Veritas-bu

[Veritas-bu] Start NBU non-root

2007-05-14 12:27:31
Subject: [Veritas-bu] Start NBU non-root
From: cpreston at glasshouse.com (Curtis Preston)
Date: Mon, 14 May 2007 12:27:31 -0400
Unfortunately, running CGI commands as anything other than nobody or
apache is also considered dangerous.

Sounds like you're screwed either way.

Have you taken a look at NetBackup Operations Manager?  It allows some
management functionality via the web.

---
W. Curtis Preston
Author of O'Reilly's Backup & Recovery and Using SANs and NAS
VP Data Protection
GlassHouse Technologies


-----Original Message-----
From: veritas-bu-bounces at mailman.eng.auburn.edu
[mailto:veritas-bu-bounces at mailman.eng.auburn.edu] On Behalf Of
McCammont, Anderson (IT)
Sent: Monday, May 14, 2007 5:57 AM
To: Clooney, David; Jeff Lightner; Jones, Courtenay; Justin Piszcz
Cc: veritas-bu at mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] Start NBU non-root

I'm not sure what you want to achieve, but if you're looking to provide
a CGI script that exposes some NetBackup functionality then I'd suggest
you elevate the permissions of your CGI appropriately at the points
necessary, e.g. by running the NetBackup commands you care about from
within your CGI under sudo(8) or somesuch as suggested by another
poster.  This way NetBackup and Apache stay appropriately permissioned
and you retain control of the parts of your CGI script that get the
elevated rights.

> -----Original Message-----
> From: Clooney, David [mailto:david.clooney at bankofamerica.com] 
> Sent: 14 May 2007 13:16
> To: McCammont, Anderson (IT); Jeff Lightner; Jones, 
> Courtenay; Justin Piszcz
> Cc: veritas-bu at mailman.eng.auburn.edu
> Subject: RE: [Veritas-bu] Start NBU non-root
> 
> Much appreciated for your input Anderson,
> 
> Can you suggest a better scenario in which you would be able to run NBU
> master/media server binaries to satisfy the requests initiated through
> CGI?
> 
> Dave
> 
> -----Original Message-----
> From: McCammont, Anderson (IT)
> [mailto:Anderson.Mccammont at morganstanley.com] 
> Sent: 14 May 2007 12:55
> To: Clooney, David; Jeff Lightner; Jones, Courtenay; Justin Piszcz
> Cc: veritas-bu at mailman.eng.auburn.edu
> Subject: RE: [Veritas-bu] Start NBU non-root
> 
> Really, this is a bad idea.  Putting suid on code that you don't own or
> haven't reviewed the source code of is a substantial security exposure.
> You're not only not buying yourself anything (the executables would
> still be running with an effective UID of root), you're also exposing
> yourself to a large number of other issues - e.g. binaries that would
> have normally run in the user's context are now running as root, opening
> yourself up to much more vulnerability.
> 
> If there's any belief that NetBackup is suitably secure that this is an
> acceptable risk, spend 10 minutes with fuser/lsof + strace/truss and one
> will be very suspect of their socket code and handling of file
> descriptors (in 5.x at least - I can't speak to 6.x, anyone?).
> Alternatively look at some of the NetBackup security advisories
> published.  Note, that's for code they're expecting to run as root -
> you've no idea what you're exposing yourself to elsewhere in the
> application that you've just opened up.  Symantec wouldn't condone this
> practice either I'm sure.
> 
> Sorry for the rant, but you really are better running as root.
> That said, if all you're interested in is the client portion of
> NetBackup not running as root, AFAIK it's only using reserved ports for
> outbound connections (that you could potentially turn off with
> CONNECT_OPTIONS in bp.conf) and if you've got read permission for all
> the files and ask NBU not to update the mtime/atime then I can't think
> what it may need to be root for, though I wouldn't be at all surprised
> to find out that it does.  It may be worth a call to support to
> determine why the client requires root if this is your usage case.
> 
> 
> > -----Original Message-----
> > From: veritas-bu-bounces at mailman.eng.auburn.edu
> > [mailto:veritas-bu-bounces at mailman.eng.auburn.edu] On Behalf Of Clooney, David
> > Sent: 14 May 2007 09:47
> > To: Jeff Lightner; Jones, Courtenay; Justin Piszcz
> > Cc: veritas-bu at mailman.eng.auburn.edu
> > Subject: Re: [Veritas-bu] Start NBU non-root
> > 
> > All,
> > 
> > Thanks for everyone's response, I eventually have setuid on the binaries
> > and changed the group on the binaries to that of the service account
> > being used by apache which all seems to work fine.
> > 
> > Suppose the downfall and my vulnerability would lie in the exploitation
> > of netbackup.
> > 
> > Regards
> > 
> > Dave
> > 
> > 
> > 
> > 
> > -----Original Message-----
> > From: Jeff Lightner [mailto:jlightner at water.com] 
> > Sent: 11 May 2007 15:21
> > To: Jones, Courtenay; Clooney, David; Justin Piszcz
> > Cc: veritas-bu at mailman.eng.auburn.edu
> > Subject: RE: [Veritas-bu] Start NBU non-root
> > 
> > I think his issue is that a PHB that doesn't understand UNIX/Linux and
> > only (thinks he) knows that "root is bad" is trying to eliminate root.
> > The issue isn't how it is starting but what user it is running as.
> > Since sudo would run it as root he'd still have the same education of
> > PHB to do.
> > 
> > The reason it needs to be root is only root can read ALL files.  Even
> > if it is a master it is assumed it would be backing itself up so
> > Veritas/Symantec had no reason to write in the ability to run it as
> > anything other than root even on a "master only" server.
> > 
> > -----Original Message-----
> > From: veritas-bu-bounces at mailman.eng.auburn.edu
> > [mailto:veritas-bu-bounces at mailman.eng.auburn.edu] On Behalf Of Jones,
> > Courtenay
> > Sent: Friday, May 11, 2007 9:44 AM
> > To: Clooney, David; Justin Piszcz
> > Cc: veritas-bu at mailman.eng.auburn.edu
> > Subject: Re: [Veritas-bu] Start NBU non-root
> > 
> > Could you use sudo functionality?
> > 
> > Regards,
> > 
> > -cj
> > Courtenay Jones
> > UNIX Systems Engineer, Raleigh Technology Centre
> > 
> > 
> > -----Original Message-----
> > From: veritas-bu-bounces at mailman.eng.auburn.edu
> > [mailto:veritas-bu-bounces at mailman.eng.auburn.edu] On Behalf Of Clooney, David
> > Sent: Friday, May 11, 2007 5:42 AM
> > To: Justin Piszcz
> > Cc: veritas-bu at mailman.eng.auburn.edu
> > Subject: Re: [Veritas-bu] Start NBU non-root
> > 
> > Thanks Justin,
> > 
> > Well I guess that's that then :-)
> > 
> > Dave
> > 
> > -----Original Message-----
> > From: Justin Piszcz [mailto:jpiszcz at lucidpixels.com] 
> > Sent: 11 May 2007 10:40
> > To: Clooney, David
> > Cc: veritas-bu at mailman.eng.auburn.edu
> > Subject: Re: [Veritas-bu] Start NBU non-root
> > 
> > NBU requires root.  End of story really.
> > 
> > Justin.
> > 
> > On Fri, 11 May 2007, Clooney, David wrote:
> > 
> > > Hi all,
> > >
> > > Scenario:  Linux RD 3 5.1 MP6
> > >
> > > Does anyone know if it's possible to start netbackup as non-root? Know
> > > it sounds strange however this server is used merely for info retrieval
> > > from other masters through CGI, currently policy specifies that apache
> > > cannot be started as root understandably for security reasons.
> > >
> > > If I could start NBU as the same user as what apache does, it would
> > > make my life a lot easier?
> > >
> > > Regards
> > >
> > > Dave

_______________________________________________
Veritas-bu maillist  -  Veritas-bu at mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
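Anderson's suggestion above (keep Apache and the CGI unprivileged, and run only the specific NetBackup commands you care about under sudo) as an added example that is not code from this thread or from Veritas/Symantec: a Python CGI helper with a fixed allow-list of read-only commands and strict argument validation. The admincmd path, binary names, options and the sudoers line are assumptions to be checked against the actual installation.

```python
"""Least-privilege CGI wrapper for a handful of read-only NetBackup commands.

Added example, not code from the list thread or from Veritas/Symantec.
The CGI process keeps running as the apache user; only the allow-listed
NetBackup binaries run under sudo, each with exactly the arguments we built.

Assumed sudoers fragment (hypothetical; restrict to your real paths):
    apache ALL=(root) NOPASSWD: /usr/openv/netbackup/bin/admincmd/bppllist, \
                                /usr/openv/netbackup/bin/admincmd/bpplinfo
"""
import re
import subprocess

# Assumed install path and option sets; adjust to the real master server.
NBU_ADMINCMD = "/usr/openv/netbackup/bin/admincmd"
ALLOWED_ACTIONS = {
    # action name -> (binary, trailing fixed options, whether a policy name is taken)
    "list_policies": ("bppllist", [], False),
    "policy_detail": ("bpplinfo", ["-L"], True),
}
# Policy names: letters, digits, dot, underscore and dash only, never starting
# with "-" or ".", so nothing sudo, a shell, or the NetBackup CLI could read
# as an option, a separator, or a path component.
POLICY_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def build_command(action, policy=None):
    """Return the exact argv to execute, or raise ValueError on bad input."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError("unknown action")
    binary, fixed_args, takes_policy = ALLOWED_ACTIONS[action]
    # "-n" makes sudo fail instead of prompting; "--" ends sudo's own options.
    argv = ["/usr/bin/sudo", "-n", "--", f"{NBU_ADMINCMD}/{binary}"]
    if takes_policy:
        if policy is None or not POLICY_NAME_RE.match(policy):
            raise ValueError("invalid policy name")
        argv.append(policy)
    elif policy is not None:
        raise ValueError("action takes no policy argument")
    return argv + fixed_args


def run_action(action, policy=None, timeout=30):
    """Run the allow-listed command without a shell and return its stdout."""
    argv = build_command(action, policy)
    result = subprocess.run(argv, capture_output=True, text=True,
                            timeout=timeout, check=False)
    if result.returncode != 0:
        raise RuntimeError(f"{argv[3]} failed with status {result.returncode}")
    return result.stdout
```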

