
Granular sudo Permissions for Management of Proxmox VE Host

KB ID: 4701
Product: Veeam Backup & Replication | 12.3
Published: 2025-02-24
Last Modified: 2025-02-26

Considerations and System Requirements
  • Proxmox VE does not include the sudo package and its associated command by default; sudo must be installed manually.
  • The capability to add Proxmox VE to Veeam Backup & Replication using a non-root sudo user was added in Proxmox Virtual Environment Plug-In version 12.1.3.197 for Veeam Backup & Replication 12.3.

Purpose

This article provides an example granular ‘sudoers’ configuration for the Linux account that will be used by Veeam Backup & Replication when managing a Proxmox VE host.

Solution

Dedicated Proxmox Veeam User Creation

  1. Create an SSH login user.
    Note: For the example permissions below, the account is named veeamdep. Adjust the sudoers entries to match the user name you select.
  2. Within the Proxmox configuration, add the user to the Datacenter.
    Datacenter > Permissions > Users > Add
  3. Add the Administrator role for the root path ( Path: / ) to that user.
    Datacenter > Permissions > Add > User Permission

Proxmox Veeam User Account Specifications

  • The Linux user account used by Veeam Backup & Replication for any Proxmox VE management operations must have /bin/bash set as its default shell.
  • The account must have root-equivalent permissions, which may be optionally restricted to the following specific list of commands as shown in the example sudoers file below:
veeamdep ALL=(root) PASSWD: /usr/sbin/dmidecode -s system-uuid
veeamdep ALL=(root) PASSWD: /usr/bin/kvm -S *
veeamdep ALL=(root) PASSWD: /usr/bin/qemu-img info *
veeamdep ALL=(root) PASSWD: /usr/bin/qemu-img create *
veeamdep ALL=(root) PASSWD: /usr/sbin/qm create *
veeamdep ALL=(root) PASSWD: /usr/sbin/qm ^showcmd [0-9]+ --pretty$
veeamdep ALL=(root) PASSWD: /usr/sbin/qm ^unlock [0-9]+$
veeamdep ALL=(root) PASSWD: /usr/bin/socat ^TCP-LISTEN:[0-9]+,bind=127\.0\.0\.1 UNIX-CONNECT:/[a-zA-Z0-9_./-]+$
veeamdep ALL=(root) PASSWD: /usr/bin/mkdir -p /var/lib/vz/snippets/
veeamdep ALL=(root) PASSWD: /usr/bin/pvenode cert info --output-format json
veeamdep ALL=(root) PASSWD: /usr/bin/pvesh ^get storage/([a-zA-Z0-9_-]+) --output json$
veeamdep ALL=(root) PASSWD: /usr/bin/pvesh ^set /nodes/([a-zA-Z0-9_-]+)/qemu/([0-9]+)/config --lock ([a-zA-Z]+)$
veeamdep ALL=(root) PASSWD: /usr/bin/pkill -9 -e -f -x socat *
veeamdep ALL=(root) PASSWD: /usr/sbin/lvchange -ay *
veeamdep ALL=(root) PASSWD: /usr/sbin/lvchange -an *
veeamdep ALL=(root) PASSWD: /usr/bin/rbd device map *
veeamdep ALL=(root) PASSWD: /usr/bin/mv ^-n /tmp/([a-zA-Z0-9_-]+\.config) /var/lib/vz/snippets/([a-zA-Z0-9_-]+\.config)$
veeamdep ALL=(root) PASSWD: /usr/bin/rm ^/[a-zA-Z0-9_/-]+/VeeamTmp[a-zA-Z0-9_.-]+$
veeamdep ALL=(root) PASSWD: /usr/bin/rm ^-f /[a-zA-Z0-9_/-]+/VeeamTmp[a-zA-Z0-9_.-]+$
veeamdep ALL=(root) PASSWD: /usr/bin/rm ^-f /var/lib/vz/snippets/[a-zA-Z0-9_-]+\.config$
veeamdep ALL=(root) PASSWD: /usr/bin/rm ^-f /var/lib/vz/template/iso/[a-zA-Z0-9_.-]+\.img$
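
Added example, not part of Veeam's article or software: a Python check that parses a few of the rules above and approximates how sudo matches exact, wildcard and anchored-regex argument specifications, so the file can be regression-tested before it is deployed. The names parse_rules, is_allowed and failures and the test invocations are constructed for illustration; Python's re and fnmatch modules stand in for sudo's own matching, and running `sudo -l -U veeamdep <command>` on the host remains the authoritative check.

```python
import fnmatch
import re
# Five rules copied verbatim from the sudoers example above.
SUDOERS = r"""
veeamdep ALL=(root) PASSWD: /usr/sbin/dmidecode -s system-uuid
veeamdep ALL=(root) PASSWD: /usr/bin/qemu-img info *
veeamdep ALL=(root) PASSWD: /usr/sbin/qm ^unlock [0-9]+$
veeamdep ALL=(root) PASSWD: /usr/bin/mv ^-n /tmp/([a-zA-Z0-9_-]+\.config) /var/lib/vz/snippets/([a-zA-Z0-9_-]+\.config)$
veeamdep ALL=(root) PASSWD: /usr/bin/rm ^-f /var/lib/vz/snippets/[a-zA-Z0-9_-]+\.config$
"""

def parse_rules(text):
    """Return (command, kind, argspec) tuples; kind is regex, wildcard or exact."""
    rules = []
    for line in text.strip().splitlines():
        spec = line.split("PASSWD:", 1)[1].strip()
        command, _, args = spec.partition(" ")
        if args.startswith("^") and args.endswith("$"):
            kind = "regex"  # anchored pattern: the whole argument string must match
        else:
            kind = "wildcard" if "*" in args else "exact"
        rules.append((command, kind, args))
    return rules

MATCH = {
    "regex": lambda spec, s: re.fullmatch(spec, s) is not None,
    "wildcard": lambda spec, s: fnmatch.fnmatchcase(s, spec),  # '*' also spans spaces
    "exact": lambda spec, s: s == spec,
}

def is_allowed(rules, command, argv):
    """Approximate sudo's decision for `command` invoked with the list `argv`."""
    joined = " ".join(argv)  # sudo matches arguments as one space-joined string
    return any(c == command and MATCH[k](spec, joined) for c, k, spec in rules)

RULES = parse_rules(SUDOERS)
# Constructed invocations (not from the article) with the decision each should get.
CASES = [
    ("/usr/sbin/qm", ["unlock", "101"], True),
    ("/usr/sbin/qm", ["unlock", "101", "102"], False),
    ("/usr/bin/rm", ["-f", "/var/lib/vz/snippets/vm101.config"], True),
    ("/usr/bin/rm", ["-f", "/var/lib/vz/snippets/sub/vm101.config"], False),
    ("/usr/bin/qemu-img", ["info", "--output=json", "/tmp/disk.qcow2"], True),
    ("/usr/sbin/dmidecode", ["-s", "system-serial-number"], False),
]

def failures():
    return [c for c in CASES if is_allowed(RULES, c[0], c[1]) != c[2]]
print("unexpected decisions:", failures())
```

The qemu-img case shows that a rule ending in * accepts any further arguments, whereas the ^...$ rules accept only the exact argument shape they spell out.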

Credentials Configuration within Veeam Backup & Replication 

Note: When using granular sudo permissions, ensure that the following options are not selected:

  • Add account to the sudoers file — Enabling this option would cause the Veeam software to add the account to the sudoers file with broader permissions than those specified in the granular sudoers example.
  • Use "su" if "sudo" fails — Enabling this option would cause Veeam Backup & Replication to switch to using the root account if any of the sudo commands fail due to a command not being included in the granular sudoers file. This could potentially mask a needed update to the granular sudoers file.