Granular sudo Permissions for Management of Veeam Agent for Linux Deployments
Purpose
This article provides examples of granular ‘sudo’ configuration for Linux user accounts for Agent Management.
Cause
Per the Agent Management User Guide, a user account for Agent Management should have administrative permissions on the computer you want to add to a protection group or a job. If you would like to avoid using the ‘root’ account in favor of a sudoer account, you may also want to set permissions granularly for one. This document helps you to achieve this goal.
Solution
- The Linux user account used by Veeam Backup & Replication for any Veeam Agent for Linux deployment and management operations must have /bin/bash set as its default shell.
- The account must either be ‘root’ or have permissions to execute a specific list of commands as a sudoer on the target Linux machine. (See examples below.)
Distro-specific sudoers Examples
The examples below were developed for specific Linux distros, which are indicated before each example. Process locations may need to be adjusted if using a different distro.
Veeam Agent for Linux 6.1.x / Veeam Backup & Replication 12.1.x
The example /etc/sudoers below is valid for RHEL, SLES, Debian, and Ubuntu.
Optional Additional Customization
In the sudoers example below, four lines under #DEPLOYMENT INSTALL (lines # 16, 18, 20, and 22) use a wildcard for the package version by default (e.g., /tmp/veeamdeployment-12.1.0.*-1.x86_64.rpm). You may optionally update those lines with the precise package file names found on the Veeam Backup Server in:
C:\Program Files\Veeam\Backup and Replication\Backup\Packages
For example, Veeam Backup & Replication 12.1.0.2131 uses deployment packages named:
- veeamdeployment_12.1.0.2131_amd64.deb
- veeamdeployment-12.1.0.2131-1.x86_64.rpm
#MISC
veeamdep ALL=(root) /usr/bin/id -au
veeamdep ALL=(root) /usr/bin/whoami
#MKDIR
veeamdep ALL=(root) /bin/mkdir -p /opt/veeam
#RM
veeamdep ALL=(root) /bin/rmdir /opt/veeam
veeamdep ALL=(root) /bin/rmdir /opt/veeam/Upload
veeamdep ALL=(root) /bin/rm -rf /opt/veeam/deployment/
veeamdep ALL=(root) /usr/bin/rm /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/rm /opt/veeam/ValPackageIndex.xml
#DEPLOYMENT INSTALL
veeamdep ALL=(root) /bin/yum --assumeyes --errorlevel=0 install /tmp/veeamdeployment-12.1.0.*-1.x86_64.rpm
veeamdep ALL=(root) /bin/yum --assumeyes --errorlevel=0 remove veeamdeployment
veeamdep ALL=(root) /bin/rpm --install /tmp/veeamdeployment-12.1.0.*-1.x86_64.rpm
veeamdep ALL=(root) /bin/rpm --erase veeamdeployment
veeamdep ALL=(root) /usr/bin/dpkg --force-confold --install /tmp/veeamdeployment_12.1.0.*_amd64.deb
veeamdep ALL=(root) /usr/bin/dpkg --purge veeamdeployment
veeamdep ALL=(root) /usr/bin/zypper --terse --non-interactive --no-gpg-checks install --auto-agree-with-licenses --force-resolution /tmp/veeamdeployment-12.1.0.*-1.x86_64.rpm
veeamdep ALL=(root) /usr/bin/zypper --terse --non-interactive --no-gpg-checks remove veeamdeployment
#DEPLOYMENT SERVICE
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --dll-version
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --get-port
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --uninstall
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-user veeamdep
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --disable-restricted-mode
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-base-log-path /var/log/VeeamBackup
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --restart
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --get-fingerprint
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install 6160
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install-server-certificate /tmp/VeeamUpload*/ServerCertificate
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install-certificate /tmp/VeeamUpload*/ClientCertificate
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-max-log-size 10485760
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-max-log-count 10
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --get-bios-uuid
#TRANSPORT
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport --version
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport-link --get-user
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport --disable-restricted-mode
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport-link --set-user root
#VEEAMCONFIG
veeamdep ALL=(root) /usr/bin/veeamconfig vbrcmd print --agentInfo
veeamdep ALL=(root) /usr/bin/veeamconfig --stdin
Veeam Agent for Linux 6.0.x / Veeam Backup & Replication 12.0.x
Example /etc/sudoers entries for RHEL and SLES:
#MISC
veeamdep ALL=(root) /usr/bin/arch
veeamdep ALL=(root) /usr/bin/md5sum /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/echo $HOME
veeamdep ALL=(root) /usr/bin/ls /opt/veeam/transport/veeamtransport-link
veeamdep ALL=(root) /usr/bin/ls /opt/veeam/deployment/veeamdeploymentsvc
veeamdep ALL=(root) /usr/bin/ls /opt/veeam/transport/veeamtransport
veeamdep ALL=(root) /bin/tar xvzf /tmp/VeeamDeploymentSvc_12.* -C /opt/veeam/deployment --no-same-owner
veeamdep ALL=(root) /usr/bin/id -au
veeamdep ALL=(root) /usr/bin/whoami
#MKDIR
veeamdep ALL=(root) /bin/mkdir -p /opt/veeam
veeamdep ALL=(root) /bin/mkdir --parents /opt/veeam/Upload/*
veeamdep ALL=(root) /bin/mkdir --parents /opt/veeam/deployment
#CP
veeamdep ALL=(root) /usr/bin/cp -f /home/veeamdep/* /tmp/VeeamDeploymentSvc_12*
veeamdep ALL=(root) /usr/bin/cp -f /home/veeamdep/* /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /usr/bin/cp -f /home/veeamdep/* /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/cp -f /home/veeamdep/* /opt/veeam/Upload/*
#RM
veeamdep ALL=(root) /bin/rmdir /opt/veeam*
veeamdep ALL=(root) /usr/bin/rm -rf /opt/veeam/Upload/*
veeamdep ALL=(root) /bin/rm -rf /opt/veeam/deployment
veeamdep ALL=(root) /usr/bin/rm /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/rm /opt/veeam/Upload/*
veeamdep ALL=(root) /usr/bin/rm /opt/veeam/*
veeamdep ALL=(root) /usr/bin/rm /opt/veeam/deployment/certs/*
veeamdep ALL=(root) /usr/bin/rm /opt/veeam
veeamdep ALL=(root) /usr/bin/rm -f /tmp/VeeamDeploymentSvc_12.*
#TOUCH
veeamdep ALL=(root) /usr/bin/touch /tmp/VeeamDeploymentSvc_12*
veeamdep ALL=(root) /usr/bin/touch /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /usr/bin/touch /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/touch /opt/veeam/Upload/*
#CHGRP
veeamdep ALL=(root) /usr/bin/chgrp root /opt/veeam/veeaminstaller
#CHOWN
veeamdep ALL=(root) /usr/bin/chown * /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/chown root /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/chown -hR root /opt/veeam/deployment
veeamdep ALL=(root) /usr/bin/chown * /opt/veeam/ValPackageIndex.xml
#CHMOD
veeamdep ALL=(root) /usr/bin/chmod 0766 /opt/veeam/Upload/*
veeamdep ALL=(root) /usr/bin/chmod 0750 /home/veeamdep/*
veeamdep ALL=(root) /usr/bin/chmod 0750 /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/chmod 0644 /tmp/VeeamDeploymentSvc_12*
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment/Upload
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/PackagesRegistry/VeeamTransport/PackageInfo
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment/PackagesRegistry/VeeamTransport
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment/PackagesRegistry
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment/ca-trusted
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment/scripts
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment/certs
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment/certs/client
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/ca-trusted/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/ca-trusted/DigiCertTrustedRootG4.crt.pem
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/libVeeamDeploymentDll.so
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/scripts/veeamdeployment
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/scripts/veeamdeployment.service
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/VeeamDeploymentConfig
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/certs/client/cert_*.pem
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/certs/cert.p12
veeamdep ALL=(root) /usr/bin/chmod 744 /opt/veeam/deployment/veeamdeploymentsvc
veeamdep ALL=(root) /usr/bin/chmod 0750 /opt/veeam/ValPackageIndex.xml
#FIND
veeamdep ALL=(root) /usr/bin/find /opt/veeam/deployment -type f -not -path /opt/veeam/deployment/veeamdeploymentsvc
veeamdep ALL=(root) /usr/bin/find /opt/veeam/deployment -type d
#DEPLOYMENT SERVICE
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --dll-version
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --get-port
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --uninstall
#
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-user veeamdep
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --disable-restricted-mode
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-base-log-path /var/log/VeeamBackup
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --restart
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install-server-certificate /opt/veeam/Upload/*
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --get-fingerprint
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install-certificate /opt/veeam/Upload/*
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install 6160
#INSTALLER
veeamdep ALL=(root) /opt/veeam/veeaminstaller --install-info VAL --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --package-name-pattern-for-file-name --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --check-package-name * --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --install-packages * --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --agent-version --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --driver-version --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --system-info VBR --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --agent-version --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --check-system-support --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --check-package-name VeeamPluginforOracleRMAN --packages-index-xml /opt/veeam/ValPackageIndex.xml
#TRANSPORT
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport --version
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport --get-port
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport-link --version
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport-link --get-user
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport --disable-restricted-mode
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport-link --set-user root
#VEEAMCONFIG
veeamdep ALL=(root) /bin/veeamconfig vbrcmd print --agentInfo
veeamdep ALL=(root) /bin/veeamconfig --stdin acquireAgent *
veeamdep ALL=(root) /bin/veeamconfig --stdin print *
veeamdep ALL=(root) /bin/veeamconfig --stdin setCertificate *
veeamdep ALL=(root) /bin/veeamconfig --stdin
Veeam Agent for Linux 5.x / Veeam Backup & Replication 11a
Example /etc/sudoers entries for SLES 11 SP4:
## Basic
Defaults:username !targetpw
username ALL=(root) /bin/chmod
username ALL=(root) /bin/chown
username ALL=(root) /bin/cp
username ALL=(root) /bin/mkdir
username ALL=(root) /bin/mv
username ALL=(root) /bin/rm
username ALL=(root) /opt/veeam/veeaminstaller
username ALL=(root) /usr/bin/id
username ALL=(root) /usr/bin/scp -p -t /opt/veeam/ValPackageIndex.xml
username ALL=(root) /usr/bin/scp -p -t /opt/veeam/veeaminstaller
username ALL=(root) /usr/bin/scp -p -t /tmp/*
username ALL=(root) /usr/bin/veeamconfig
username ALL=(root) /usr/bin/whoami
## FLR via console
username ALL=(root) /bin/mount
username ALL=(root) /bin/ping
username ALL=(root) /bin/ps
username ALL=(root) /bin/tar
username ALL=(root) /bin/uname
username ALL=(root) /tmp/*-*-*-*-*_vblkid
username ALL=(root) /tmp/VeeamAgent*-*-*-*-*
username ALL=(root) /usr/bin/test -e /tmp/
username ALL=(root) /usr/bin/gzip
Example /etc/sudoers entries for SLES 12 SP4:
## Basic
Defaults:username !targetpw
username ALL=(root) /opt/veeam/veeaminstaller
username ALL=(root) /usr/bin/chmod
username ALL=(root) /usr/bin/chown
username ALL=(root) /usr/bin/cp
username ALL=(root) /usr/bin/id
username ALL=(root) /usr/bin/mkdir
username ALL=(root) /usr/bin/mv
username ALL=(root) /usr/bin/rm
username ALL=(root) /usr/bin/touch
username ALL=(root) /usr/bin/uname
username ALL=(root) /usr/bin/veeamconfig
username ALL=(root) /usr/bin/whoami
## FLR via console
username ALL=(root) /bin/tar
username ALL=(root) /tmp/*-*-*-*-*_vblkid
username ALL=(root) /tmp/VeeamAgent*-*-*-*-*
username ALL=(root) /usr/bin/test -e /tmp/
username ALL=(root) /usr/bin/gzip
username ALL=(root) /usr/bin/mount
username ALL=(root) /usr/bin/ping
username ALL=(root) /usr/bin/ps
Veeam Agent for Linux 5.x / Veeam Backup & Replication 11
Example /etc/sudoers entries for SLES 11 SP4:
## Basic
Defaults:username !targetpw
username ALL=(root) /bin/chmod
username ALL=(root) /bin/chown
username ALL=(root) /bin/cp
username ALL=(root) /bin/mkdir
username ALL=(root) /bin/mv
username ALL=(root) /bin/rm
username ALL=(root) /opt/veeam/veeaminstaller
username ALL=(root) /usr/bin/id
username ALL=(root) /usr/bin/scp -p -t /opt/veeam/ValPackageIndex.xml
username ALL=(root) /usr/bin/scp -p -t /opt/veeam/veeaminstaller
username ALL=(root) /usr/bin/scp -p -t /tmp/*
username ALL=(root) /usr/bin/veeamconfig
username ALL=(root) /usr/bin/whoami
## FLR via console
username ALL=(root) /bin/mount
username ALL=(root) /bin/ping
username ALL=(root) /bin/ps
username ALL=(root) /bin/tar
username ALL=(root) /bin/uname
username ALL=(root) /tmp/*-*-*-*-*_vblkid
username ALL=(root) /tmp/VeeamAgent*-*-*-*-*
username ALL=(root) /usr/bin/[ -d /tmp/ ]
username ALL=(root) /usr/bin/gzip
Example /etc/sudoers entries for SLES 12 SP4:
## Basic
Defaults:username !targetpw
username ALL=(root) /opt/veeam/veeaminstaller
username ALL=(root) /usr/bin/chmod
username ALL=(root) /usr/bin/chown
username ALL=(root) /usr/bin/cp
username ALL=(root) /usr/bin/id
username ALL=(root) /usr/bin/mkdir
username ALL=(root) /usr/bin/mv
username ALL=(root) /usr/bin/rm
username ALL=(root) /usr/bin/touch
username ALL=(root) /usr/bin/uname
username ALL=(root) /usr/bin/veeamconfig
username ALL=(root) /usr/bin/whoami
## FLR via console
username ALL=(root) /bin/tar
username ALL=(root) /tmp/*-*-*-*-*_vblkid
username ALL=(root) /tmp/VeeamAgent*-*-*-*-*
username ALL=(root) /usr/bin/[ -d /tmp/ ]
username ALL=(root) /usr/bin/gzip
username ALL=(root) /usr/bin/mount
username ALL=(root) /usr/bin/ping
username ALL=(root) /usr/bin/ps
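The examples above range from fully pinned command lines to bare binaries and wildcarded paths, so it helps to review how broad each rule is before deploying it. The following audit script is an added example, not Veeam's code; the finding labels are hypothetical names, and it relies on sudoers(5) semantics: a rule that lists no arguments permits any arguments, and a wildcard in the arguments matches across spaces and slashes.

```python
import re

# Constructed sample: a few rules copied from the examples on this page.
SAMPLE = """\
#DEPLOYMENT INSTALL
veeamdep ALL=(root) /bin/rpm --install /tmp/veeamdeployment-12.1.0.*-1.x86_64.rpm
veeamdep ALL=(root) /bin/rpm --erase veeamdeployment
veeamdep ALL=(root) /usr/bin/chown * /opt/veeam/veeaminstaller
Defaults:username !targetpw
username ALL=(root) /bin/chmod
username ALL=(root) /tmp/VeeamAgent*-*-*-*-*
"""

# user  host=(runas)  /path/to/command  [arguments...]
RULE = re.compile(r"^(\S+)\s+\S+=\(([^)]*)\)\s+(\S+)(?:\s+(.*))?$")
WILD = re.compile(r"[*?]")  # only * and ? are checked; [...] classes are ignored

def audit_line(line):
    """Return (user, command, findings) for a user rule; None for comments, Defaults, blanks."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("Defaults"):
        return None
    m = RULE.match(line)
    if not m:
        return None
    user, _runas, path, args = m.groups()
    findings = []
    if args is None:            # no arguments listed: any arguments are accepted
        findings.append("ANY_ARGS")
    elif WILD.search(args):     # wildcard is matched against the joined argument string
        findings.append("ARG_WILDCARD")
    if WILD.search(path):       # the binary itself is selected by a glob
        findings.append("PATH_WILDCARD")
    if path.startswith(("/tmp/", "/var/tmp/")):  # binary lives in a typically world-writable dir
        findings.append("WORLD_WRITABLE_DIR")
    return user, (path + " " + (args or "")).strip(), findings

def audit(text):
    """Return only the rules that produced at least one finding."""
    results = [audit_line(l) for l in text.splitlines()]
    return [r for r in results if r and r[2]]

if __name__ == "__main__":
    for user, cmd, findings in audit(SAMPLE):
        print(f"{user:10} {','.join(findings):45} {cmd}")
```

Rules with no findings, such as the fully specified veeamdeploymentsvc entries, are the ones to prefer; flagged rules are candidates for pinning exact file names as described under Optional Additional Customization.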