Managing Limited Sudo Access in Linux: Essential Commands for Veeam Backup & Replication v12

  • 9 February 2024
  • 5 comments
  • 135 views

Userlevel 4
Badge +1

In my interactions with numerous customers through my role, a recurring concern is their reluctance to grant open sudo access. However, many are more receptive to the idea of allowing limited sudo commands specifically needed by the application.

Today, let's explore the sudo commands required by Veeam Backup & Replication v12 for the Veeam Agent for Linux. Bear in mind that this list is subject to modification based on community feedback. I encourage you to participate in this collaborative effort – feel free to suggest additions or removals to this list, which I've compiled based on my preliminary research.

The necessary sudo commands for the veeamserviceraccount are as follows:
 

veeamserveraccount ALL=/usr/bin/[ -d /tmp/ ],/usr/bin/id,/usr/bin/whoami,/usr/bin/mkdir,/usr/bin/rmdir,/usr/bin/arch,/usr/bin/uname,/opt/veeam/veeaminstaller,/usr/bin/rm,/usr/bin/cp,/usr/bin/chown,/usr/bin/veeamconfig,/usr/bin/chmod,/usr/bin/mv,/usr/bin/sh,/usr/bin/touch,/tmp/VeeamAgent*-*-*-*,/usr/bin/ps,/usr/sbin/modinfo,/usr/bin/scp,/bin/find,/bin/ls,/opt/veeam/deployment/veeamdeploymentsvc,/opt/veeam/transport/veeamtransport-link,/bin/tar,/opt/veeam/transport/veeamtransport

Now, let's discuss how you can assign limited sudo access to a user in Linux:

  1. Open the Sudoers File: Use visudo command to safely edit the sudoers file. This prevents syntax errors and maintains file integrity.
  1. Specify User and Commands: In the sudoers file, specify the user and the commands they are allowed to execute. Use the format username ALL=(ALL) NOPASSWD: /path/to/command. Replace username with the actual user's name and /path/to/command with the command you're permitting.
  1. Limit Access: To restrict the user to specific commands, list each allowed command separated by commas. Ensure no spaces are used between the commas and commands.
  1. Save and Exit: After specifying the commands, save the file and exit. The visudo editor typically uses vi commands, so you can save and exit by typing :wq.
  1. Test the Configuration: Finally, test the configuration to ensure the user has the correct limited sudo access.

Remember, providing limited sudo access is a crucial aspect of maintaining system security while enabling necessary functionalities. As always, stay tuned for more insights and updates from the field!


5 comments

Userlevel 7
Badge +15

Great modification @vmali . And one that’ll hopefully help mitigate hesitations users have in implementing Linux Veeam components in their environment

Userlevel 7
Badge +4

It is a very important topic and thanks for sharing, @vmali !

Userlevel 7
Badge +20

Love this as it meets security best practices and something everyone should look in to.  Thanks for sharing.

Userlevel 7
Badge +7

Hello @vmali , i had to do the reverse eng’ three years ago. I would have loved to read that hehe :).
Time to update our intenal ansible roles.

Could you tell me if it’s possible to have this information on the bp site? Is it updated with the new Veeam Deployment daemon?

I’m not a huge fan of veeam using /tmp to install the daemon, by default on OS hardened this mount point is noexec.

Userlevel 7
Badge +6

This is a very timely posting as I just came across visudo the other day as I am troubleshooting the deployment of a couple of linux CDP proxy’s.  Thanks for this!

Comment