

UNIX, Linux, and Mac OS X Access Control Lists

For UNIX, Linux, and Mac OS X client agents, ACLs are supported in Single User mode only. This is also known as No Password mode. A UNIX, Linux, or Mac OS X client agent (or database backup agent) can be put into Single User mode by specifying a NOPASSWORD entry in its corresponding section of the Common Agent configuration file, agent.cfg, located in /opt/CA/ABcmagt. A UNIX, Linux, or Mac OS X client agent can also be put into Single User mode by specifying the -S or -NOPASSWORD option in uag.cfg. You can use two types of ACLs with the UNIX, Linux, or Mac OS X client agent: ACLs that allow or deny specific users, and ACLs that allow or deny specific IP addresses.

Example: Allow or Deny Users

An access control list can deny or allow specific users to perform backups or restores. For example, a part of the agent.cfg file is shown in the following sample. You need to make similar changes for other client agent sections if you want to apply ACLs to those client agents too.

[0]
NAME ABagentux
VERSION nn.n.n
HOME /opt/Arcserve/ABuagent
NOPASSWORD
CAUSER A:CAUSER1 N:CAUSER2

NOPASSWORD enables Single User mode, and CAUSER specifies the users for whom permission is being granted or denied. (A stands for ALLOW and N stands for DENY.) A:CAUSER1 enables CAUSER1 to perform jobs, and N:CAUSER2 denies access to CAUSER2.

Note: For UNIX and Linux client agents, the object type is [0]. For the Mac OS X client agent, the object type is [4].

Example: Access the System with IP Addresses

An access control list can determine whether specific IP addresses can access the system. For example, a part of the agent.cfg file is shown in the following sample. You must make similar changes for other client agent sections of the file if you want to apply ACLs to those client agents too.

[0]
NAME ABagentux
VERSION nn.n.n
HOME /opt/Arcserve/ABuagent
NOPASSWORD
ALLOW N:172.16.0.0(255.255.255.0) H:172.31.255.255
DENY N:192.168.0.0(255.255.255.0) H:192.168.255.255

NOPASSWORD enables the Single User mode, and ALLOW and DENY specify whether a particular network or IP address is allowed to access the system. N denotes a network address and H denotes a host’s IP address.

Note: An optional subnet mask can follow a network address; subnet masks are shown in parentheses.

For UNIX, Linux, and Mac OS X client agents, the specific type of ACL can be specified in uag.cfg, or you can specify it using the -S, -NOPASSWORD, -CAUSER, -ALLOW, and -DENY options. For more information about these options, see the section Configurable Options.

You can apply both types of ACLs concurrently. In each case, DENY takes precedence over ALLOW. In the Single User mode, all operations on the client agent are performed with superuser privileges. The caagentd.log contains information about the users, IP addresses, and network addresses denied during Single User mode.
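
Because Single User mode runs every operation as superuser, it is worth auditing agent.cfg for sections that set NOPASSWORD without any ACL, and checking how an address resolves when ALLOW and DENY overlap. The following is an added example, not Arcserve code: the function names and the sample file are constructed, a network entry without a mask is skipped rather than guessed, and an address matching no entry is reported as "unlisted" because the documentation above does not state the default.

```python
import ipaddress
import re

# Constructed sample in the layout shown above; the [4] section's NAME is hypothetical.
SAMPLE_CFG = """\
[0]
NAME ABagentux
NOPASSWORD
CAUSER A:CAUSER1 N:CAUSER2
ALLOW N:172.16.0.0(255.255.0.0) H:172.31.255.255
DENY N:172.16.5.0(255.255.255.0) H:192.168.255.255
[4]
NAME constructed_mac_agent
NOPASSWORD
"""

def parse_sections(text):
    """Return {object_type: {keyword: [tokens]}} for agent.cfg-style text."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(\d+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif line and current is not None:
            key, *tokens = line.split()
            current.setdefault(key, []).extend(tokens)
    return sections

def to_network(token):
    """Map N:addr(mask) or H:addr to an ip_network; None if not evaluable."""
    m = re.fullmatch(r"([NH]):([\d.]+)(?:\(([\d.]+)\))?", token)
    if not m or (m.group(1) == "N" and m.group(3) is None):
        return None  # assumption: a mask-less network is left for manual review
    mask = m.group(3) if m.group(1) == "N" else "255.255.255.255"
    return ipaddress.ip_network(f"{m.group(2)}/{mask}", strict=False)

def decide(section, ip):
    """DENY is checked first, per the precedence rule; no match is 'unlisted'."""
    addr = ipaddress.ip_address(ip)
    def hit(key):
        nets = (to_network(t) for t in section.get(key, []))
        return any(n is not None and addr in n for n in nets)
    return "deny" if hit("DENY") else "allow" if hit("ALLOW") else "unlisted"

def unrestricted(sections):
    """Object types in Single User mode with no CAUSER, ALLOW or DENY entry."""
    acl_keys = {"CAUSER", "ALLOW", "DENY"}
    return [sid for sid, s in sections.items()
            if "NOPASSWORD" in s and not (s.keys() & acl_keys)]
```

Calling unrestricted(parse_sections(text)) on the contents of a real agent.cfg lists the sections to review first; the decisions this sketch returns should be compared against the denials recorded in caagentd.log.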