Granular sudo Permissions Required for Hardened Repository

KB ID: 4667
Product: Veeam Backup & Replication | 12.2
Published: 2024-09-26
Last Modified: 2024-09-26

Purpose

This article documents the granular sudo permissions required to allow Veeam Backup & Replication to deploy and manage a Hardened Repository.

Solution

Account Requirements

  • The Linux user account used by Veeam Backup & Replication to deploy and manage the Hardened Repository must use the bash shell.
  • The Linux account used for a Hardened Repository must be a non-root account with root-equivalent permissions (sudo). Some administrators may prefer to restrict the account used by Veeam Backup & Replication to only be able to execute specific commands using sudo on the target Linux machine. (See example below.)

Granular Sudoer Drop-In Example

The example sudoers drop-in file below is compatible with all supported Linux distributions.

The example includes entries for the package managers of all supported Linux distributions. To further restrict sudo permissions, comment out or remove the lines for package managers that are not used by the Linux distribution running on the Hardened Repository. The line numbers below refer to lines of the example file.

  • Debian/Ubuntu — Remove lines 17-23.
  • SLES/openSUSE — Remove lines 17-21 and 24-25.
  • RHEL/AlmaLinux/Rocky Linux/Oracle Linux — Remove lines 22-25.

Example /etc/sudoers.d/veeamsvc file:
#MISC
veeamsvc ALL=(ALL) /bin/whoami
veeamsvc ALL=(ALL) /bin/uname
veeamsvc ALL=(ALL) /bin/ls
veeamsvc ALL=(ALL) /bin/test

#CHECK DISTRO
veeamsvc ALL=(ALL) /bin/find /opt/veeam/deployment -type d
veeamsvc ALL=(ALL) /bin/find /opt/veeam/deployment -type f -not -path /opt/veeam/deployment/veeamdeploymentsvc

#Services
veeamsvc ALL=(ALL) /opt/veeam/deployment/veeamdeploymentsvc
veeamsvc ALL=(ALL) /opt/veeam/transport/veeamtransport
veeamsvc ALL=(ALL) /opt/veeam/transport/veeamtransport-link

#Package Management
veeamsvc ALL=(ALL) /bin/rpm --import /tmp/*
veeamsvc ALL=(ALL) /bin/rpm --install /tmp/veeamdeployment*
veeamsvc ALL=(ALL) /bin/rpm --erase veeamdeployment
veeamsvc ALL=(ALL) /bin/yum --assumeyes --errorlevel=0 install /tmp/*
veeamsvc ALL=(ALL) /bin/yum --assumeyes --errorlevel=0 remove veeamdeployment
veeamsvc ALL=(ALL) /usr/bin/zypper --terse --non-interactive --no-gpg-checks install --auto-agree-with-licenses --force-resolution /tmp/veeamdeployment*
veeamsvc ALL=(ALL) /usr/bin/zypper --terse --non-interactive --no-gpg-checks remove veeamdeployment
veeamsvc ALL=(ALL) /usr/bin/dpkg --force-confold --install /tmp/*
veeamsvc ALL=(ALL) /usr/bin/dpkg --purge veeamdeployment

#Assign Permissions
veeamsvc ALL=(ALL) /bin/chown -hR root /opt/veeam/deployment
veeamsvc ALL=(ALL) /bin/chmod 755 /opt/veeam/
veeamsvc ALL=(ALL) /bin/chmod 755 /opt/veeam/deployment
veeamsvc ALL=(ALL) /bin/chmod 755 /opt/veeam/deployment/ca-trusted
veeamsvc ALL=(ALL) /bin/chmod 755 /opt/veeam/deployment/scripts
veeamsvc ALL=(ALL) /bin/chmod 644 /opt/veeam/deployment/ca-trusted/*
veeamsvc ALL=(ALL) /bin/chmod 644 /opt/veeam/deployment/libVeeamDeploymentDll.so
veeamsvc ALL=(ALL) /bin/chmod 644 /opt/veeam/deployment/scripts/veeamdeployment
veeamsvc ALL=(ALL) /bin/chmod 644 /opt/veeam/deployment/scripts/veeamdeployment.service
veeamsvc ALL=(ALL) /bin/chmod 644 /opt/veeam/deployment/VeeamDeploymentConfig
veeamsvc ALL=(ALL) /bin/chmod 744 /opt/veeam/deployment/veeamdeploymentsvc

#RM
veeamsvc ALL=(ALL) /bin/rm -rf /opt/veeam/deployment
veeamsvc ALL=(ALL) /bin/rm /etc/veeam/immureposvc/timeLog
veeamsvc ALL=(ALL) /bin/rm /etc/veeam/immureposvc/retainLock
veeamsvc ALL=(ALL) /bin/rm /etc/veeam/immureposvc/config
veeamsvc ALL=(ALL) /bin/rmdir /etc/veeam/immureposvc

#Set Immutability
veeamsvc ALL=(ALL) /bin/chattr -i /etc/veeam/immureposvc/timeLog
veeamsvc ALL=(ALL) /bin/chattr -i /etc/veeam/immureposvc/retainLock
veeamsvc ALL=(ALL) /bin/chattr -i /etc/veeam/immureposvc/config

#Process Management
veeamsvc ALL=(ALL) /usr/bin/fuser /var/lib/dpkg/lock-frontend
veeamsvc ALL=(ALL) /usr/bin/fuser /var/lib/dpkg/lock

More Information

The following command can be used to validate the sudoers drop-in file:
sudo visudo -cf /etc/sudoers.d/veeamsvc
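
The trimming and validation steps described in this article, combined into one script as an added example (not Veeam's own code): it removes the rules for unused package managers, runs the same visudo -cf check on the result, and installs the file only if the check passes. The function names, matching rules by command name instead of by the article's line numbers (same result), and the root-owned 0440 file mode are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not Veeam code). Function names are hypothetical.

# Print debian|suse|rhel for an os-release file (default: /etc/os-release).
distro_family() {
  local ids
  ids=$( . "${1:-/etc/os-release}" && echo " ${ID:-} ${ID_LIKE:-} " ) || return 1
  case "$ids" in
    *" debian "*|*" ubuntu "*) echo debian ;;
    *" suse "*|*" sles "*)     echo suse ;;
    *" rhel "*|*" fedora "*)   echo rhel ;;
    *) echo "unsupported distribution:$ids" >&2; return 1 ;;
  esac
}

# Drop rules whose command (third field) is a package manager the family does
# not use. Matching on the command name, not on line numbers, keeps the result
# correct if the file has been edited; arguments such as /var/lib/dpkg/lock
# on the fuser rules are never inspected.
trim_sudoers() {  # usage: trim_sudoers <family> <file>
  local drop
  case "$1" in
    debian) drop="rpm yum zypper" ;;  # KB: remove lines 17-23
    suse)   drop="rpm yum dpkg" ;;    # KB: remove lines 17-21 and 24-25
    rhel)   drop="zypper dpkg" ;;     # KB: remove lines 22-25
    *) echo "unknown family: $1" >&2; return 1 ;;
  esac
  awk -v drop="$drop" '
    BEGIN { n = split(drop, d, " "); for (i = 1; i <= n; i++) skip[d[i]] = 1 }
    $1 !~ /^#/ && NF >= 3 { m = split($3, p, "/"); if (p[m] in skip) next }
    { print }' "$2"
}

# Trim, syntax-check with visudo, and only then install as root:root 0440.
# Run as root. A failed check leaves the live drop-in untouched.
install_dropin() {  # usage: install_dropin <example-file>
  local tmp rc
  tmp=$(mktemp) || return 1
  trim_sudoers "$(distro_family)" "$1" > "$tmp" &&
    visudo -cf "$tmp" &&
    install -o root -g root -m 0440 "$tmp" /etc/sudoers.d/veeamsvc
  rc=$?
  rm -f "$tmp"
  return "$rc"
}
```

Save the example file from this article outside /etc/sudoers.d, then call install_dropin with its path from a root shell on the repository host.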