Veeam Support Knowledge Base
Granular sudo Permissions Required for Management of Linux-base Tape Server

Granular sudo Permissions for Management of Linux-base Tape Server

KB ID:	4558
Product:	Veeam Backup & Replication \| 12.1
Published:	2024-03-11
Last Modified:	2024-12-17

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

Oops! Something went wrong.

Please, try again later.

Purpose

This article provides an example of a granular ‘sudo’ configuration for the Linux account that Veeam Backup & Replication will use when managing a Linux-based Tape Server.

Solution

The Linux user account used by Veeam Backup & Replication to connect to the Linux-based Tape Server use the bash shell.
The Linux account must have either root or root-equivalent permissions. In the latter case, some administrators may prefer to restrict the account used by Veeam Backup & Replication to execute only a specific required list of commands as a sudoer on the target Linux machine. (See example below.)

#MISC 
restricteduser ALL=(root) /usr/bin/id -au
restricteduser ALL=(root) /usr/bin/whoami
 
#MKDIR
restricteduser ALL=(root) /bin/mkdir -p /opt/veeam
 
#Check host type
restricteduser ALL=(root) /bin/uname --machine
restricteduser ALL=(root) /bin/uname -r
restricteduser ALL=(root) /bin/ls /etc/exagrid-veeam-version
restricteduser ALL=(root) /bin/ls /tmp/Veeam_enabled
restricteduser ALL=(root) /bin/ls /tmp/Veeam_enabled_Infinidat
restricteduser ALL=(root) /bin/ls /tmp/Veeam_enabled_Fujitsu
restricteduser ALL=(root) /bin/ls /tmp/Veeam_enabled*
 
#RM
restricteduser ALL=(root) /bin/rmdir /opt/veeam
restricteduser ALL=(root) /bin/rmdir /opt/veeam/Upload
restricteduser ALL=(root) /bin/rm -rf /opt/veeam/deployment*
restricteduser ALL=(root) /usr/bin/rm /opt/veeam/veeaminstaller
 
#DEPLOYMENT SERVICE
restricteduser ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --dll-version
restricteduser ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --get-port
restricteduser ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --uninstall
restricteduser ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-user restricteduser
restricteduser ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --disable-restricted-mode
restricteduser ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-base-log-path /var/log/VeeamBackup
restricteduser ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --restart
restricteduser ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --get-fingerprint
restricteduser ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install 6160
restricteduser ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install-server-certificate /tmp/VeeamUpload*/ServerCertificate
restricteduser ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --install-certificate /tmp/VeeamUpload*/ClientCertificate
restricteduser ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-max-log-size 10485760
restricteduser ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --set-max-log-count 10
restricteduser ALL=(root) /opt/veeam/deployment/veeamdeploymentsvc --get-bios-uuid
 
#TRANSPORT
restricteduser ALL=(root) /opt/veeam/transport/veeamtransport --version
restricteduser ALL=(root) /opt/veeam/transport/veeamtransport-link --get-user
restricteduser ALL=(root) /opt/veeam/transport/veeamtransport --disable-restricted-mode
restricteduser ALL=(root) /opt/veeam/transport/veeamtransport-link --set-user root
restricteduser ALL=(root) /bin/ls /opt/veeam/transport/veeamtransport-link
restricteduser ALL=(root) /opt/veeam/transport/veeamtransport-link --set-user restricteduser
restricteduser ALL=(root) /opt/veeam/transport/veeamtransport --set-option BaseLogDirectory --set-option-value /var/log/VeeamBackup
restricteduser ALL=(root) /opt/veeam/transport/veeamtransport --set-option FirewallPortRange --set-option-value *
restricteduser ALL=(root) /opt/veeam/transport/veeamtransport --enable-restricted-mode
restricteduser ALL=(root) /opt/veeam/transport/veeamtransport --set-option MaxLogSize --set-option-value 10485760
restricteduser ALL=(root) /opt/veeam/transport/veeamtransport --set-option MaxLogCount --set-option-value 10
restricteduser ALL=(root) /opt/veeam/transport/veeamtransport --get-port
restricteduser ALL=(root) /opt/veeam/transport/veeamtransport --uninstall
restricteduser ALL=(root) /bin/rm -rf /opt/veeam/transport
 
#TAPE
restricteduser ALL=(root) /opt/veeam/tapeproxy/veeamtapeproxy --set-owner *
restricteduser ALL=(root) /opt/veeam/tapeproxy/veeamtapeproxy --uninstall
restricteduser ALL=(root) /bin/rm -rf /opt/veeam/tapeproxy
 
#Additions
restricteduser ALL=(root) /bin/test -d /tmp/
restricteduser ALL=(root) /bin/rm -f /tmp/Veeam*
restricteduser ALL=(root) /bin/touch /tmp/Veeam*
restricteduser ALL=(root) /bin/chmod 0700 /tmp/Veeam*
 
# Upload and unpack deployer
restricteduser ALL=(root) /usr/bin/chmod 0766 /opt/veeam/Upload/*                                                                                                                             
restricteduser ALL=(root) /usr/bin/mkdir --parents /opt/veeam/deployment
restricteduser ALL=(root) /usr/bin/mkdir --parents /opt/veeam/Upload/*
restricteduser ALL=(root) /usr/bin/touch /opt/veeam/Upload/*                                                                                                                                                
restricteduser ALL=(root) /bin/touch /tmp/VeeamDeploymentSvc*
restricteduser ALL=(root) /bin/tar xvzf /tmp/VeeamDeploymentSvc* -C /opt/veeam/deployment --no-same-owner
restricteduser ALL=(root) /bin/cp -f /home/restricteduser/* /tmp/VeeamDeploymentSvc*
restricteduser ALL=(root) /bin/chmod 0644 /tmp/VeeamDeploymentSvc*
restricteduser ALL=(root) /bin/cp -f /home/restricteduser/* /opt/veeam/Upload/*
restricteduser ALL=(root) /usr/bin/rm -f /tmp/VeeamDeploymentSvc*
restricteduser ALL=(root) /bin/rm -rf /opt/veeam/Upload/*
restricteduser ALL=(root) /bin/ls -d /opt/veeam/deployment
 
# Set rights
restricteduser ALL=(root) /bin/chown -hR root /opt/veeam/deployment
restricteduser ALL=(root) /bin/find /opt/veeam/deployment -type d
restricteduser ALL=(root) /bin/chmod 755 /opt/veeam/*                                                                                              
restricteduser ALL=(root) /bin/find /opt/veeam/deployment -type f -not -path /opt/veeam/deployment/veeamdeploymentsvc
restricteduser ALL=(root) /bin/chmod 644 /opt/veeam/deployment/*
restricteduser ALL=(root) /bin/chmod 744 /opt/veeam/deployment/veeamdeploymentsvc
                
            

More Information

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please, try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

Product

Topic

Description

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.

Verify your email to continue your product download

We've sent a verification code to:

An email with a verification code was just sent to

Didn't receive the code? Click to resend in sec

Didn't receive the code? Click to resend

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please, try again later.

NEW 12.3 RELEASE

Granular sudo Permissions for Management of Linux-base Tape Server

Cheers for trusting us with the spot in your mailbox!

Oops! Something went wrong.

Purpose

Solution

More Information

Related Articles

Spelling error in text

Thank you!

Oops! Something went wrong.

You have selected too large block!

KB Feedback/Suggestion

Thank you!