Unsolved
61 Posts
0
445
May 11th, 2022 13:00
Any server where the user logs in as "administrator" can recover data from all servers!
This was unexpectedly reported by a consultant who asked us to back up his laptop and tried to recover a file.
Where should I be looking? I don't have any wildcards but
nsradmin -> show -> print type:NSR usergroup
is messy,
For the user groups, should it not be user@server rather than user=X, host=Y?
Also I read this.
The following users have permission to recover any files on any client, regardless of the users who
are listed in the Remote Access attribute:
‘Root’ user on a UNIX host
Member of the ‘Administrators’ local group on a Windows host
Members of a ‘Application Administrator’ User group on the NetWorker Server
Members of a NetWorker Server User group that has the ‘Change Security Settings’ privilege
Does this mean NetWorker can only be installed where you have total control of the "admin/root" users on all servers?
bingo.1
2.4K Posts
1
May 11th, 2022 14:00
NetWorker uses an independent user/rights scheme. And the NW account 'administrator' is the super-user for the whole data zone.
If you use the Admin GUI you indeed have access to all backup data which have been created within the data zone. That of course simplifies the scenario where he needs to assist others recovering their data. This is called the 'directed recovery' method.
Of course you can define other users with their specific/limited privileges but the 'administrator' can do everything - one must rule the game.
If you are using a client recovery method - either the 'recover' command or the Windows User GUI (winworkr.exe), you will have the appropriate rights of your user account.
To fulfill all necessary tasks, it is recommended to install NW as the 'OS super user' which is 'administrator' for Windows and 'root' for UNIX/Linux.
Max_Williamson
61 Posts
0
May 12th, 2022 02:00
We have dealt with the problem. Caused by historical "issues" and people not specifying a host component to the access lists!
However I still have issues with
The following users have permission to recover any files on any client, regardless of the users who
are listed in the Remote Access attribute:
Root .....
Can I check that root of one server can NOT recover from the backup of another server?
So Steve (the root owner of the H.R. server) can not recover from John (root owner for intellectual property server).
barry_beckers
393 Posts
1
May 15th, 2022 09:00
That sentence is about local files, in my experience. So the local root and Administrator users can always restore the files from their own client.
If remote access is defined, then only with the Windows NetWorker user GUI you'd see the other clients besides the local client.
Other OS platforms do not have a GUI anymore since some NW 8.x version. There was an issue with the GUI and instead of fixing it, it seemed it was simply removed. Possibly as UNIX/Linux admins would be all about CLI anyways. However, that is my interpretation of how that went, as it does not make sense to deprecate the NW GUI on UNIX/Linux but keep it for Windows without clearly stating why?
NW user/RBAC is still one of the major pain points of the product. Still not always clearly stating what permissions are needed when, leading at times to specifying too much.
And then there is the dreaded let's give NW admin permissions and give the clients remote access *@* and call it a day. There are still many KB articles that state that as a "solution" instead of calling it a workaround to test functionality in case of issues.
With more recent features like NW vProxy to make VMware image level backups, actual granular permissions are (too?) much to be desired for. You want and need actual control over pretty much anything, down to a single VM or even disk.
Yes we came from far, from the times that all oracle users needed to be nw admin, but there is still a long way to go.
Let's see how well PPDM does wrg to that when testing this soon?
Max_Williamson
61 Posts
0
May 15th, 2022 09:00
Thanks for all the replies.
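Added example, not part of the thread and not Dell's code: a small audit of saved nsradmin output that flags the two problems mentioned above, access-list entries without a host component and wildcard entries such as *@*. The sample text, the host names, the `attribute: value;` layout and the attribute names `users` and `remote access` are assumptions constructed for illustration; run the audit against your own saved output.

```python
import re

# Constructed sample in an assumed "attribute: value;" layout (not real output).
SAMPLE = """\
                        type: NSR usergroup;
                        name: Application Administrators;
                       users: "user=root,host=nwserver", "user=administrator",
                              administrator@nwserver;

                        type: NSR client;
                        name: hr-server;
               remote access: *@*, steve@hr-server;
"""

ENTRY = re.compile(r'"([^"]*)"|([^,\s"][^,"]*)')  # quoted or bare list item

def parse_resources(text):
    # Resources are separated by blank lines; attributes end with ';'.
    for block in re.split(r"\n\s*\n", text.strip()):
        res = {}
        for attr in " ".join(block.split()).split(";"):
            key, sep, value = attr.partition(":")
            if sep:
                res[key.strip()] = value.strip()
        yield res

def entries(value):
    found = [(q or u).strip() for q, u in ENTRY.findall(value)]
    return [e for e in found if e]

def problem(entry):
    # Returns a reason string for a risky entry, or None if it names a host.
    if "*" in entry:
        return "wildcard"
    if "=" in entry:  # user=X,host=Y form
        fields = dict(p.strip().split("=", 1) for p in entry.split(",") if "=" in p)
        host = fields.get("host", "")
    else:  # user@host form
        host = entry.partition("@")[2]
    return None if host.strip() else "no host component"

def audit(text):
    findings = []
    for res in parse_resources(text):
        for attr in ("users", "remote access"):
            for e in entries(res.get(attr, "")):
                if problem(e):
                    findings.append((res.get("type"), res.get("name"), e, problem(e)))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
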