Veritas-bu

[Veritas-bu] Start NBU non-root

2007-05-14 07:54:50
Subject: [Veritas-bu] Start NBU non-root
From: Anderson.Mccammont at morganstanley.com (McCammont, Anderson (IT))
Date: Mon, 14 May 2007 12:54:50 +0100
Really, this is a bad idea.  Putting suid on code that you don't own or
haven't reviewed the source code of is a substantial security exposure.
You're not only not buying yourself anything (the executables would
still be running with an effective UID of root), you're also exposing
yourself to a large number of other issues - e.g. binaries that would
have normally run in the user's context are now running as root, opening
yourself up to much more vulnerability.

If there's any belief that Netbackup is suitably secure that this is an
acceptable risk, spend 10 minutes with fuser/lsof + strace/truss and one
will be very suspicious of their socket code and handling of file
descriptors (in 5.x at least - I can't speak to 6.x, anyone?).
Alternatively look at some of the Netbackup security advisories
published.  Note, that's for code they're expecting to run as root -
you've no idea what you're exposing yourself to elsewhere in the
application that you've just opened up.  Symantec wouldn't condone this
practice either I'm sure.

Sorry for the rant, but you really are better off running as root.
That said, if all you're interested in is the client portion of
Netbackup not running as root, AFAIK it's only using reserved ports for
outbound connections (that you could potentially turn off with
CONNECT_OPTIONS in bp.conf) and if you've got read permission for all
the files and ask NBU not to update the mtime/atime then I can't think
what it may need to be root for, though I wouldn't be at all surprised
to find out that it does.  It may be worth a call to support to
determine why the client requires root if this is your use case.


> -----Original Message-----
> From: veritas-bu-bounces at mailman.eng.auburn.edu
> [mailto:veritas-bu-bounces at mailman.eng.auburn.edu] On Behalf Of Clooney, David
> Sent: 14 May 2007 09:47
> To: Jeff Lightner; Jones, Courtenay; Justin Piszcz
> Cc: veritas-bu at mailman.eng.auburn.edu
> Subject: Re: [Veritas-bu] Start NBU non-root
> 
> All,
> 
> Thanks for everyone's response. I eventually set setuid on the binaries
> and changed the group on the binaries to that of the service account
> being used by apache, which all seems to work fine.
> 
> I suppose the downfall and my vulnerability would lie in the exploitation
> of netbackup.
> 
> Regards
> 
> Dave
> 
> 
> 
> 
> -----Original Message-----
> From: Jeff Lightner [mailto:jlightner at water.com] 
> Sent: 11 May 2007 15:21
> To: Jones, Courtenay; Clooney, David; Justin Piszcz
> Cc: veritas-bu at mailman.eng.auburn.edu
> Subject: RE: [Veritas-bu] Start NBU non-root
> 
> I think his issue is that a PHB that doesn't understand UNIX/Linux and
> only (thinks he) knows that "root is bad" is trying to eliminate root.
> The issue isn't how it is starting but what user it is running as.
> Since sudo would run it as root he'd still have the same education of
> PHB to do.
> 
> The reason it needs to be root is only root can read ALL files.   Even
> if it is a master it is assumed it would be backing itself up so
> Veritas/Symantec had no reason to write in the ability to run it as
> anything other than root even on a "master only" server.
> 
> -----Original Message-----
> From: veritas-bu-bounces at mailman.eng.auburn.edu
> [mailto:veritas-bu-bounces at mailman.eng.auburn.edu] On Behalf Of Jones, Courtenay
> Sent: Friday, May 11, 2007 9:44 AM
> To: Clooney, David; Justin Piszcz
> Cc: veritas-bu at mailman.eng.auburn.edu
> Subject: Re: [Veritas-bu] Start NBU non-root
> 
> Could you use sudo functionality? 
> 
> 
> Regards,
> 
>  
> -cj
> Courtenay Jones
> UNIX Systems Engineer, Raleigh Technology Centre
> 
> 
> 
> -----Original Message-----
> From: veritas-bu-bounces at mailman.eng.auburn.edu
> [mailto:veritas-bu-bounces at mailman.eng.auburn.edu] On Behalf Of Clooney, David
> Sent: Friday, May 11, 2007 5:42 AM
> To: Justin Piszcz
> Cc: veritas-bu at mailman.eng.auburn.edu
> Subject: Re: [Veritas-bu] Start NBU non-root
> 
> Thanks Justin,
> 
> Well I guess that's that then :-)
> 
> Dave
> 
> -----Original Message-----
> From: Justin Piszcz [mailto:jpiszcz at lucidpixels.com] 
> Sent: 11 May 2007 10:40
> To: Clooney, David
> Cc: veritas-bu at mailman.eng.auburn.edu
> Subject: Re: [Veritas-bu] Start NBU non-root
> 
> NBU requires root.  End of story really.
> 
> Justin.
> 
> On Fri, 11 May 2007, Clooney, David wrote:
> 
> > Hi all,
> >
> > Scenario:  Linux RD 3 5.1 MP6
> >
> > Does anyone know if it's possible to start netbackup as non-root? I know
> > it sounds strange, however this server is used merely for info retrieval
> > from other masters through CGI; current policy specifies that apache
> > cannot be started as root, understandably for security reasons.
> >
> > If I could start NBU as the same user as apache, it would make
> > my life a lot easier.
> >
> > Regards
> >
> > Dave
> >
> _______________________________________________
> Veritas-bu maillist  -  Veritas-bu at mailman.eng.auburn.edu
> http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
> 
>
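The reply above objects to setting setuid on vendor binaries so a service account can run them: the binaries then execute with an effective UID of root, and a group that can write to them controls that code. The audit helper below is an added example (not from the thread, and not Veritas/Symantec tooling) that finds exactly that pattern on a host: setuid files whose group is not an allowed group, and setuid files that are group- or world-writable. It assumes GNU find (for -printf) and a POSIX shell; the install path and binary name in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added audit helper, not from the thread or from Veritas/Symantec: list
# setuid files under DIR whose group is not one of the allowed groups, the
# pattern discussed above (setuid set on NetBackup binaries, group changed
# to apache's service account). A setuid file that is also group- or
# world-writable is flagged too, since whoever can write it controls code
# that runs with the file owner's effective UID.
# Assumes GNU find (-printf) and a POSIX shell with octal arithmetic.
#
# usage: audit_setuid_by_group DIR [ALLOWED_GROUP ...]   (default: root)
# Prints "<mode> <owner>:<group> <path> <flags>" per finding; returns 1 if
# anything was flagged, 0 if the tree is clean.
audit_setuid_by_group() {
    dir=$1
    shift
    allowed=${*:-root}
    # The while loop runs in a subshell, so collect its text rather than a counter.
    # %m = octal mode bits, %u/%g = owner/group names, %p = path
    report=$(find "$dir" -xdev -type f -perm -4000 -printf '%m %u %g %p\n' 2>/dev/null |
        while IFS=' ' read -r mode owner group path; do
            flags=""
            ok=0
            for g in $allowed; do
                if [ "$group" = "$g" ]; then ok=1; fi
            done
            if [ "$ok" -eq 0 ]; then flags="$flags nonstd-group"; fi
            # 020 and 002 are the group- and world-write bits of the octal mode
            if [ $(( 0$mode & 020 )) -ne 0 ]; then flags="$flags group-writable"; fi
            if [ $(( 0$mode & 002 )) -ne 0 ]; then flags="$flags world-writable"; fi
            if [ -n "$flags" ]; then
                printf '%s %s:%s %s%s\n' "$mode" "$owner" "$group" "$path" "$flags"
            fi
        done)
    if [ -z "$report" ]; then return 0; fi
    printf '%s\n' "$report"
    return 1
}

# Stand-alone demo on a constructed tree; the path and binary name are
# placeholders, not real package contents.
demo=$(mktemp -d)
mkdir -p "$demo/openv/netbackup/bin"
: > "$demo/openv/netbackup/bin/bpclntcmd"
chmod 4750 "$demo/openv/netbackup/bin/bpclntcmd"   # setuid, executable by the group
if audit_setuid_by_group "$demo" root; then echo "clean"; else echo "findings above"; fi
rm -rf "$demo"
```

Run it against the real install tree (for example the NetBackup bin directory) with the groups your site considers acceptable; a non-zero exit status makes it usable from a cron job or configuration-compliance check.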