
Hello,
What are the minimum permissions that a Linux user needs to have to be able to do file level restore using Veeam?
The setup is as follows:

I have a Rocky Linux 9.5 OS VM and I have a Win Server host where Veeam is located.
The goal is to be able to do file level restore from that Linux server. The thing is I need a user for it.
What I would like to do: I only want the user to be able to do a restore from one specific directory. I don’t want him to be able to see anything else or do anything else, except the restore part. What is the best way to achieve this?

From the Veeam Agent for Linux User Guide, you need:

The best way to do this is, if you can, create a test Linux VM, create a local Veeam restore (service) account, then do test restores. Since the User Guide above doesn’t share what permissions specifically are needed on the Linux host itself, aside from testing, I’d reach out to Veeam Support.

Best.


Over the VIX protocol it is possible to restore only with root - VMware design.

Over RPC/network you can use users with less permission.

As far as I have experience, each user will see the entire image of the VM, but restore will not allow you to restore if you don't have permission.


Thank you for the answers.
Maybe I was not clear on what I am trying to achieve.
I do not need/want an agent. I have a virtual machine that has Linux on it. Veeam is installed on a Win Server.
I am trying to achieve that the Linux user, who will be authorizing with an SSH keypair and with whom I will be connecting to the Linux server to do the restore with Veeam (that is on Windows), can only restore files from a specific directory and nothing else. I don’t want to give him sudo, I don’t want him to be able to do other things on my system.
Can you help me with this? I would appreciate it.


Hi, if you are using an SSH key in the job, you don’t need to specify credentials at restore. You will use exactly the permissions the SSH key has. So you will see the directories, and you can even start a restore, but only those files will be restored which could be “managed” with this SSH key.


Hi, I am still a beginner when it comes to Veeam, and the question I will ask might sound dumb.
But when I try to connect my Linux machine to Veeam, it’s asking me for the user even if I want to use an SSH key-pair. I think I am confusing something with something?


In the backup job you have set guest credentials for this VM - is "Test now" working?

Why are you using this SSH key? Do you have a pre/post-script?

Are you trying to restore from the VBR console or from EM? Under which role are you trying to run the restore?


Why are you using this SSH key?
I am asked to.
Do you have a pre/post-script?
No.
Are you trying to restore from the VBR console or from EM?
VBR console.
Under which role are you trying to run the restore?
Veeam backup administrator.

In the backup job you have set guest credentials for this VM - is "Test now" working?
I do not see "Test now".

P.S. I can restore normally, but I would like to limit that one Linux user that I am using for this.

Basically I have to test and create a plan for file level restore in my company, and I did, but there comes a question: I have to limit this Linux user since we don’t want to give sudo access (and apparently for FLR I have to?), not sure.

Thank you for your time.


So you don’t use this SSH key in the job?

Then what I wrote above is valid.

During the restore process you will specify the SSH key - you will be able to see the entire server structure, but only the part the SSH key has permission for will be restorable.

This is valid if the restore is over RPC, as over the VIX protocol it is root permission only.


Yes and yes. The part I specified in Veeam, right?
But when I am adding the Linux server to inventory, and when it’s installing the transporter and installer, it’s asking me for credentials in that step. When I am giving the user account name etc., it doesn’t work if I don’t give sudo access to that user. This is what I am trying to avoid.


If you are adding a Linux VM into managed servers - this is as backup components, which requires full permission - there is no other way.

I was talking about customer VMs ...


No, no, sorry, as I said I am a beginner. It’s probably my fault for not explaining it precisely enough.
Since you mentioned full permission, and now you know what it is about, can you tell me what is the best way to do it?
One user and give him sudo, or maybe some kind of limitations?
Thank you


Maybe I can use something like this:
sudo visudo
flruser ALL=(ALL) NOPASSWD: /bin/mount, /bin/umount, /sbin/fdisk, /sbin/blkid, /sbin/lvdisplay, /sbin/vgdisplay, /sbin/pvdisplay
But in this case, how to know what that user needs in order for this to work properly?


@curious -

See this section in the VBR User Guide on Linux FLR:
https://helpcenter.veeam.com/docs/backup/vsphere/multios_restore_before_you_begin.html?ver=120

Specifically, scroll down to the following bullet item:

Linux FLR Considerations

“...you must use a root account for the target VM and check the /tmp directory on the target VM is mounted with the exec option; otherwise restore will fail.” This is if the restore process uses VIX API.

Hope that helps. Sometimes understanding what permissions are needed where to do restores of any kind is a bit vague. As such, you should also reach out to Veeam Support to verify what is needed and if you can do what you’re specifically wanting to do, which it appears you’re not.

Best


Something I thought of that you can try, if you haven’t already done so... Whatever user you are using, does this user have full owner and group permissions on the directory tree you may need to do restores to? That might be all that’s needed.
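
Added example (not part of the original posts, and not Veeam code): a pre-flight check an admin could run on the target Linux VM for the two host-side conditions raised above, that /tmp is mounted with the exec option (the User Guide quote, for VIX-based restores) and that the restore account owns the target directory tree. The function names and the sample mount table are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: host-side pre-flight checks before a Linux file-level restore.
# Function names and sample data are illustrative, not taken from Veeam.

# mount_opts_for PATH
# Reads a mount table in /proc/self/mounts format on stdin and prints the
# options of the mount that contains PATH (longest matching mount point;
# a later entry wins a tie, as a later mount shadows an earlier one).
mount_opts_for() {
    awk -v p="$1" '
        BEGIN { best = -1 }
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }
    '
}

# tmp_allows_exec
# Mount table on stdin; succeeds unless the mount holding /tmp has noexec.
tmp_allows_exec() {
    opts=$(mount_opts_for /tmp)
    case ",$opts," in
        *,noexec,*) return 1 ;;
        *)          return 0 ;;
    esac
}

# first_foreign_entry USER DIR
# Prints the first path under DIR not owned by USER (name or numeric UID);
# empty output means the whole tree belongs to USER.
first_foreign_entry() {
    find "$2" ! -user "$1" -print -quit 2>/dev/null
}

# Constructed sample mount table (not from a real host): /tmp is a noexec tmpfs.
SAMPLE='/dev/mapper/rl-root / xfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0'

if printf '%s\n' "$SAMPLE" | tmp_allows_exec; then
    echo "/tmp: exec allowed"
else
    echo "/tmp: mounted noexec; a restore that needs exec on /tmp would fail"
fi
```

On the target VM itself, feed the live table with `tmp_allows_exec < /proc/self/mounts`, and pass the restore account and the directory you restore into to `first_foreign_entry`.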


Yes, he has all the permissions he needs and I can do it, but he also has sudo since it tells me “This user needs to have sudo permissions”, and when I elevate that user with the root password in Veeam in credentials then it works, so I guess this is something we can’t avoid.

tl;dr: for file level restore in this scenario I guess the user needs to have sudo


Yes... I think there’s no way around that per your testing and what the Guide says.

Hey... at the very least, you can go over to the Forums and ping the Veeam PMs on a feature request of being able to do FLR or any kind of restores to Linux using SSH Keys. Worth a shot. And, it may be something that’s already in the works (they can let you know its priority or if they’re already looking into it).

Best


For sure I will!
Thank you @Marcel.K and @coolsport00 for your insight.
Cheers.


No problem @curious


Anytime!

