In my interactions with numerous customers through my role, a recurring concern is their reluctance to grant open sudo access. However, many are more receptive to the idea of allowing limited sudo commands specifically needed by the application.
Today, let's explore the sudo commands required by Veeam Backup & Replication v12 for the Veeam Agent for Linux. Bear in mind that this list is subject to modification based on community feedback. I encourage you to participate in this collaborative effort – feel free to suggest additions or removals to this list, which I've compiled based on my preliminary research.
The necessary sudo commands for the veeamserviceraccount are as follows:
veeamserveraccount ALL=/usr/bin/i -d /tmp/ ],/usr/bin/id,/usr/bin/whoami,/usr/bin/mkdir,/usr/bin/rmdir,/usr/bin/arch,/usr/bin/uname,/opt/veeam/veeaminstaller,/usr/bin/rm,/usr/bin/cp,/usr/bin/chown,/usr/bin/veeamconfig,/usr/bin/chmod,/usr/bin/mv,/usr/bin/sh,/usr/bin/touch,/tmp/VeeamAgent*-*-*-*,/usr/bin/ps,/usr/sbin/modinfo,/usr/bin/scp,/bin/find,/bin/ls,/opt/veeam/deployment/veeamdeploymentsvc,/opt/veeam/transport/veeamtransport-link,/bin/tar,/opt/veeam/transport/veeamtransport
Now, let's discuss how you can assign limited sudo access to a user in Linux:
- Open the Sudoers File: Use visudo command to safely edit the sudoers file. This prevents syntax errors and maintains file integrity.
- Specify User and Commands: In the sudoers file, specify the user and the commands they are allowed to execute. Use the format username ALL=(ALL) NOPASSWD: /path/to/command. Replace username with the actual user's name and /path/to/command with the command you're permitting.
- Limit Access: To restrict the user to specific commands, list each allowed command separated by commas. Ensure no spaces are used between the commas and commands.
- Save and Exit: After specifying the commands, save the file and exit. The visudo editor typically uses vi commands, so you can save and exit by typing :wq.
- Test the Configuration: Finally, test the configuration to ensure the user has the correct limited sudo access.
Remember, providing limited sudo access is a crucial aspect of maintaining system security while enabling necessary functionalities. As always, stay tuned for more insights and updates from the field!