Permissions for Veeam backup Linux repositories

0 Flares Twitter 0 Facebook 0 LinkedIn 0 Email -- 0 Flares ×

I’ve seen often Veeam users to configure their repositories using administrative permissions. This is a really bad practice as the most precious part of a Veeam environment, the backup files, are then exposed to security risks, in case anyone can obtain those credentials. And with the raise of cryptolockers and ransomware this behavior has become even more dangerous. For Linux repositories, users can configure their servers to use common users.

Linux repositories in Veeam

Veeam Backup & Replication, even if it’s mainly a Windows software, can also consume Linux servers as its backup repositories. The requirements are really simple, as you only need to be able to access the Linux box via ssh, and there must be Perl installed in the machine. Any distribution with these two requirement is supported. In my Lab I usually use CentOS, so my examples here will be based on this distribution; please adapt the different commands to your own distribution, if needed.
The super quick recommendation for you is: you do not need root to use a Linux repository!
Veeam only needs a regular user that has sufficient permissions to the folder where you want to store backups. Not even sudo is required. Besides, it is generally not considered best practice to provide sudo access to accounts used for Linux repositories. Far better is to create a restricted user and set the permissions on the repository directory to only that user.
Actually, the only real reason Veeam may need a root account at all is to initially modify sudoers, but if people are willing to add the veeam user account to sudoers manually (or via some configuration management) then we don’t need a root account as we’ll just use a regular account and sudo when required for things like file restore.

A practical example

In a new Veeam linux repository I have mounted a new backup volume as /mnt/veeamrepo:
[root@linuxrepo ~]# df -hT
Filesystem                    Type      Size  Used Avail Use% Mounted on
/dev/mapper/cl_linuxrepo-root xfs       8.0G  1.5G  6.5G  19% /
devtmpfs                      devtmpfs  1.9G     0  1.9G   0% /dev
tmpfs                         tmpfs     1.9G     0  1.9G   0% /dev/shm
tmpfs                         tmpfs     1.9G  8.5M  1.9G   1% /run
tmpfs                         tmpfs     1.9G     0  1.9G   0% /sys/fs/cgroup
/dev/sda1                     xfs      1014M  186M  829M  19% /boot
/dev/rbd0                     xfs       200G   33M  200G   1% /mnt/veeamrepo
tmpfs                         tmpfs     380M     0  380M   0% /run/user/0
This volume, with 200GB of free space, is the folder where I want to store my Veeam backups. For this, I need to setup the needed permissions. CentOS allows to create a new regular user directly during the installation process:
but let’s say we didn’t create any user yet, so we only have the root account in this machine. We first create a new user dedicated to our backups:
useradd -d /home/repouser -m repouser
passwd repouser
Then, we configure the folder permissions so that this is the user allowed to access the folder /mnt/veeamrepo:
chown repouser.repouser veeamrepo/
chmod 700 veeamrepo
What we have done here? We have changed the ownership of the folder to the user “repouser”, and we gave full permissions to this user only over the folder. Only this user has “rwx” permissions.  All others would be denied. Then, in Veeam, we go and configure the Linux repository. At the credentials step, we register the username we created before, with its password:
Before you can populate the list of available folders, remember you need to have the required Perl modules installed. On a CentOS 7 machine like mine, you can follow this blog post. If the software prerequisites are all satisfied, you will see the volume among the available ones:
And you can complete the wizard, and have your Linux repository ready to be used.
Before starting any backup, there’s one more thing you need to configure: just because you were able to connect via ssh, you may think that the Linux firewall is not enabled, but in reality it is enabled. So, if you just try to run a backup, at the “initializing storage” step, you will get an error:
The error says “A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond”. This error says that the proxy tried to connect to the repository over port 2500 (one of the dynamic RPC ports Veeam uses) but this port was not reachable. This is because the firewall is still up and running. You can decide to create a dedicated rule for Veeam, or to completely disable the firewall. On CentOS 7, you can do it by running these two commands:
systemctl disable firewalld
systemctl stop firewalld

What about root?

Regarding keeping root out of this folder, there’s really no practical way to do this. Some would say you can create a SElinux/Apparmor policy, but, the problem is, the user that is root can almost certainly reboot the system with these things disabled and/or change these policies. Otherwise, in every other scenario like the one I described, root can access the folder as much as the dedicated user. The normal way in the Linux world is, if you want to protect your files from root, would be to use per-user encryption. This is why many Linux distros ask you to setup home directory encryption during install. The root user can still access the files, but all of the data is encrypted and cannot be read without the passphrase.  I’d recommend the use of Veeam encryption for this use case to provide the same protection.