#1 Global Leader in Data Resilience
#1 Global Leader in Data Resilience
TRY NOW
book meeting
BACK TO KB LIST

Granular sudo Permissions for Management of Hardened Repository

KB ID: 4667
Product: Veeam Backup & Replication | 12.2 | 12.3 | 12.3.1 | 12.3.2 | 13
Published: 2024-09-26
Last Modified: 2024-12-17
mailbox
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please, try again later.

Purpose

This article documents the granular sudo permissions required to allow Veeam Backup & Replication to deploy and manage a Hardened Repository.

Solution

Account Requirements

  • The Linux user account used by Veeam Backup & Replication to deploy and manage the Hardened Repository must use the bash shell.
  • The Linux account used for a Hardened Repository must be a non-root account with root-equivalent permissions (sudo). Some administrators may prefer to restrict the account used by Veeam Backup & Replication to only be able to execute specific commands using sudo on the target Linux machine. (See example below.)

Granular Sudoer Drop-In Example

The example sudoers drop-in file below is compatible with all supported Linux distributions.

The example provided includes entries for the package managers of all supported Linux distributions. To further restrict sudoer permissions comment out or remove the lines for package managers not in use by the Linux distribution in use by the Hardened Repository.

  • Debian/Ubuntu — Remove lines 17-23.
  • SLES/openSUSE — Remove lines 17-21 and 24-25.
  • RHEL/AlmaLinux/Rocky Linux/Oracle Linux — Remove lines 22-25.
Example /etc/sudoers.d/veeamsvc file: 
#MISC
veeamsvc ALL=(ALL) /bin/whoami
veeamsvc ALL=(ALL) /bin/uname
veeamsvc ALL=(ALL) /bin/ls
veeamsvc ALL=(ALL) /bin/test

#CHECK DISTRO
veeamsvc ALL=(ALL) /bin/find /opt/veeam/deployment -type d
veeamsvc ALL=(ALL) /bin/find /opt/veeam/deployment -type f -not -path /opt/veeam/deployment/veeamdeploymentsvc

#Services
veeamsvc ALL=(ALL) /opt/veeam/deployment/veeamdeploymentsvc
veeamsvc ALL=(ALL) /opt/veeam/transport/veeamtransport
veeamsvc ALL=(ALL) /opt/veeam/transport/veeamtransport-link

#Package Management
veeamsvc ALL=(ALL) /bin/rpm --import /tmp/*
veeamsvc ALL=(ALL) /bin/rpm --install /tmp/veeamdeployment*
veeamsvc ALL=(ALL) /bin/rpm --erase veeamdeployment
veeamsvc ALL=(ALL) /bin/yum --assumeyes --errorlevel=0 install /tmp/*
veeamsvc ALL=(ALL) /bin/yum --assumeyes --errorlevel=0 remove veeamdeployment
veeamsvc ALL=(ALL) /usr/bin/zypper --terse --non-interactive --no-gpg-checks install --auto-agree-with-licenses --force-resolution /tmp/veeamdeployment*
veeamsvc ALL=(ALL) /usr/bin/zypper --terse --non-interactive --no-gpg-checks remove veeamdeployment
veeamsvc ALL=(ALL) /usr/bin/dpkg --force-confold --install /tmp/*
veeamsvc ALL=(ALL) /usr/bin/dpkg --purge veeamdeployment

#Assign Permissions
veeamsvc ALL=(ALL) /bin/chown -hR root /opt/veeam/deployment
veeamsvc ALL=(ALL) /bin/chmod 755 /opt/veeam/
veeamsvc ALL=(ALL) /bin/chmod 755 /opt/veeam/deployment
veeamsvc ALL=(ALL) /bin/chmod 755 /opt/veeam/deployment/ca-trusted
veeamsvc ALL=(ALL) /bin/chmod 755 /opt/veeam/deployment/scripts
veeamsvc ALL=(ALL) /bin/chmod 644 /opt/veeam/deployment/ca-trusted/*
veeamsvc ALL=(ALL) /bin/chmod 644 /opt/veeam/deployment/libVeeamDeploymentDll.so
veeamsvc ALL=(ALL) /bin/chmod 644 /opt/veeam/deployment/scripts/veeamdeployment
veeamsvc ALL=(ALL) /bin/chmod 644 /opt/veeam/deployment/scripts/veeamdeployment.service
veeamsvc ALL=(ALL) /bin/chmod 644 /opt/veeam/deployment/VeeamDeploymentConfig
veeamsvc ALL=(ALL) /bin/chmod 744 /opt/veeam/deployment/veeamdeploymentsvc

#RM
veeamsvc ALL=(ALL) /bin/rm -rf /opt/veeam/deployment
veeamsvc ALL=(ALL) /bin/rm /etc/veeam/immureposvc/timeLog
veeamsvc ALL=(ALL) /bin/rm /etc/veeam/immureposvc/retainLock
veeamsvc ALL=(ALL) /bin/rm /etc/veeam/immureposvc/config
veeamsvc ALL=(ALL) /bin/rmdir /etc/veeam/immureposvc

#Set Immutablility
veeamsvc ALL=(ALL) /bin/chattr -i /etc/veeam/immureposvc/timeLog
veeamsvc ALL=(ALL) /bin/chattr -i /etc/veeam/immureposvc/retainLock
veeamsvc ALL=(ALL) /bin/chattr -i /etc/veeam/immureposvc/config

#Process Management
veeamsvc ALL=(ALL) /usr/bin/fuser /var/lib/dpkg/lock-frontend
veeamsvc ALL=(ALL) /usr/bin/fuser /var/lib/dpkg/lock

More Information

The following command can be used to validate the sudoers drop-in file: 
sudo visudo -cf /etc/sudoers.d/veeamsvc

Related Articles

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please, try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case
By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Start using Veeam:
Download the product
&
Activate the license key
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please, try again later.