Search <book_title>...

Veritas NetBackup™ Appliance Security Guide

Last Published: 2023-06-08

Product(s): Appliances (5.1.1)

Platform: NetBackup Appliance OS

About the NetBackupCLI user role

A NetBackupCLI user can execute all NetBackup commands, view logs, edit NetBackup touch files, and edit NetBackup notify scripts. NetBackupCLI users are solely restricted to run NetBackup commands with superuser privileges and do not have access outside the scope of NetBackup software directories. Once these users log on, they are taken to a restricted shell from where they can run the NetBackup commands. The NetBackupCLI users share a home directory and do not have access to the NetBackup Appliance Web Console or the NetBackup Appliance Shell Menu.

Starting with appliance release 5.0, NetBackupCLI users can only run some commands as a superuser and are required to follow the NetBackup CLI authorization mechanism to authenticate and run such commands. Refer to the NetBackup Commands Reference Guide for more information on the exact permissions that are required by various NetBackup commands and command parameters.

The NetBackupCLI role can be assigned to a maximum of nine user groups at any given time. To create a local NetBackupCLI user, use the Manage > NetBackupCLI > Create command from theNetBackup Appliance Shell Menu. For more information, see the NetBackup Appliance Commands Reference Guide.

Note:

You cannot grant the NetBackupCLI role to an existing local user.

Table: Privileges and restrictions of the appliance NetBackupCLI user lists the rights and restrictions of NetBackupCLI users.

Table: Privileges and restrictions of the appliance NetBackupCLI user

Privileges	Restrictions
The NetBackupCLI user can use the NetBackup Appliance Shell Menu to do the following: Run the NetBackup CLI and access the NetBackup directories and files. Modify or create NetBackup notify scripts using the cp-nbu-notify command. Run the following NetBackup commands and for the following directories that contain the NetBackup CLI: `/opt/VRTSpbx/bin/` `/opt/VRTS/bin/` `/usr/openv/db/bin/` `/usr/openv/mqbroker/bin/goodies/` `/usr/openv/mqbroker/bin/install/` `/usr/openv/netbackup/bin/` `/usr/openv/netbackup/bin/admincmd/` `/usr/openv/netbackup/bin/goodies/` `/usr/openv/netbackup/bin/goodies/support/` `/usr/openv/netbackup/bin/support/` `/usr/openv/pdde/pdcr/bin/` `/usr/openv/pdde/vpfs/bin/` `/usr/openv/volmgr/bin/` `/usr/openv/volmgr/bin/goodies/` `/usr/openv/pdde/pdcr/bin/crcontrol` `/usr/openv/pdde/pdag/bin/mtstrmd` `/usr/openv/pdde/pdag/bin/pdcfg` `/usr/openv/pdde/pdag/bin/pdusercfg` `/usr/openv/pdde/pdconfigure/pdde`	The following restrictions are placed on NetBackupCLI users: NetBackupCLI users do not have access outside of the NetBackup software directories. They cannot edit the `bp.conf` file directly using an editor. Use the bpsetconfig command to set an attribute. The cp-nbu-config command supports creating and editing NetBackup touch configuration files only in the `/usr/openv/netbackup/db/config` directory. They cannot use the man or -h command to see the help of any other command. They cannot execute any command with an absolute path. All commands must be executed only with a short name. They cannot run most of the system commands, except a few read-only system commands, such as cat, date, whoami, ls, which, grep, sort, cut, jq and vi commands that work in read-only mode.

Privileges

Restrictions

The NetBackupCLI user can use the NetBackup Appliance Shell Menu to do the following:

Run the NetBackup CLI and access the NetBackup directories and files.
Modify or create NetBackup notify scripts using the cp-nbu-notify command.
Run the following NetBackup commands and for the following directories that contain the NetBackup CLI:
- /opt/VRTSpbx/bin/*
- /opt/VRTS/bin/*
- /usr/openv/db/bin/*
- /usr/openv/mqbroker/bin/goodies/*
- /usr/openv/mqbroker/bin/install/*
- /usr/openv/netbackup/bin/*
- /usr/openv/netbackup/bin/admincmd/*
- /usr/openv/netbackup/bin/goodies/*
- /usr/openv/netbackup/bin/goodies/support/*
- /usr/openv/netbackup/bin/support/*
- /usr/openv/pdde/pdcr/bin/*
- /usr/openv/pdde/vpfs/bin/*
- /usr/openv/volmgr/bin/*
- /usr/openv/volmgr/bin/goodies/*
- /usr/openv/pdde/pdcr/bin/crcontrol
- /usr/openv/pdde/pdag/bin/mtstrmd
- /usr/openv/pdde/pdag/bin/pdcfg
- /usr/openv/pdde/pdag/bin/pdusercfg
- /usr/openv/pdde/pdconfigure/pdde

