Granular sudo Permissions for Management of Veeam Agent for Linux Deployments
Starting in Veeam Backup & Replication v12.1, it is possible to deploy Veeam Agent for Linux using a pre-installed Veeam Deployer Service and add that machine to a Protection Group using certificate-based authentication instead of credentials.
Veeam now recommends this new certificate-based method of managing Veeam Agent for Linux deployments as a more secure alternative to password-based authentication and granular sudo configuration.
The granular sudo permissions example provided in this article is intended for use with Protection Groups managing Veeam Agent for Linux deployments.
These granular sudo permissions are NOT for use with any other Linux-related task that Veeam Backup & Replication performs (e.g., Linux Hardened Repository, Linux Proxy, etc.).
Purpose
Cause
Solution
- The Linux user account used by Veeam Backup & Replication for any Veeam Agent for Linux deployment and management operations must have /bin/bash set as its default shell.
- The account must either be ‘root’ or have permission to execute a specific list of commands as a sudoer on the target Linux machine. (See examples below.)
Veeam Agent for Linux 6.1.x / Veeam Backup & Replication 12.1.x
The example /etc/sudoers below is valid for RHEL, SLES, Debian, and Ubuntu.
In the sudoers example below, there are four lines under #DEPLOYMENT INSTALL (lines # 16, 18, 20, and 22) that, by default, use a wildcard for the package version (e.g., /tmp/veeamdeployment-12.1.*-1.x86_64.rpm). You may optionally update those lines with the precise package file names found on the Veeam Backup Server in:
C:\Program Files\Veeam\Backup and Replication\Backup\Packages
For example, Veeam Backup & Replication 12.1.0.2131 uses deployment packages named:
- veeamdeployment_12.1.0.2131_amd64.deb
- veeamdeployment-12.1.0.2131-1.x86_64.rpm
#MISC
veeamdep ALL=(root) /usr/bin/id -au
veeamdep ALL=(root) /usr/bin/whoami
#MKDIR
veeamdep ALL=(root) /bin/mkdir -p /opt/veeam
#RM
veeamdep ALL=(root) /bin/rmdir /opt/veeam
veeamdep ALL=(root) /bin/rmdir /opt/veeam/Upload
veeamdep ALL=(root) /bin/rm -rf /opt/veeam/deployment/
veeamdep ALL=(root) /usr/bin/rm /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/rm /opt/veeam/ValPackageIndex.xml
#DEPLOYMENT INSTALL
veeamdep ALL=(root) /bin/yum --assumeyes --errorlevel=0 install /tmp/veeamdeployment-12.1.*-1.x86_64.rpm
veeamdep ALL=(root) /bin/yum --assumeyes --errorlevel=0 remove veeamdeployment
veeamdep ALL=(root) /bin/rpm --install /tmp/veeamdeployment-12.1.*-1.x86_64.rpm
veeamdep ALL=(root) /bin/rpm --erase veeamdeployment
veeamdep ALL=(root) /usr/bin/dpkg --force-confold --install /tmp/veeamdeployment_12.1.*_amd64.deb
veeamdep ALL=(root) /usr/bin/dpkg --purge veeamdeployment
veeamdep ALL=(root) /usr/bin/zypper --terse --non-interactive --no-gpg-checks install --auto-agree-with-licenses --force-resolution /tmp/veeamdeployment-12.1.*-1.x86_64.rpm
veeamdep ALL=(root) /usr/bin/zypper --terse --non-interactive --no-gpg-checks remove veeamdeployment
#DEPLOYMENT SERVICE
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --dll-version
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --get-port
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --uninstall
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-user veeamdep
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --disable-restricted-mode
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-base-log-path /var/log/VeeamBackup
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --restart
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --get-fingerprint
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install 6160
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install-server-certificate /tmp/VeeamUpload*/ServerCertificate
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install-certificate /tmp/VeeamUpload*/ClientCertificate
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-max-log-size 10485760
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-max-log-count 10
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --get-bios-uuid
#TRANSPORT
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport --version
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport-link --get-user
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport --disable-restricted-mode
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport-link --set-user root
#VEEAMCONFIG
veeamdep ALL=(root) /usr/bin/veeamconfig vbrcmd print --agentInfo
veeamdep ALL=(root) /usr/bin/veeamconfig --stdin
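The optional pinning of the #DEPLOYMENT INSTALL package paths described above, as an added example that is not Veeam's own tooling: sudoers matches command-line arguments as one concatenated string, so a `*` can also match spaces and slashes, and an exact file name is the tighter rule. The function names and the SAMPLE_RULES variable are assumptions made for this illustration; the rules are copied from the listing above and the build number is the one the article names.

```sh
#!/bin/sh
# Added example, not Veeam tooling. Function and variable names are illustrative.
# SAMPLE_RULES: rules copied from the 12.1.x listing above, used as sample input.
SAMPLE_RULES='#DEPLOYMENT INSTALL
veeamdep ALL=(root) /bin/yum --assumeyes --errorlevel=0 install /tmp/veeamdeployment-12.1.*-1.x86_64.rpm
veeamdep ALL=(root) /bin/rpm --install /tmp/veeamdeployment-12.1.*-1.x86_64.rpm
veeamdep ALL=(root) /usr/bin/dpkg --force-confold --install /tmp/veeamdeployment_12.1.*_amd64.deb
veeamdep ALL=(root) /usr/bin/zypper --terse --non-interactive --no-gpg-checks install --auto-agree-with-licenses --force-resolution /tmp/veeamdeployment-12.1.*-1.x86_64.rpm
#DEPLOYMENT SERVICE
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install-server-certificate /tmp/VeeamUpload*/ServerCertificate'

# pin_veeam_packages BUILD   (sudoers text on stdin, rewritten text on stdout)
# Replaces the "12.1.*" wildcard in the deployment package paths with BUILD.
pin_veeam_packages() {
    build=$1
    # Reject anything but digits and dots first (this also rejects newlines),
    # so no wildcard or sed metacharacter can reach the replacement text.
    case $build in
        ''|*[!0-9.]*) echo "unexpected build number: $build" >&2; return 2 ;;
    esac
    # Then require the four-part 12.1 shape, e.g. 12.1.0.2131.
    printf '%s\n' "$build" | grep -Eq '^12\.1\.[0-9]+\.[0-9]+$' || {
        echo "unexpected build number: $build" >&2
        return 2
    }
    sed -e "s#/tmp/veeamdeployment-12\.1\.\*-1\.x86_64\.rpm#/tmp/veeamdeployment-${build}-1.x86_64.rpm#" \
        -e "s#/tmp/veeamdeployment_12\.1\.\*_amd64\.deb#/tmp/veeamdeployment_${build}_amd64.deb#"
}

# list_wildcard_rules   (sudoers text on stdin)
# Prints each non-comment rule that still contains a sudoers wildcard: * ? [
list_wildcard_rules() {
    grep -vE '^[[:space:]]*(#|$)' | grep -E '[*?[]' || true
}

# Demo: pin to the build named in the article, then show what is left to review.
pinned=$(printf '%s\n' "$SAMPLE_RULES" | pin_veeam_packages 12.1.0.2131)
printf '%s\n' "$pinned"
echo "--- rules still using a wildcard ---"
printf '%s\n' "$pinned" | list_wildcard_rules
```

Check the rewritten fragment with `visudo -cf <file>` before installing it. The one rule still listed uses a wildcard for the upload directory name, for which the article gives no fixed value.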
Veeam Agent for Linux 6.0.x / Veeam Backup & Replication 12.0.x
Example /etc/sudoers entries for RHEL and SLES:
#MISC
veeamdep ALL=(root) /usr/bin/arch
veeamdep ALL=(root) /usr/bin/md5sum /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/echo $HOME
veeamdep ALL=(root) /usr/bin/ls /opt/veeam/transport/veeamtransport-link
veeamdep ALL=(root) /usr/bin/ls /opt/veeam/deployment/veeamdeploymentsvc
veeamdep ALL=(root) /usr/bin/ls /opt/veeam/transport/veeamtransport
veeamdep ALL=(root) /bin/tar xvzf /tmp/VeeamDeploymentSvc_12.* -C /opt/veeam/deployment --no-same-owner
veeamdep ALL=(root) /usr/bin/id -au
veeamdep ALL=(root) /usr/bin/whoami
#MKDIR
veeamdep ALL=(root) /bin/mkdir -p /opt/veeam
veeamdep ALL=(root) /bin/mkdir --parents /opt/veeam/Upload/*
veeamdep ALL=(root) /bin/mkdir --parents /opt/veeam/deployment
#CP
veeamdep ALL=(root) /usr/bin/cp -f /home/veeamdep/* /tmp/VeeamDeploymentSvc_12*
veeamdep ALL=(root) /usr/bin/cp -f /home/veeamdep/* /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /usr/bin/cp -f /home/veeamdep/* /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/cp -f /home/veeamdep/* /opt/veeam/Upload/*
#RM
veeamdep ALL=(root) /bin/rmdir /opt/veeam*
veeamdep ALL=(root) /usr/bin/rm -rf /opt/veeam/Upload/*
veeamdep ALL=(root) /bin/rm -rf /opt/veeam/deployment
veeamdep ALL=(root) /usr/bin/rm /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/rm /opt/veeam/Upload/*
veeamdep ALL=(root) /usr/bin/rm /opt/veeam/*
veeamdep ALL=(root) /usr/bin/rm /opt/veeam/deployment/certs/*
veeamdep ALL=(root) /usr/bin/rm /opt/veeam
veeamdep ALL=(root) /usr/bin/rm -f /tmp/VeeamDeploymentSvc_12.*
#TOUCH
veeamdep ALL=(root) /usr/bin/touch /tmp/VeeamDeploymentSvc_12*
veeamdep ALL=(root) /usr/bin/touch /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /usr/bin/touch /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/touch /opt/veeam/Upload/*
#CHGRP
veeamdep ALL=(root) /usr/bin/chgrp root /opt/veeam/veeaminstaller
#CHOWN
veeamdep ALL=(root) /usr/bin/chown * /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/chown root /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/chown -hR root /opt/veeam/deployment
veeamdep ALL=(root) /usr/bin/chown * /opt/veeam/ValPackageIndex.xml
#CHMOD
veeamdep ALL=(root) /usr/bin/chmod 0766 /opt/veeam/Upload/*
veeamdep ALL=(root) /usr/bin/chmod 0750 /home/veeamdep/*
veeamdep ALL=(root) /usr/bin/chmod 0750 /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/chmod 0644 /tmp/VeeamDeploymentSvc_12*
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment/Upload
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/PackagesRegistry/VeeamTransport/PackageInfo
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment/PackagesRegistry/VeeamTransport
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment/PackagesRegistry
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment/ca-trusted
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment/scripts
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment/certs
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment/certs/client
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/ca-trusted/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/ca-trusted/DigiCertTrustedRootG4.crt.pem
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/libVeeamDeploymentDll.so
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/scripts/veeamdeployment
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/scripts/veeamdeployment.service
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/VeeamDeploymentConfig
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/certs/client/cert_*.pem
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/certs/cert.p12
veeamdep ALL=(root) /usr/bin/chmod 744 /opt/veeam/deployment/veeamdeploymentsvc
veeamdep ALL=(root) /usr/bin/chmod 0750 /opt/veeam/ValPackageIndex.xml
#FIND
veeamdep ALL=(root) /usr/bin/find /opt/veeam/deployment -type f -not -path /opt/veeam/deployment/veeamdeploymentsvc
veeamdep ALL=(root) /usr/bin/find /opt/veeam/deployment -type d
#DEPLOYMENT SERVICE
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --dll-version
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --get-port
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --uninstall
#
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-user veeamdep
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --disable-restricted-mode
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-base-log-path /var/log/VeeamBackup
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --restart
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install-server-certificate /opt/veeam/Upload/*
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --get-fingerprint
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install-certificate /opt/veeam/Upload/*
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install 6160
#INSTALLER
veeamdep ALL=(root) /opt/veeam/veeaminstaller --install-info VAL --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --package-name-pattern-for-file-name --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --check-package-name * --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --install-packages * --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --agent-version --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --driver-version --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --system-info VBR --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --agent-version --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --check-system-support --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --check-package-name VeeamPluginforOracleRMAN --packages-index-xml /opt/veeam/ValPackageIndex.xml
#TRANSPORT
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport --version
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport --get-port
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport-link --version
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport-link --get-user
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport --disable-restricted-mode
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport-link --set-user root
#VEEAMCONFIG
veeamdep ALL=(root) /bin/veeamconfig vbrcmd print --agentInfo
veeamdep ALL=(root) /bin/veeamconfig --stdin acquireAgent *
veeamdep ALL=(root) /bin/veeamconfig --stdin print *
veeamdep ALL=(root) /bin/veeamconfig --stdin setCertificate *
veeamdep ALL=(root) /bin/veeamconfig --stdin