
In my interactions with numerous customers through my role, a recurring concern is their reluctance to grant open sudo access. However, many are more receptive to the idea of allowing limited sudo commands specifically needed by the application.

Today, let's explore the sudo commands required by Veeam Backup & Replication v12 for the Veeam Agent for Linux. Bear in mind that this list is subject to modification based on community feedback. I encourage you to participate in this collaborative effort – feel free to suggest additions or removals to this list, which I've compiled based on my preliminary research.

The necessary sudo commands for the veeamserveraccount user are as follows:

veeamserveraccount ALL=/usr/bin/[ -d /tmp/ ],/usr/bin/id,/usr/bin/whoami,/usr/bin/mkdir,/usr/bin/rmdir,/usr/bin/arch,/usr/bin/uname,/opt/veeam/veeaminstaller,/usr/bin/rm,/usr/bin/cp,/usr/bin/chown,/usr/bin/veeamconfig,/usr/bin/chmod,/usr/bin/mv,/usr/bin/sh,/usr/bin/touch,/tmp/VeeamAgent*-*-*-*,/usr/bin/ps,/usr/sbin/modinfo,/usr/bin/scp,/bin/find,/bin/ls,/opt/veeam/deployment/veeamdeploymentsvc,/opt/veeam/transport/veeamtransport-link,/bin/tar,/opt/veeam/transport/veeamtransport

Now, let's discuss how you can assign limited sudo access to a user in Linux:

  1. Open the sudoers file: use the visudo command to edit /etc/sudoers or a drop-in file under /etc/sudoers.d. visudo locks the file and checks the syntax before it is saved, so a typo cannot leave sudo unusable for every account on the host.
  2. Specify the user and commands: add a line in the format username ALL=(ALL) NOPASSWD: /path/to/command. Replace username with the service account and /path/to/command with the absolute path of the command you are permitting. sudoers only accepts absolute paths, and the paths differ between distributions (/bin/ls on older Ubuntu versus /usr/bin/ls on merged-/usr systems), so confirm each path on the target host with command -v rather than copying it from another system.
  3. Limit access: list every allowed command after the colon, separated by commas. Whitespace after a comma is ignored, so the list may be written readably. Each entry may also carry fixed arguments, as the [ -d /tmp/ ] entry above does, in which case sudo permits only that exact invocation.
  4. Save and exit: visudo opens your default editor, which is vi unless EDITOR is set, so in vi you save and exit by typing :wq. If visudo reports a parse error, choose to re-edit the file rather than discarding the change.
  5. Test the configuration: as root, run sudo -l -U username to print exactly what the account may run, then log in as the account and execute each command in the list with sudo. Bear in mind that entries such as /usr/bin/sh, /bin/find and /bin/tar can each be used to start a root shell, so a list like this reduces the blast radius of mistakes and gives you an audit trail in the sudo log; it does not hard-contain a compromised service account.
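
The five steps above, as an added example that is not part of the original post and not Veeam's own tooling. It resolves the command names to their absolute paths on the host it runs on (the Ubuntu point raised in the comments), builds the sudoers entry, syntax-checks it with visudo -cf before installing it, and prints the resulting grants with sudo -l. The account name veeamserveraccount, the drop-in path /etc/sudoers.d/veeam-agent, the (root) runas and the NOPASSWD tag are assumptions for illustration, not Veeam defaults.

```shell
#!/bin/sh
# Added example: build, validate and test a restricted sudoers drop-in for a
# service account. Not from the post or from Veeam. The account name
# "veeamserveraccount" and the drop-in path /etc/sudoers.d/veeam-agent are
# illustrative assumptions.

# Print one sudoers entry. Commands are comma-separated; sudoers ignores the
# whitespace after the comma, so the list stays readable.
build_sudoers_entry() {
    user=$1
    shift
    list=""
    for cmd in "$@"; do
        if [ -z "$list" ]; then
            list=$cmd
        else
            list="$list, $cmd"
        fi
    done
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$list"
}

# Resolve a bare command name to its absolute path on THIS host. sudoers
# requires absolute paths, and they differ between distributions (/bin/ls on
# older Ubuntu, /usr/bin/ls on merged-/usr systems), so never hard-code them.
resolve_cmd() {
    command -v "$1"
}

# Build the entry from command names, resolving each one. Fails loudly if a
# name is missing so a typo does not silently drop a permission.
build_entry_for_host() {
    user=$1
    shift
    resolved=""
    for name in "$@"; do
        path=$(resolve_cmd "$name") || { echo "not found: $name" >&2; return 1; }
        resolved="$resolved $path"
    done
    # shellcheck disable=SC2086
    build_sudoers_entry "$user" $resolved
}

# Write the entry to a temporary file, syntax-check it with visudo -cf and
# only then move it into place. A broken file in /etc/sudoers.d can lock
# every account out of sudo, which is why step 1 insists on visudo.
install_dropin() {
    file=$1
    entry=$2
    tmp=$(mktemp) || return 1
    printf '%s\n' "$entry" > "$tmp"
    chmod 0440 "$tmp"
    visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# Step 5: show what the account can actually run, without waiting for the
# Veeam console to rescan the host. Must run as root.
show_grants() {
    sudo -l -U "$1"
}

# Usage (as root): ./limited-sudo.sh install
# Resolves the post's command names for this host, installs the drop-in and
# lists the resulting grants. Paths under /opt/veeam are left out here because
# they only exist once the agent is deployed; add them the same way.
if [ "${1:-}" = "install" ]; then
    entry=$(build_entry_for_host veeamserveraccount id whoami mkdir rmdir \
        arch uname rm cp chown chmod mv sh touch ps modinfo scp find ls tar) || exit 1
    install_dropin /etc/sudoers.d/veeam-agent "$entry" || exit 1
    show_grants veeamserveraccount
fi
```

The entry it produces grants sh, find, tar, cp, mv, chown and chmod as root, exactly as the post's list does, and each of those is enough to obtain an unrestricted root shell. That is worth saying plainly to whoever signs off on the change: the value of the list is that the account cannot run arbitrary commands by accident and that every invocation is logged by sudo, not that a compromised service account is contained.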

Remember, providing limited sudo access is a crucial aspect of maintaining system security while enabling necessary functionalities. As always, stay tuned for more insights and updates from the field!

Great modification @vmali. And one that'll hopefully help mitigate the hesitations users have in implementing Linux Veeam components in their environment.


It is a very important topic and thanks for sharing, @vmali !


Love this as it meets security best practices and is something everyone should look into. Thanks for sharing.


Hello @vmali, I had to do the reverse engineering three years ago. I would have loved to read that hehe 🙂.
Time to update our internal Ansible roles.

Could you tell me if it’s possible to have this information on the bp site? Is it updated with the new Veeam Deployment daemon?

I’m not a huge fan of Veeam using /tmp to install the daemon; by default on a hardened OS this mount point is noexec.


This is a very timely posting, as I just came across visudo the other day while troubleshooting the deployment of a couple of Linux CDP proxies. Thanks for this!


Thanks for the list of allowed commands!

Note: on my Ubuntu 20 LTS, many of the commands needed to have ‘/usr’ stripped from the path, as the commands live in the /bin/ directory.

Also, had to add ‘/usr/bin/dpkg’.

Tip: it is very handy to log in as your service account user with just an SSH client and test that the account can execute each of the commands in the list (with sudo). Faster and more informative than iterating through multiple attempts to get the Veeam B&R console to rescan and/or install components.

Cheers!