The following restrictions are placed on NetBackupCLI users:

NetBackupCLI users do not have access outside of the NetBackup software directories.
They cannot edit the bp.conf file directly using an editor. Use the bpsetconfig command to set an attribute.
The cp-nbu-config command supports creating and editing NetBackup touch configuration files only in the /usr/openv/netbackup/db/config directory.
They cannot use the man or -h command to see the help of any other command.
They cannot execute any command with an absolute path. All commands must be executed only with a short name.
They cannot run most of the system commands, except a few read-only system commands, such as cat, date, whoami, ls, which, grep, sort, cut, jq and vi commands that work in read-only mode.

How to run NetBackup commands as a NetBackupCLI user

Log in as a NetBackupCLI user and type Command at the command prompt to enter into a restrictive shell environment. You can then run the NetBackup commands from that shell. Using absolute paths to run NetBackup commands is not allowed. For example, you can run bplist but you cannot run /usr/openv/netbackup/bin/admincmd/bplist from the command shell.

You may need additional authorization before you can run some of the NetBackup commands. You will see a different authorization prompt depending on the NetBackup command you are trying to run.

The following list describes the typical scenarios for successfully executing NetBackup commands:

Authorization prompt: web login is required
Some NetBackup commands may require a web login. You will see the following prompt:
A web login is required. Run the 'bpnbat -login -loginType WEB|WEBUI|APIKEY' command to login. EXIT STATUS 5930: The request could not be authorized.
To authenticate such requests, you must log in to the NetBackup Web Management Service as a NetBackup administrator and run the following command:
myappliance.NBCLIUSER> bpnbat -login -logintype WEB
The following shows an example WEB login:
```
Authentication Broker: ApplianceHostname
Authentication Port: 0
Authentication Type: unixpwd
LoginName: Username
Password: Password
Operation completed successfully.
```
Authorization prompt: web ui login required
Some NetBackup commands may require an approval using an access token. To authenticate such requests, generate an access code by running the following command:
# bpnbat -login -logintype webui -requestApproval
Make a note of the access code that is displayed in the command window.
Sign in to the NetBackup web UI as a NetBackup Command Line (CLI) Admin user and approve the CLI access request by entering the access code that you generated earlier. For more information about access key and approval requests, refer to the NetBackup Security and Encryption Guide.
Authorization prompt: superuser privileges required
Some NetBackup commands may require superuser privileges. You will see the following prompt:
EXIT STATUS 140: user id was not superuser
To authenticate such requests, use sudo to elevate the privileges and run the NetBackup commands using the absolute path. For example:
# sudo /usr/openv/netbackup/bin/nbkmscmd -discoverNbkms
If the authentication messages persist even after you have used the absolute path and sudo, you can use the WEB login method described earlier and run the following command for authenticating the request:
# sudo /usr/openv/netbackup/bin/bpnbat -login -loginType WEB

General considerations:

The authentication cases described earlier are typical scenarios. Some NetBackup commands may require other authentication methods. Refer to the NetBackup Commands Reference Guide for more information on the exact permissions that are required by various NetBackup commands and command parameters.
Some NetBackup commands are run as root by default. You can verify whether a particular command requires root privileges by running the following command:
nbucliuser-!> alias | grep NetBackup command
For example, nbkms command runs as root by default:
nbucliuser-!> alias | grep nbkms
alias nbkms='sudo -n /usr/openv/netbackup/bin/nbkms'
Some NetBackup commands are run by the current NetBackupCLI user by default. But there are some NetBackup command parameters that require root privileges. In such cases, you can use 'sudo <absolute path of command> <parameters>' to run the command.
If you see a prompt "sudo: a password is required", it means that the command cannot be run as root. Contact Veritas Technical Support for help with such scenarios.

How to run special directive operations

Special directive operations can fail if the special directive files and commands are not in the correct NetBackup list or path. One example of a special directive operation is when you specify an alternate restore path.

Appliance users that need to run NetBackup commands to access special directive files as a NetBackupCLI user, must do the following to ensure successful operation:

Add the /home/nbusers path to the NetBackup bpcd allowed list.
Add the special directive commands to the /home/nbusers directory.

For details about adding entries to the NetBackup bpcd allowed list, refer to the BPCD_WHITELIST_PATH configuration option in the following documents:

NetBackup Administrator's Guide, Volume 1

NetBackup Commands Reference Guide