, Courtenay;
> Justin Piszcz
> Cc: veritas-bu at mailman.eng.auburn.edu
> Subject: Re: [Veritas-bu] Start NBU non-root
> 
> My point is that if it's your script then you can assess and to an
> extent control/mitigate the security exposure, which is much more
> preferable to messing with the permissions on other applications which
> can expose you further.
> 
> You can still run the script in the context of the webserver
> (apache/nobody) and use sudo to elevate the permissions of the script
> accordingly if necessary to achieve the task at hand.  ie. the CGI
> script calls sudo RunMyNetbackupCommand for the commands that require
> elevated rights.
> 
> Good point on NOM though.  Personally I've no experience of it.
> 
> > -----Original Message-----
> > From: Curtis Preston [mailto:cpreston at glasshouse.com]
> > Sent: 14 May 2007 17:28
> > To: McCammont, Anderson (IT); Clooney, David; Jeff Lightner;
> > Jones, Courtenay; Justin Piszcz
> > Cc: veritas-bu at mailman.eng.auburn.edu
> > Subject: RE: [Veritas-bu] Start NBU non-root
> >
> > Unfortunately, running cgi commands as anything other than nobody or
> > apache is also considered dangerous.
> >
> > Sounds like you're screwed either way.
> >
> > Have you taken a look at NetBackup Operations Manager?  It allows some
> > management functionality via the web.
> >
> > ---
> > W. Curtis Preston
> > Author of O'Reilly's Backup & Recovery and Using SANs and NAS
> > VP Data Protection
> > GlassHouse Technologies
> >
> >
> > -----Original Message-----
> > From: veritas-bu-bounces at mailman.eng.auburn.edu
> > [mailto:veritas-bu-bounces at mailman.eng.auburn.edu] On Behalf Of
> > McCammont, Anderson (IT)
> > Sent: Monday, May 14, 2007 5:57 AM
> > To: Clooney, David; Jeff Lightner; Jones, Courtenay; Justin Piszcz
> > Cc: veritas-bu at mailman.eng.auburn.edu
> > Subject: Re: [Veritas-bu] Start NBU non-root
> >
> > I'm not sure what you want to achieve, but if you're looking to provide
> > a CGI script that exposes some netbackup functionality then I'd suggest
> > you elevate the permissions of your CGI appropriately at the points
> > necessary, eg. by running the netbackup commands you care about from
> > within your CGI under sudo(8) or somesuch as suggested by another
> > poster.  This way Netbackup and Apache stay appropriately permissioned
> > and you retain control of the parts of your CGI script that get the
> > elevated rights.
> >
> > > -----Original Message-----
> > > From: Clooney, David [mailto:david.clooney at bankofamerica.com]
> > > Sent: 14 May 2007 13:16
> > > To: McCammont, Anderson (IT); Jeff Lightner; Jones,
> > > Courtenay; Justin Piszcz
> > > Cc: veritas-bu at mailman.eng.auburn.edu
> > > Subject: RE: [Veritas-bu] Start NBU non-root
> > >
> > > Much appreciated for your input Anderson,
> > >
> > > Can you suggest a better scenario in which you would be able to run NBU
> > > master/media server binaries to satisfy the requests initiated through
> > > CGI?
> > >
> > > Dave
> > >
> > > -----Original Message-----
> > > From: McCammont, Anderson (IT)
> > > [mailto:Anderson.Mccammont at morganstanley.com]
> > > Sent: 14 May 2007 12:55
> > > To: Clooney, David; Jeff Lightner; Jones, Courtenay; Justin Piszcz
> > > Cc: veritas-bu at mailman.eng.auburn.edu
> > > Subject: RE: [Veritas-bu] Start NBU non-root
> > >
> > > Really, this is a bad idea.  Putting suid on code that you don't own or
> > > haven't reviewed the source code of is a substantial security exposure.
> > > You're not only not buying yourself anything (the executables would
> > > still be running with an effective UID of root), you're also exposing
> > > yourself to a large number of other issues - eg. binaries that would
> > > have normally run in the user's context are now running as root, opening
> > > yourself up to much more vulnerability.
> > >
> > > If there's any belief that Netbackup is suitably secure that this is an
> > > acceptable risk, spend 10 minutes with fuser/lsof + strace/truss and one
> > > will be very suspect of their socket code and handling of file
> > > descriptors (in 5.x at least - I can't speak to 6.x, anyone?).
> > > Alternatively look at some of the Netbackup security advisories
> > > published.  Note, that's for code they're expecting to run as root -
> > > you've no idea what you're exposing yourself to elsewhere in the
> > > application that you've just opened up.  Symantec wouldn't condone this
> > > practise either I'm sure.
> > >
> > > Sorry for the rant, but you really are better running as root.
> > > That said, if all you're interested in is the client portion of
> > > Netbackup not running as root, AFAIK it's only using reserved ports for
> > > outbound connections (that you could potentially turn off with
> > > CONNECT_OPTIONS in bp.conf) and if you've got read permission for all
> > > the files and ask NBU not to update the mtime/atime then I can't think
> > > what it may need to be root for, though I wouldn't be at all surprised
> > > to find out that it does.  It may be worth a call to support to
> > > determine why the client requires root if this is your usage case.
> > >
> > >
> > > > -----Original Message-----
> > > > From: veritas-bu-bounces at mailman.eng.auburn.edu
> > > > [mailto:veritas-bu-bounces at mailman.eng.auburn.edu] On Behalf
> > > > Of Clooney, David
> > > > Sent: 14 May 2007 09:47
> > > > To: Jeff Lightner; Jones, Courtenay; Justin Piszcz
> > > > Cc: veritas-bu at mailman.eng.auburn.edu
> > > > Subject: Re: [Veritas-bu] Start NBU non-root
> > > >
> > > > All,
> > > >
> > > > Thanks for everyone's response, I eventually have setuid on the binaries
> > > > and changed the group on the binaries to that of the service account
> > > > being used by apache which all seems to work fine.
> > > >
> > > > Suppose the downfall and my vulnerability would lie in the exploitation
> > > > of netbackup.
> > > >
> > > > Regards
> > > >
> > > > Dave
> > > >
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Jeff Lightner [mailto:jlightner at water.com]
> > > > Sent: 11 May 2007 15:21
> > > > To: Jones, Courtenay; Clooney, David; Justin Piszcz
> > > > Cc: veritas-bu at mailman.eng.auburn.edu
> > > > Subject: RE: [Veritas-bu] Start NBU non-root
> > > >
> > > > I think his issue is that a PHB that doesn't understand UNIX/Linux and
> > > > only (thinks he) knows that "root is bad" is trying to eliminate root.
> > > > The issue isn't how it is starting but what user it is running as.
> > > > Since sudo would run it as root he'd still have the same education of
> > > > PHB to do.
> > > >
> > > > The reason it needs to be root is only root can read ALL files.   Even
> > > > if it is a master it is assumed it would be backing itself up so
> > > > Veritas/Symantec had no reason to write in the ability to run it as
> > > > anything other than root even on a "master only" server.
> > > >
> > > > -----Original Message-----
> > > > From: veritas-bu-bounces at mailman.eng.auburn.edu
> > > > [mailto:veritas-bu-bounces at mailman.eng.auburn.edu] On Behalf Of Jones,
> > > > Courtenay
> > > > Sent: Friday, May 11, 2007 9:44 AM
> > > > To: Clooney, David; Justin Piszcz
> > > > Cc: veritas-bu at mailman.eng.auburn.edu
> > > > Subject: Re: [Veritas-bu] Start NBU non-root
> > > >
> > > > Could you use sudo functionality?
> > > >
> > > >
> > > > Regards,
> > > >
> > > >
> > > > -cj
> > > > Courtenay Jones
> > > > UNIX Systems Engineer, Raleigh Technology Centre
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: veritas-bu-bounces at mailman.eng.auburn.edu
> > > > [mailto:veritas-bu-bounces at mailman.eng.auburn.edu] On Behalf
> > > > Of Clooney, David
> > > > Sent: Friday, May 11, 2007 5:42 AM
> > > > To: Justin Piszcz
> > > > Cc: veritas-bu at mailman.eng.auburn.edu
> > > > Subject: Re: [Veritas-bu] Start NBU non-root
> > > >
> > > > Thanks Justin,
> > > >
> > > > Well I guess that's that then :-)
> > > >
> > > > Dave
> > > >
> > > > -----Original Message-----
> > > > From: Justin Piszcz [mailto:jpiszcz at lucidpixels.com]
> > > > Sent: 11 May 2007 10:40
> > > > To: Clooney, David
> > > > Cc: veritas-bu at mailman.eng.auburn.edu
> > > > Subject: Re: [Veritas-bu] Start NBU non-root
> > > >
> > > > NBU requires root.  End of story really.
> > > >
> > > > Justin.
> > > >
> > > > On Fri, 11 May 2007, Clooney, David wrote:
> > > >
> > > > > Hi all,
> > > > >
> > > > >
> > > > >
> > > > > Scenario:  Linux RD 3 5.1 MP6
> > > > >
> > > > >
> > > > >
> > > > > Does anyone know if it's possible to start netbackup as non root? Know it
> > > > > sounds strange however this server is used merely for info retrieval
> > > > > from other masters through CGI, currently policy specifies that apache
> > > > > cannot be started as root understandably for security reasons.
> > > > >
> > > > >
> > > > >
> > > > > If I could start NBU as the same user as what apache does, it would make
> > > > > my life a lot easier ?
> > > > >
> > > > >
> > > > >
> > > > > Regards
> > > > >
> > > > >
> > > > >
> > > > > Dave
> > >
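
Added example, not part of the original thread or of anyone's posted code: one way a sudo-invoked wrapper could restrict the restore source and destination that Ed's reply warns about, before any NetBackup command runs as root. The client allow-list, the /restore-staging directory, the /home/<user> layout and all function names are constructed assumptions; the bprestore call itself is left out.

```python
import posixpath
import re

# Constructed policy, not from the thread: clients the web front end may
# touch, and the only directory tree restored files may land in.
ALLOWED_CLIENTS = {"web01.example.com", "web02.example.com"}
RESTORE_ROOT = "/restore-staging"
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


class Rejected(ValueError):
    """The request falls outside what the wrapper may do as root."""


def clean_abs_path(path):
    # Accept only an already-normalised absolute path, so "..", ".", "//",
    # trailing slashes and control characters never reach the root command.
    if not path.startswith("/") or path.startswith("//"):
        raise Rejected("path must be absolute")
    if any(ord(c) < 32 or ord(c) == 127 for c in path):
        raise Rejected("control character in path")
    if posixpath.normpath(path) != path:
        raise Rejected("path is not normalised")
    return path


def is_under(path, root):
    # Compare whole components: /home/alicia is not under /home/alice.
    return path.startswith(root + "/")


def validate_restore(user, src_client, src_path, dst_client, dst_path):
    """Return the vetted request tuple, or raise Rejected."""
    if not USERNAME_RE.fullmatch(user):
        raise Rejected("bad user name")
    if src_client not in ALLOWED_CLIENTS or dst_client not in ALLOWED_CLIENTS:
        raise Rejected("client not in allow-list")
    if dst_client != src_client:
        raise Rejected("restore to a different host is not permitted")
    src = clean_abs_path(src_path)
    dst = clean_abs_path(dst_path)
    if not is_under(src, "/home/" + user):
        raise Rejected("source is outside the requesting user's home")
    if not is_under(dst, RESTORE_ROOT + "/" + user):
        raise Rejected("destination is outside the staging area")
    return (user, src_client, src, dst_client, dst)
```

The user name has to come from the web server's authenticated session, not from a form field, or the home-directory check restricts nothing.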

