#1 Global Leader in Data Resilience

Granular sudo Permissions for Management of Veeam Agent for Linux Deployments

KB ID: 2676
Product: Veeam Backup & Replication | 12 | 12.1 | 12.2
Veeam Agent for Linux | 6.0 | 6.1 | 6.2
Published: 2018-07-02
Last Modified: 2024-08-26
mailbox
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please, try again later.

Article Applicability

The granular sudo permissions example provided in this article is intended for use with Protection Groups managing Veeam Agent for Linux deployments.

These granular sudo permissions are NOT for use with any other Linux-related task that Veeam Backup & Replication performs (e.g., Linux Hardened Repository, Linux Proxy, etc).

Purpose

This article provides examples of granular ‘sudo’ configuration for the Linux account that will be used by Veeam Backup & Replication when managing Veeam Agent for Linux deployments with a Protection Group.

Cause

Per the Agent Management User Guide, a user account for Agent Management should have administrative permissions on the computer you want to add to a protection group or a job. If you would like to avoid using the ‘root’ account in favor of a sudoer account, you may also want to set permissions granularly for one. This document helps you to achieve this goal.

Solution

  • Linux user account used by Veeam Backup & Replication for any Veeam Agent for Linux deployment and management operations must have /bin/bash shell set by default.
  • The account must have either ‘root’ or permissions to execute a specific list of commands as a sudoer on the target Linux machine. (See examples below.)
Distro-specific sudoers Examples
The examples below were developped for specific Linux distros, which will be indicated before each example. Process locations may need to be adjusted if using a different distro.
Veeam Agent for Linux 6.1.x / Veeam Backup & Replication 12.1.x
The example /etc/sudoers below is valid for for RHEL, SLES, Debian, and Ubuntu.
Optional Additional Customization

In the sudoers example below, there are four lines under #DEPLOYMENT INSTALL (lines # 16, 18,20, and 22) that, by default, utilize a wildcard for the package version (e.g., /tmp/veeamdeployment-12.1.*-1.x86_64.rpm). You may optionally choose to update those lines with the precise package file names found on the Veeam Backup Server in:

C:\Program Files\Veeam\Backup and Replication\Backup\Packages

For example, Veeam Backup & Replication 12.1.0.2131 uses deployment packages named:

  • veeamdeployment_12.1.0.2131_amd64.deb
  • veeamdeployment-12.1.0.2131-1.x86_64.rpm
#MISC 
veeamdep ALL=(root) /usr/bin/id -au
veeamdep ALL=(root) /usr/bin/whoami

#MKDIR
veeamdep ALL=(root) /bin/mkdir -p /opt/veeam

#RM
veeamdep ALL=(root) /bin/rmdir /opt/veeam
veeamdep ALL=(root) /bin/rmdir /opt/veeam/Upload
veeamdep ALL=(root) /bin/rm -rf /opt/veeam/deployment/
veeamdep ALL=(root) /usr/bin/rm /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/rm /opt/veeam/ValPackageIndex.xml

#DEPLOYMENT INSTALL
veeamdep ALL=(root) /bin/yum --assumeyes --errorlevel=0 install /tmp/veeamdeployment-12.1.*-1.x86_64.rpm
veeamdep ALL=(root) /bin/yum --assumeyes --errorlevel=0 remove veeamdeployment
veeamdep ALL=(root) /bin/rpm --install /tmp/veeamdeployment-12.1.*-1.x86_64.rpm
veeamdep ALL=(root) /bin/rpm --erase veeamdeployment
veeamdep ALL=(root) /usr/bin/dpkg --force-confold --install /tmp/veeamdeployment_12.1.*_amd64.deb
veeamdep ALL=(root) /usr/bin/dpkg --purge veeamdeployment
veeamdep ALL=(root) /usr/bin/zypper --terse --non-interactive --no-gpg-checks install --auto-agree-with-licenses --force-resolution /tmp/veeamdeployment-12.1.*-1.x86_64.rpm
veeamdep ALL=(root) /usr/bin/zypper --terse --non-interactive --no-gpg-checks remove veeamdeployment

