Granular sudo Permissions Required for Hardened Repository

KB ID:	4667
Product:	Veeam Backup & Replication \| 12.2
Published:	2024-09-26
Last Modified:	2024-09-26

Purpose

This article documents the granular sudo permissions required to allow Veeam Backup & Replication to deploy and manage a Hardened Repository.

Solution

Account Requirements

The Linux user account used by Veeam Backup & Replication to deploy and manage the Hardened Repository must use the bash shell.
The Linux account used for a Hardened Repository must be a non-root account with root-equivalent permissions (sudo). Some administrators may prefer to restrict the account used by Veeam Backup & Replication to only be able to execute specific commands using sudo on the target Linux machine. (See example below.)

Granular Sudoer Drop-In Example

The example sudoers drop-in file below is compatible with all supported Linux distributions.

The example provided includes entries for the package managers of all supported Linux distributions. To further restrict sudoer permissions comment out or remove the lines for package managers not in use by the Linux distribution in use by the Hardened Repository.

Debian/Ubuntu — Remove lines 17-23.
SLES/openSUSE — Remove lines 17-21 and 24-25.
RHEL/AlmaLinux/Rocky Linux/Oracle Linux — Remove lines 22-25.

Example /etc/sudoers.d/veeamsvc file:

#MISC
veeamsvc ALL=(ALL) /bin/whoami
veeamsvc ALL=(ALL) /bin/uname
veeamsvc ALL=(ALL) /bin/ls
veeamsvc ALL=(ALL) /bin/test

#CHECK DISTRO
veeamsvc ALL=(ALL) /bin/find /opt/veeam/deployment -type d
veeamsvc ALL=(ALL) /bin/find /opt/veeam/deployment -type f -not -path /opt/veeam/deployment/veeamdeploymentsvc

#Services
veeamsvc ALL=(ALL) /opt/veeam/deployment/veeamdeploymentsvc
veeamsvc ALL=(ALL) /opt/veeam/transport/veeamtransport
veeamsvc ALL=(ALL) /opt/veeam/transport/veeamtransport-link

#Package Management
veeamsvc ALL=(ALL) /bin/rpm --import /tmp/*
veeamsvc ALL=(ALL) /bin/rpm --install /tmp/veeamdeployment*
veeamsvc ALL=(ALL) /bin/rpm --erase veeamdeployment
veeamsvc ALL=(ALL) /bin/yum --assumeyes --errorlevel=0 install /tmp/*
veeamsvc ALL=(ALL) /bin/yum --assumeyes --errorlevel=0 remove veeamdeployment
veeamsvc ALL=(ALL) /usr/bin/zypper --terse --non-interactive --no-gpg-checks install --auto-agree-with-licenses --force-resolution /tmp/veeamdeployment*
veeamsvc ALL=(ALL) /usr/bin/zypper --terse --non-interactive --no-gpg-checks remove veeamdeployment
veeamsvc ALL=(ALL) /usr/bin/dpkg --force-confold --install /tmp/*
veeamsvc ALL=(ALL) /usr/bin/dpkg --purge veeamdeployment

#Assign Permissions
veeamsvc ALL=(ALL) /bin/chown -hR root /opt/veeam/deployment
veeamsvc ALL=(ALL) /bin/chmod 755 /opt/veeam/
veeamsvc ALL=(ALL) /bin/chmod 755 /opt/veeam/deployment
veeamsvc ALL=(ALL) /bin/chmod 755 /opt/veeam/deployment/ca-trusted
veeamsvc ALL=(ALL) /bin/chmod 755 /opt/veeam/deployment/scripts
veeamsvc ALL=(ALL) /bin/chmod 644 /opt/veeam/deployment/ca-trusted/*
veeamsvc ALL=(ALL) /bin/chmod 644 /opt/veeam/deployment/libVeeamDeploymentDll.so
veeamsvc ALL=(ALL) /bin/chmod 644 /opt/veeam/deployment/scripts/veeamdeployment
veeamsvc ALL=(ALL) /bin/chmod 644 /opt/veeam/deployment/scripts/veeamdeployment.service
veeamsvc ALL=(ALL) /bin/chmod 644 /opt/veeam/deployment/VeeamDeploymentConfig
veeamsvc ALL=(ALL) /bin/chmod 744 /opt/veeam/deployment/veeamdeploymentsvc

#RM
veeamsvc ALL=(ALL) /bin/rm -rf /opt/veeam/deployment
veeamsvc ALL=(ALL) /bin/rm /etc/veeam/immureposvc/timeLog
veeamsvc ALL=(ALL) /bin/rm /etc/veeam/immureposvc/retainLock
veeamsvc ALL=(ALL) /bin/rm /etc/veeam/immureposvc/config
veeamsvc ALL=(ALL) /bin/rmdir /etc/veeam/immureposvc

#Set Immutablility
veeamsvc ALL=(ALL) /bin/chattr -i /etc/veeam/immureposvc/timeLog
veeamsvc ALL=(ALL) /bin/chattr -i /etc/veeam/immureposvc/retainLock
veeamsvc ALL=(ALL) /bin/chattr -i /etc/veeam/immureposvc/config

#Process Management
veeamsvc ALL=(ALL) /usr/bin/fuser /var/lib/dpkg/lock-frontend
veeamsvc ALL=(ALL) /usr/bin/fuser /var/lib/dpkg/lock
                     
                    

More Information

The following command can be used to validate the sudoers drop-in file:

sudo visudo -cf /etc/sudoers.d/veeamsvc

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Granular sudo Permissions Required for Hardened Repository

Granular sudo Permissions Required for Hardened Repository

Purpose

Solution

Account Requirements

Granular Sudoer Drop-In Example

More Information

Trending Articles

Practice Sheet of Right form of verbs for HSC Students

Download: FK ft Shenky – Nakuyewa ”Prod by: Shenky”

How to win at Markstrat (Markstrat Tips and Tricks) – Vodites

Ominde Commission Report and Recommendations – Ominde Report of 1964

Bureau of Internal Revenue: Regional Offices (Directory)

GO 53 on Enhancement of Ex-gratia upto 5 Lakhs Toddy Tappers in Telangana

Cakewalk CA-2A Leveling Amplifier v2.0.1.97 WiN, v2.0.1.96 OSX Incl Keygen

Mp3 Download: Mdu - Kunjenjenjena

How the kill the job , when DTP request running for long hours.

Microsoft Intune から展開しているアプリのアップデートについて

18-year-old girl was beaten for half an hour by two Northampton men in 'an...

Car crash in Dunton Bassett leaves driver in critical condition

Macky 2, Two Others In Road Accident

Application log 00000000000000089514: Could not convert queue DLVST90CLNT

Detroit mafia: D’Anna Brothers agree to plea deal

Delivery block field greyed out using VA02

Muloraki Au

【個人撮影】スマホのプライベート映像♪「中に出さないで///」カラオケ屋での生ハメ撮りが流出ｗ【リベンジポルノ】＠PornHub

BREAKING NEWS: Diamond Platnumz Is Reported Dead After Ghastly Car Accident

FIAT 500 B0111 B0112