Veritas-bu

Re: [Veritas-bu] Non-root administration

2008-07-02 20:05:04
Subject: Re: [Veritas-bu] Non-root administration
From: Kyle Oliver <k_f_o AT yahoo DOT com>
To: veritas-bu AT mailman.eng.auburn DOT edu
Date: Wed, 2 Jul 2008 16:46:37 -0700 (PDT)

Let me start by saying that I have made many attempts to implement VxSS, with 
extremely limited success.  I caution anyone who is considering implementing 
VxSS in an existing environment.  I can almost promise you that the backups 
will fail and you will pull some of your hair out.  The only times that I have 
been successful with VxSS have been small lab environments where I implemented 
it from the start.  Even then, the implementation is clear as mud.

I can also tell you that sudo and RBAC methods do not work to circumvent the 
root requirement for NetBackup either.  The binaries are hard-coded to look for 
root (uid 0) and they fail if the user running them is not root or uid 0.

Sorry to rain on your parade or likely confirm what you already know, but 
NetBackup almost forces your hand to be root.

On a possible brighter note, some of the NetBackup commands give data to 
non-root users, though I will caution that we have seen cases where the output 
is not the same for root and non-root users.  I would imagine that some of the 
commands that you are looking for are root only though.  I believe that there 
are ways to grant other users access to the GUI, but I have not tried this, as 
I needed script/CLI access.

For any Symantec folks reading the list, I can assure you that granting 
non-root access to users is much easier with competitive backup products that 
will remain nameless.

-Kyle



------
On Wed, Jul 2, 2008 at 8:06 AM, Esson, Paul <Paul.Esson AT redstor DOT com>
wrote:

    Can I ask the group with UNIX Master Servers how they administer
NetBackup?  We have just moved up to 6.5 on Solaris 10 from 5.x and
discovered the nonroot_admin script is gone.  I could re-apply the
equivalent manually but this method obviously has limitations.

    

    I need to be able to run various commands, use these in scripts
and edit certain files on the Master and the UNIX admin won't give me
root access.  Will sudo help here?


We use sudo extensively here but then we use it to get root.  Our DBAs
use sudo to be able to kick off database restores from our master
server.

A UNIX admin that will let you back up and restore his system but won't
give you root access is being very shortsighted.  If he thinks he's
added any level of security at all, he's wrong.  You can simply
"restore" your own copy of the password file, sudoers, etc.  If you are
able to do backups and restores, you effectively have total control of
those systems.

We have a good working relationship with our system admins - we manage
the application from start to finish but they manage the OS, including
patches.  We always communicate what we're doing and why.  Once you
build that level of trust, you should be able to get the access you need
to do your job completely.

If the admins are going to be pains, however, call them frequently in
the middle of the night.  Every time a backup job fails, wake them up
and ask them to look at a log or config file.  They'll get the hint...
:-)


I believe I've said it here before - if you don't trust your backup
administrator, find yourself another one.  The same holds true for your
system administrators and everybody who has physical access to your
systems.  And your receptionists :-)

   .../Ed

-- 
Ed Wilts, Mounds View, MN, USA
RHCE, BCFP, BCSD, SCSP, SCSE
mailto:ewilts AT ewilts DOT org

If I've helped you, please make a donation to my favorite charity at
http://firstgiving.com/edwilts 





