[Veritas-bu] Start NBU non-root
2007-05-16 10:37:08
Subject: [Veritas-bu] Start NBU non-root
From: dave-bu at graniteweb.com (David Rock)
Date: Wed, 16 May 2007 09:37:08 -0500
* Ed Wilts <ewilts at ewilts.org> [2007-05-15 21:01]:
> One word of caution - if your script isn't absolutely rock solid, you could
> potentially set yourself up for a world of hurt. For example, if you allow
> apache to run bprestore via sudo and don't properly restrict the source and
> target destinations, you could find yourself allowing a user to restore
> ~/myownpasswd.file to an arbitrary Unix host and now you have one or more
> compromised systems. If the user can restore the passwd file on your
> NetBackup master, you now have a totally compromised environment since he
> can now restore anything to anywhere as well as having full read access to
> everything.
I couldn't agree with this more. We had a couple commands that we
allowed certain users to sudo to that were READ ONLY tools, like
bppllist. I don't even like our operators having access to the Activity
Monitor through the Java GUI because it's not just viewing. NBU has a
wretched excuse for a security model.
--
David Rock
david at graniteweb.com
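
The restriction Ed Wilts describes, sketched as an added example (not code from the thread or from NetBackup): a check that a sudo-invoked wrapper could run on the requested source and destination before it ever calls bprestore. The user names, host names, paths and policy tables are constructed for illustration, and the bprestore invocation itself is left out.

```python
import posixpath

# Constructed policy (hypothetical names): what each web user may restore,
# and the only hosts/directories a restore may be written to.
ALLOWED_SOURCE_ROOTS = {"alice": ["/home/alice"], "bob": ["/home/bob", "/srv/projects/bob"]}
ALLOWED_TARGETS = {"restore01.example.com": ["/restore/scratch"]}


def _clean_abs_path(path):
    """Return the normalized absolute path, or None if it is unsafe to pass on."""
    if not path or not path.startswith("/") or path.startswith("//"):
        return None  # relative paths and option-like values ("-x") are refused
    if any(ord(c) < 0x20 or c == "\x7f" for c in path):
        return None  # no NUL, newline or other control characters
    if ".." in path.split("/"):
        return None  # refuse traversal outright rather than trusting normalization
    return posixpath.normpath(path)


def _under(path, root):
    """True if path is root itself or lies below it (component-wise, not prefix-wise)."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def check_restore_request(user, source, dest_host, dest_path):
    """Return (ok, reason) for a restore request before anything runs under sudo."""
    src, dst = _clean_abs_path(source), _clean_abs_path(dest_path)
    if src is None or dst is None:
        return False, "malformed path"
    if not any(_under(src, r) for r in ALLOWED_SOURCE_ROOTS.get(user, [])):
        return False, "source outside user's allowed roots"
    roots = ALLOWED_TARGETS.get(dest_host.lower())
    if roots is None:
        return False, "destination host not allowed"
    if not any(_under(dst, r) for r in roots):
        return False, "destination path not allowed"
    return True, "ok"
```

The case from the quoted message, a user's own file restored onto another host's passwd file, passes the source check and is stopped only by the destination checks, which is why both sides need an allowlist.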