Adding an Alternate Symantec Veritas Backupexec User in Linux (RALUS)

So, I got frustrated recently at the fact that install documents for
Symantec/Veritas BackupExec simply states that you should use the root
user as the user that the backupexec agent (RALUS in linux) connects
to and runs as remotely.  I find that simply unacceptable, and in most
companies would simply be a violation of policy…the whole allowing a
remote connection to root part of it.  So I dug around for a few
minutes and came up with a solution which isn’t perfect, but it’s much
better than what they suggest in the backupexec manual (just using the
root user) . Lets create a root-like user, but strip them of certain
privileges…like a login shell…how handy.

First lets gather a little info about what a root user looks like…the
groups it’s in, the UID it has, etc…

** You either need to be logged into root, or have sudo access to root
do do this, and FYI I removed my password hashes for security…duh.

#id root && sudo -u root grep root /etc/passwd && sudo -u root grep
root /etc/shadow

You should get something similar to:

uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
root:x:0:0:root:/root:/bin/bash
root:<PasswordHashHere>:14634:0:99999:7:::

So basically that’s all the info we need to make our new backupexec
user as all powerful as the root user.

Lets implement what we gathered, but first lets look at what the
following command actually does; /usr/sbin/adduser is the binary (or
symlink to it) that adds users in linux. And the options we are going
to use are:

-u 0  (sets the user id number to 0 which matches root)

-o  (ignore the fact that another user already has this user id
number…root already has it…and that’s what we want)

-g 0 (set the initial group, or “default” group for our new user to
0…to match the root user’s initial login group)

-G 1,2,3,4,6,10  (add the user to the following auxiliary groups…to
match the same aux group as root)

-M (means don’t bother creating a home directory…we don’t need one
since it won’t be getting a shell anyhow)

-s /sbin/nologin (set the login shell to nologin which “politely
refuse a login” to ssh…meaning no interactivity which is fine for
this)

Ahh…now lets run it…notice the username at the very end. I picked
beoper as the user because that’s the group name that the default
backupexec installer creates…so I just chose to stick with it…you can
substitute any user name you like for “beoper”.

# /usr/sbin/adduser -u 0 -o -g 0 -G 0,1,2,3,4,6,10 -M -s /sbin/nologin beoper

Don’t forget to set a password for you new beoper user.

# sudo -u root passwd beoper

Now just edit /etc/group file and add your new “beoper” user to your
beoper group that the backupexec installer created, and you should be
good to go.

# sudo -u root /usr/sbin/vigr

Please let me know if this actually helps anyone…or if we need to make
any changes to make it more better…yes indeed I said more better. I
for one think there needs to be at least a mention of this, or similar
alternative in the Symantec Veritas Backupexec manual…at least as an
option to not use the root account!

Posted in Reviews, Recommendations, Best Practices

Leave a Reply

Your email address will not be published. Required fields are marked *

*