#DEPLOYMENT SERVICE
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --dll-version
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --get-port
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --uninstall
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-user veeamdep
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --disable-restricted-mode
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-base-log-path /var/log/VeeamBackup
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --restart
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --get-fingerprint
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install 6160
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install-server-certificate /tmp/VeeamUpload*/ServerCertificate
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install-certificate /tmp/VeeamUpload*/ClientCertificate
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-max-log-size 10485760
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-max-log-count 10
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --get-bios-uuid

#TRANSPORT
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport --version
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport-link --get-user
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport --disable-restricted-mode
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport-link --set-user root

#VEEAMCONFIG
veeamdep ALL=(root) /usr/bin/veeamconfig vbrcmd print --agentInfo
veeamdep ALL=(root) /usr/bin/veeamconfig --stdin
Veeam Agent for Linux 6.0.x / Veeam Backup & Replication 12.0.x
Example /etc/sudoers entries for RHEL and SLES:
#MISC
veeamdep ALL=(root) /usr/bin/arch
veeamdep ALL=(root) /usr/bin/md5sum /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/echo $HOME
veeamdep ALL=(root) /usr/bin/ls /opt/veeam/transport/veeamtransport-link
veeamdep ALL=(root) /usr/bin/ls /opt/veeam/deployment/veeamdeploymentsvc
veeamdep ALL=(root) /usr/bin/ls /opt/veeam/transport/veeamtransport
veeamdep ALL=(root) /bin/tar xvzf /tmp/VeeamDeploymentSvc_12.* -C /opt/veeam/deployment --no-same-owner
veeamdep ALL=(root) /usr/bin/id -au
veeamdep ALL=(root) /usr/bin/whoami

#MKDIR
veeamdep ALL=(root) /bin/mkdir -p /opt/veeam
veeamdep ALL=(root) /bin/mkdir --parents /opt/veeam/Upload/*
veeamdep ALL=(root) /bin/mkdir --parents /opt/veeam/deployment

#CP
veeamdep ALL=(root) /usr/bin/cp -f /home/veeamdep/* /tmp/VeeamDeploymentSvc_12*
veeamdep ALL=(root) /usr/bin/cp -f /home/veeamdep/* /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /usr/bin/cp -f /home/veeamdep/* /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/cp -f /home/veeamdep/* /opt/veeam/Upload/*

#RM
veeamdep ALL=(root) /bin/rmdir /opt/veeam*
veeamdep ALL=(root) /usr/bin/rm -rf /opt/veeam/Upload/*
veeamdep ALL=(root) /bin/rm -rf /opt/veeam/deployment
veeamdep ALL=(root) /usr/bin/rm /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/rm /opt/veeam/Upload/*
veeamdep ALL=(root) /usr/bin/rm /opt/veeam/*
veeamdep ALL=(root) /usr/bin/rm /opt/veeam/deployment/certs/*
veeamdep ALL=(root) /usr/bin/rm /opt/veeam
veeamdep ALL=(root) /usr/bin/rm -f /tmp/VeeamDeploymentSvc_12.*

#TOUCH
veeamdep ALL=(root) /usr/bin/touch /tmp/VeeamDeploymentSvc_12*
veeamdep ALL=(root) /usr/bin/touch /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /usr/bin/touch /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/touch /opt/veeam/Upload/*

#CHGRP
veeamdep ALL=(root) /usr/bin/chgrp root /opt/veeam/veeaminstaller

#CHOWN
veeamdep ALL=(root) /usr/bin/chown * /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/chown root /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/chown -hR root /opt/veeam/deployment
veeamdep ALL=(root) /usr/bin/chown * /opt/veeam/ValPackageIndex.xml

