
Nonroot administration of NBU on Unix command line

naughty_bits
Level 3
Certified

Hi all,

I'm looking for a way to have (6.0 and 6.5) master server(s) configured so that all the commands, log files, etc, can be run/accessed by an account other than root.  Is this possible (perhaps by a series of chown/chgrp commands) and/or documented somewhere?  I've looked through the Sysadmin guides and only found a way to configure the GUI for nonroot.

 

Thanks a bunch!

Omar_Villa
Level 6
Employee

This is a Unix issue more than a NetBackup one. Access to the files and commands depends on how you configure it: you can always create groups to access some specific folders, or use something like Keon or sudo, so you can list which commands each user or group can use.

Regards

sdo
Moderator
Moderator
Partner    VIP    Certified

It is possible.  We admin NBU from a non-root a/c on Solaris 10 active/passive VCS master server running v6.5.2A.

We only have write access to the log folders, and sudo access to most NetBackup commands.  We don't have write access to any scripts that NetBackup runs, e.g. backup_exit_notify - so we can't accidentally interject malicious code.  Basically, we have deliberately locked ourselves out of root-level access.

We supplied the SAs with a long list of programs that we want to be able to sudo (e.g. bprdreq, bpdbjobs, vmdareq, etc...) but specifically excluded others (e.g. bpbkar, bpcd, bptm, etc...).

We also need read-level access to quite a few files and folders (e.g. /dev/rmt, /etc/hosts, etc...) but you can work these out as you go along.

Basically, all you need is an SA who is willing to be responsive to quick changes to granting read access to files, and to making quick modifications to sudoers so that you can get on with your job.  In the end the number of requests for change will reduce as you expand your rights to folders, files and programs.

In summary, we can administer NetBackup just fine from a non-root account.  It's just a shame that Symantec don't supply a wizard to configure it for you.
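The property described in the post above (no write access for the admin account to anything NetBackup or sudo runs as root) can be checked mechanically. The shell function below is an added example, not part of the original thread: the paths to audit are passed as arguments, and the function name and the WRITABLE/OWNER/MISSING report labels are this example's own.

```shell
#!/bin/sh
# Added example: report anything under the given paths that someone other
# than the expected owner could modify. Intended for the directories holding
# sudo-allowed commands and the scripts NetBackup runs (e.g. backup_exit_notify).
#   WRITABLE  group- or world-writable file or directory
#   OWNER     file or directory not owned by the expected owner
#   MISSING   path does not exist
# Usage: audit_exec_paths [-o owner] path...   (owner defaults to root)
audit_exec_paths() {
    owner=root
    if [ "$1" = "-o" ]; then owner=$2; shift 2; fi
    for p in "$@"; do
        if [ ! -e "$p" ]; then echo "MISSING $p"; continue; fi
        # A writable directory is as bad as a writable script:
        # whoever can write to it can replace the files inside.
        find "$p" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
            -exec printf 'WRITABLE %s\n' {} \;
        find "$p" \( -type f -o -type d \) ! -user "$owner" \
            -exec printf 'OWNER %s\n' {} \;
    done
}

# Called with arguments, audit those paths; with none, only define the function.
if [ "$#" -gt 0 ]; then audit_exec_paths "$@"; fi
```

An empty report means every audited file and directory is owned by the expected owner and writable only by that owner.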

naughty_bits
Level 3
Certified

Thanks for your quick response.  I kind of figured that it would be a manual process and it is a shame that Symantec hasn't picked up on this yet.  Well, I'm off to compile a list of things we need to run NBU and hope that the Unix SAs do not respond with a loud "You want what?!?!" :)

TTFN

J_H_Is_gone
Level 6

There are a couple of other options, depending on how strict your Unix security is.

Sudo - the SA can set up a sudoers file that allows "people in a list" to run "commands in a list" as root.

So they could set it up so that you are allowed to run the NetBackup commands as root.

They could also set it up so that you can use the more command on the log files and dirs.

If your security is such that sudo is NOT allowed, they can get some software like Power Broker that does the same as sudo but is much more secure, reports all uses and who used it, and records what happened.

Sudo is not usually allowed by auditors, where Power Broker is normally allowed.