File Level Restore user permissions

From the Veeam Agent for Linux User Guide, you need:

• Permissions on the Network Share Repos if you use that:
  https://helpcenter.veeam.com/docs/agentforlinux/userguide/files_restore_before.html?ver=60
• Access Permissions on the VBR Repo if you use that:
  https://helpcenter.veeam.com/docs/agentforlinux/userguide/integrate_permissions.html?ver=60
• I don’t see any other permissions required for the Linux host the Agent is on itself, but you would probably want to add the user as user owner & group owner of the folder area (and sub-folder/files) where you would allow the user to restore to

The best way to do this is, if you can, create a test Linux VM, create a local Veeam restore (service) account, then do test restores. Since the User Guide above doesn’t share what permissions specifically are needed on the Linux host itself, aside from testing, I’d reach out to Veeam Support.

Best.

over VIX protocol is possible to restore only with root - VMware design

over RPC/network - you can use less permission of users

as far as i have experience, each user will see entire image of VM, but restore will no allow you to restore, if you don't have permission

Thank you for answers.
Maybe I was not clear on what I am trying to achieve.
I do not need/want an agent. I have virtual machine that has Linux on it. Veeam is installed on win server.
I am trying to achieve that the Linux user that will be authorizing with ssh keypair and with him I will be connecting on Linux server to do restore with Veeam (that is on Windows), so that this user only can restore that files from specific directory and nothing else, I don’t want to give him sudo, I don’t him to be able to do other things on my system.
Can you help me with this I would appreciate it?

Hi, if you are using ssh key in the job, you don’t need to specify credentials by restore. You will use exactly permission as ssh key has. So directories you will see, even restore you can start, but files will be restored only that, which could be “managed” with this ssh key.

Hi, I am still beginner when it comes to Veeam and the question I will ask might sound dumb.
But, when I try to connect my Linux machine to Veeam, it’s asking me for the user even if I want to use ssh key-pair. I think I am confusing something with something?

in the backup job you have set guest credentials for this VM - Test now is working?

why you are using this ssh key? Do you have pre/post- script?

are you trying to restore form VBR console of from EM? Under which role do you trying to run restore?

why you are using this ssh key?
I am asked to.
Do you have pre/post- script?
No.
are you trying to restore form VBR console of from EM? 
VBR console.
Under which role do you trying to run restore?
Veeam backup administrator.

in the backup job you have set guest credentials for this VM - Test now is working?
I do not see test now.

p.s. I can restore normally, but I would like to limit that one Linux user that I am using to this.

Basically I have to test and create plan for file level restore in my company and I did but there comes a question, I have to limit this linux user since we we don’t want to give sudo access (and apparently for FLR i have?) not sure.

Thank you for your time.

so you don’t use this ssh key in the job?

then is valid, what i wrote above

during restore process, you will specify ssh key - you will be able to see entire server structure, but restorable will be only part, for what has ssh key permission

this is valid if restore is over RPC, as over VIX protocol is root permission only

Yes and yes. The part I specified in Veeam right?
but when I am adding linux server to inventory and when it’s installing transporter and installer it’s asking me for credentials in that step, when I am giving user account name etc. it doesn’t work if I don’t give sudo access to that user this is what I am trying to avoid.

if you are adding linux VM into managed servers - this is as backup components, which requires full permission - there is no other way

i was talking about customer VMs ...

No, no, sorry as I said I am a beginner. It’s probably my fault for not explaining it precise enough.
Since you mentioned full permission, and now you know what is it about, can you tell me what is the best way to do it?
One user and give him sudo, or maybe some kind of limitations?
Thank you

Maybe I can use something like this
sudo visudo
flruser ALL=(ALL) NOPASSWD: /bin/mount, /bin/umount, /sbin/fdisk, /sbin/blkid, /sbin/lvdisplay, /sbin/vgdisplay, /sbin/pvdisplay
but in this case, how to know what does that user needs in order for this to work properly? 

​@curious -

See this section in the VBR User Guide on Linux FLR:
https://helpcenter.veeam.com/docs/backup/vsphere/multios_restore_before_you_begin.html?ver=120

Specifically, scroll down to the following bullet item:

“...you must use a root account for the target VM and check the /tmp directory on the target VM is mounted with the exec option; other restore will fail.” This is if the restore process uses VIX API.

Hope that helps. Sometimes understanding what permissions are needed where to do restores of any kind are a bit vague. As such, you should also reach out to Veeam Support to verify what is needed and if you can do what you’re specifically wanting to do, which it appears you’re not.

Best

Something I thought of you can try, if you haven’t already done so..whatever user you are using, does this user have full owner and group permissions on the directory tree you may need to do restores to? That might be all that’s needed.

Yes he has all permissions he needs and I can do it, but he also has sudo since it tells me “This user needs to have sudo permissions” and when I elevate that user with root password in veeam in credentials then it works, so I guess this is something we can’t avoid.

tldr: for file level restore in this scenario I guess user needs to have sudo

Yes...I think there’s no way around that per your testing and what the Guide says. 

Hey..at the very least, you can go over to the Forums and ping the Veeam PMs on a feature request of being able to do FLR or any kind of restores to Linux using SSH Keys. Worth a shot. And, it may be something that’s already in the works (they can let you know its priority or if they’re already looking into it).

Best

For sure I will!
Thank you ​@Marcel.K  and ​@coolsport00  for your insight.
Cheers.

No problem ​@curious 

Anytime!

Hey, is it possible to restore specific file (FLR) without being root?

yes, over RPC - over network, but not over VIX protocol - due design of hypervisor (like on vmware only root is able to restore over network less restore - injecting over vSphere API)

so if in log you don't see restoring over VIX protocol, then it works with less permission

so for flr appliance, mount server and VBR have to resolve hostname and they have to have connection to guest VM

​@curious -

According to the User Guide, the target/destination needs root (see my comment above). It looks like the source doesn’t need root, but have proper file/folder owner/group permissions with sudo.

Best.

Okay so, so far:

I manage to do some things. now I have trouble while trying to restore using non-root credentials even thought I manage to create backup that I can restore from with normal user account without adding it into wheel or elevating it.
I’ll send screenshot of an error down here, any advices on resolving this (always trying to avoid giving this user any sudo/root rights, or how can I figure out what does he need/which commands I can add them into sudoers?) Thank you

Hi ​@curious -

I provided info what the User Guide says for permissions. Aside from there (and I agree...that area is a bit vague), you can reach out to Support to get specific permissions needed. I still think root is needed..but only Support can confirm (keep in mind, we aren’t support here on the Community Hub).

Best.

Thank you yes, I understand you are not support, I like to challenge myself too :D
Anyway, thank you so much