#CHMOD
veeamdep ALL=(root) /usr/bin/chmod 0766 /opt/veeam/Upload/*
veeamdep ALL=(root) /usr/bin/chmod 0750 /home/veeamdep/*
veeamdep ALL=(root) /usr/bin/chmod 0750 /opt/veeam/veeaminstaller
veeamdep ALL=(root) /usr/bin/chmod 0644 /tmp/VeeamDeploymentSvc_12*
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment/Upload
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/PackagesRegistry/VeeamTransport/PackageInfo
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment/PackagesRegistry/VeeamTransport
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment/PackagesRegistry
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment/ca-trusted
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment/scripts
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment/certs
veeamdep ALL=(root) /usr/bin/chmod 755 /opt/veeam/deployment/certs/client
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/ca-trusted/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/ca-trusted/DigiCertTrustedRootG4.crt.pem
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/libVeeamDeploymentDll.so
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/scripts/veeamdeployment
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/scripts/veeamdeployment.service
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/VeeamDeploymentConfig
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/certs/client/cert_*.pem
veeamdep ALL=(root) /usr/bin/chmod 644 /opt/veeam/deployment/certs/cert.p12
veeamdep ALL=(root) /usr/bin/chmod 744 /opt/veeam/deployment/veeamdeploymentsvc
veeamdep ALL=(root) /usr/bin/chmod 0750 /opt/veeam/ValPackageIndex.xml

#FIND
veeamdep ALL=(root) /usr/bin/find /opt/veeam/deployment -type f -not -path /opt/veeam/deployment/veeamdeploymentsvc
veeamdep ALL=(root) /usr/bin/find /opt/veeam/deployment -type d

#DEPLOYMENT SERVICE
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --dll-version
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --get-port
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --uninstall
#
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-user veeamdep
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --disable-restricted-mode
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-base-log-path /var/log/VeeamBackup
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --restart
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install-server-certificate /opt/veeam/Upload/*
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --get-fingerprint
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install-certificate /opt/veeam/Upload/*
veeamdep ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install 6160

#INSTALLER
veeamdep ALL=(root) /opt/veeam/veeaminstaller --install-info VAL --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --package-name-pattern-for-file-name --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --check-package-name * --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --install-packages * --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --agent-version --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --driver-version --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --system-info VBR --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --agent-version --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --check-system-support --packages-index-xml /opt/veeam/ValPackageIndex.xml
veeamdep ALL=(root) /opt/veeam/veeaminstaller --check-package-name VeeamPluginforOracleRMAN --packages-index-xml /opt/veeam/ValPackageIndex.xml

#TRANSPORT
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport --version
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport --get-port
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport-link --version
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport-link --get-user
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport --disable-restricted-mode
veeamdep ALL=(root) /opt/veeam/transport/veeamtransport-link --set-user root

#VEEAMCONFIG
veeamdep ALL=(root) /bin/veeamconfig vbrcmd print --agentInfo
veeamdep ALL=(root) /bin/veeamconfig --stdin acquireAgent *
veeamdep ALL=(root) /bin/veeamconfig --stdin print *
veeamdep ALL=(root) /bin/veeamconfig --stdin setCertificate *
veeamdep ALL=(root) /bin/veeamconfig --stdin
Veeam Agent for Linux 5.0.1.x / Veeam Backup & Replication 11.0.1.x
Example /etc/sudoers entries for SLES 11 SP4:
## Basic

Defaults:username !targetpw

username ALL=(root) /bin/chmod
username ALL=(root) /bin/chown
username ALL=(root) /bin/cp
username ALL=(root) /bin/mkdir
username ALL=(root) /bin/mv
username ALL=(root) /bin/rm
username ALL=(root) /opt/veeam/veeaminstaller
username ALL=(root) /usr/bin/id
username ALL=(root) /usr/bin/scp -p -t /opt/veeam/ValPackageIndex.xml
username ALL=(root) /usr/bin/scp -p -t /opt/veeam/veeaminstaller
username ALL=(root) /usr/bin/scp -p -t /tmp/*
username ALL=(root) /usr/bin/veeamconfig
username ALL=(root) /usr/bin/whoami

