Author: david.clooney at bankofamerica.com (Clooney, David)
Date: Fri, 11 May 2007 10:27:03 +0100
Hi all, Scenario: Linux RD 3 5.1 MP6 Does anyone know if it's possible to start netbackup as non root? Know it sounds strange however this server is used merely for info retrieval from other masters t
Author: david.clooney at bankofamerica.com (Clooney, David)
Date: Fri, 11 May 2007 10:41:54 +0100
Thanks Justin, Well I guess that's that then :-) Dave NBU requires root. End of story really. Justin. On Fri, 11 May 2007, Clooney, David wrote: it make 2AS, confidential and may be privileged. It is
Author: Patrick.Whelan at colt.net (Whelan, Patrick)
Date: Fri, 11 May 2007 10:49:40 +0100
True, NetBackup does require root, but you might be able to setuid on the start-up script and execute it that way, have never actually tried. I have, in the past, setuid on all the entire executables
Author: david.clooney at bankofamerica.com (Clooney, David)
Date: Fri, 11 May 2007 10:50:24 +0100
Justin, Another thought then, would it be possible to give the apache user permissions to read and execute all the netbackup binaries. If so would the commands be successful? Dave --Original Message
Author: jpiszcz at lucidpixels.com (Justin Piszcz)
Date: Fri, 11 May 2007 05:52:22 -0400 (EDT)
Someone tried to do this in a previous environment that I took over last year, the problem? When you upgrade, it will all break. The 'hack' they implemented was to make sure all of the binaries were
Author: david.clooney at bankofamerica.com (Clooney, David)
Date: Fri, 11 May 2007 11:02:26 +0100
Thanks Justin, Not such a bad idea, as this server is merely a vm slice that doesn't do any backups, it purely has the binaries installed in order to retrieve info from the other masters. Dave Someon
Author: courtenay.jones at StockSupply.com (Jones, Courtenay)
Date: Fri, 11 May 2007 09:44:23 -0400
Could you use sudo functionality? Regards, -cj Courtenay Jones UNIX Systems Engineer, Raleigh Technology Centre --Original Message-- From: veritas-bu-bounces at mailman.eng.auburn.edu [mailto:veritas
I think his issue is that a PHB that doesn't understand UNIX/Linux and only (thinks he) knows that "root is bad" is trying to eliminate root. The issue isn't how it is starting but what user it is ru
Author: david.clooney at bankofamerica.com (Clooney, David)
Date: Mon, 14 May 2007 09:46:37 +0100
All, Thanks for everyone's response, I eventually have setuid on the binaries and changed the group on the binaries to that of the service account being used by apache which all seems to work fine. S
Author: Anderson.Mccammont at morganstanley.com (McCammont, Anderson (IT))
Date: Mon, 14 May 2007 12:54:50 +0100
Really, this is a bad idea. Putting suid on code that you don't own or haven't reviewed the source code of is a substantial security exposure. You're not only not buying yourself anything (the execut
Author: david.clooney at bankofamerica.com (Clooney, David)
Date: Mon, 14 May 2007 13:16:19 +0100
Much appreciated for your input Anderson, Can you suggest a better scenario in which you would be able to run NBU, master/media server binaries to satisfy the requests initiated through CGI? Dave --
Author: Anderson.Mccammont at morganstanley.com (McCammont, Anderson (IT))
Date: Mon, 14 May 2007 13:56:47 +0100
I'm not sure what you want to achieve, but if you're looking to provide a CGI script that exposes some netbackup functionality then I'd suggest you elevate the permissions of your CGI appropriately a
Author: cpreston at glasshouse.com (Curtis Preston)
Date: Mon, 14 May 2007 12:27:31 -0400
Unfortunately, running cgi commands as anything other than nobody or apache is also considered dangerous. Sounds like you're screwed either way. Have you taken a look at NetBackup Operations Manager?
Author: Anderson.Mccammont at morganstanley.com (McCammont, Anderson (IT))
Date: Tue, 15 May 2007 13:02:47 +0100
My point is that if it's your script then you can assess and to an extent control/mitigate the security exposure, which is much more preferable to messing with the permissions on other applications w
One word of caution - if your script isn't absolutely rock solid, you could potentially set yourself up for a world of hurt. For example, if you allow apache to run bprestore via sudo and don't prope
* Ed Wilts <ewilts at ewilts.org> [2007-05-15 21:01]: I couldn't agree with this more. We had a couple commands that we allowed certain users to sudo to that were READ ONLY tools, like bppllist. I do