Phani's profile - activity

2018-03-23 06:23:20 -0600 received badge  Editor (source)
2018-03-23 06:02:13 -0600 answered a question can we run network backup agent as not root user

Thanks for the comments Jameer.

As known, the privileges functionally needed by the agent are only read privilege on the files/folders being backedup and write permission on Vembu's housekeeping data folders. So mandating the agent to be run as admin(super) user is violation of the cardinal security "Principle of least Privilege" (https://en.wikipedia.org/wiki/Principleofleast_privilege) . Running agent as root is a security vulnerability. Example of a potential risk: a malicious program/hacker exploiting this and getting other files out of the host via the agent since superuser has permission to read any file on the server. This is just one example and there could be many potential exploitations of this vulnerability. Moreover, Vembu backup works as a pull model. i.e. backup schedule is maintained on the external backup server & for backup, program running on backup server contacts the agent running on the database server and pulls the data via the agent. Consequently the agent needs to be up and listening 24x7 since it doesn't know when all the backup server machine program will request for data. For production envs, running 24x7 aggravates the security vulnerability of the agent running as root.

It is more than an year since we brought up this legitimate concern. We would appreciate if Vembu can expedite the testing and certification of scenario of running the Vembu backup agent as non-admin account. We are using Ubuntu Linux 14.04; This would further enhance customer satisfaction & security compliance of your good product.

2018-03-14 06:36:14 -0600 answered a question can we run network backup agent as not root user

Jameer, 1) Any updates on this. ? 2) I had looked at the code of the Vembu agent script startVembuNetworkBackup.sh and realised that passing it nonrootusername as command line parameter cause the agent process to run as that non-root user; We even tested it by starting up the agent giving nonroot user as param and ran backups etc. All were successful. Can you comment if we can use this method. -Phani Arega

2016-12-30 10:56:49 -0600 commented answer can we run network backup agent as not root user

Jameer, Regarding the Vembu backup agent process (VembuNetworkBackup that listens on port 31005) running as root, it doesn't have any chroot privilege dependency right? So with the current product code, could you let us know if and what is the way to run this agent process as non root user (while apache runs as root)

Copyright © Vembu Technologies 2020. All Rights Reserved.