## FLR via console

username ALL=(root) /bin/mount
username ALL=(root) /bin/ping
username ALL=(root) /bin/ps
username ALL=(root) /bin/tar
username ALL=(root) /bin/uname
username ALL=(root) /tmp/*-*-*-*-*_vblkid
username ALL=(root) /tmp/VeeamAgent*-*-*-*-*
username ALL=(root) /usr/bin/test -e /tmp/
username ALL=(root) /usr/bin/gzip
Example /etc/sudoers entries for SLES 12 SP4
## Basic

Defaults:username !targetpw

username ALL=(root) /opt/veeam/veeaminstaller
username ALL=(root) /usr/bin/chmod
username ALL=(root) /usr/bin/chown
username ALL=(root) /usr/bin/cp
username ALL=(root) /usr/bin/id
username ALL=(root) /usr/bin/mkdir
username ALL=(root) /usr/bin/mv
username ALL=(root) /usr/bin/rm
username ALL=(root) /usr/bin/touch
username ALL=(root) /usr/bin/uname
username ALL=(root) /usr/bin/veeamconfig
username ALL=(root) /usr/bin/whoami

## FLR via console

username ALL=(root) /bin/tar
username ALL=(root) /tmp/*-*-*-*-*_vblkid
username ALL=(root) /tmp/VeeamAgent*-*-*-*-*
username ALL=(root) /usr/bin/test -e /tmp/
username ALL=(root) /usr/bin/gzip
username ALL=(root) /usr/bin/mount
username ALL=(root) /usr/bin/ping
username ALL=(root) /usr/bin/ps
Veeam Agent for Linux 5.0.0.x / Veeam Backup & Replication 11.0.0.x
Example /etc/sudoers entries for SLES 11 SP4:
## Basic

Defaults:username !targetpw

username ALL=(root) /bin/chmod
username ALL=(root) /bin/chown
username ALL=(root) /bin/cp
username ALL=(root) /bin/mkdir
username ALL=(root) /bin/mv
username ALL=(root) /bin/rm
username ALL=(root) /opt/veeam/veeaminstaller
username ALL=(root) /usr/bin/id
username ALL=(root) /usr/bin/scp -p -t /opt/veeam/ValPackageIndex.xml
username ALL=(root) /usr/bin/scp -p -t /opt/veeam/veeaminstaller
username ALL=(root) /usr/bin/scp -p -t /tmp/*
username ALL=(root) /usr/bin/veeamconfig
username ALL=(root) /usr/bin/whoami

## FLR via console

username ALL=(root) /bin/mount
username ALL=(root) /bin/ping
username ALL=(root) /bin/ps
username ALL=(root) /bin/tar
username ALL=(root) /bin/uname
username ALL=(root) /tmp/*-*-*-*-*_vblkid
username ALL=(root) /tmp/VeeamAgent*-*-*-*-*
username ALL=(root) /usr/bin/[ -d /tmp/ ]
username ALL=(root) /usr/bin/gzip
Example /etc/sudoers entries for SLES 12 SP4
## Basic

Defaults:username !targetpw

username ALL=(root) /opt/veeam/veeaminstaller
username ALL=(root) /usr/bin/chmod
username ALL=(root) /usr/bin/chown
username ALL=(root) /usr/bin/cp
username ALL=(root) /usr/bin/id
username ALL=(root) /usr/bin/mkdir
username ALL=(root) /usr/bin/mv
username ALL=(root) /usr/bin/rm
username ALL=(root) /usr/bin/touch
username ALL=(root) /usr/bin/uname
username ALL=(root) /usr/bin/veeamconfig
username ALL=(root) /usr/bin/whoami

## FLR via console

username ALL=(root) /bin/tar
username ALL=(root) /tmp/*-*-*-*-*_vblkid
username ALL=(root) /tmp/VeeamAgent*-*-*-*-*
username ALL=(root) /usr/bin/[ -d /tmp/ ]
username ALL=(root) /usr/bin/gzip
username ALL=(root) /usr/bin/mount
username ALL=(root) /usr/bin/ping
username ALL=(root) /usr/bin/ps
To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please, try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please, try again later.