8

I'm working on an application which uses Volume Shadow Copy Service to back up a particular file at regular intervals. This works when run as admin, but when I run the service under the "Network Service" account, which I believed to be the correct choice for such an application, I am unable to set the SE_BACKUP_NAME privilege and therefore unable to use VSS.

It seems incorrect to run the service as admin but that seems to be the only option. Do I have any other choice?

John Gardeniers
JWood
  • 2
    You can create a user with the required permissions specifically for this purpose –  May 16 '11 at 11:21
  • 4
    Is the "Backup Operators" group no longer around? Sounds like a good fit. – Cody Gray May 16 '11 at 11:37
  • Yeah, the backup operators might just be the answer. I've been looking at built-in user accounts and didn't realise there was a backup operators group. Seems like it should be what I need. –  May 16 '11 at 11:54

2 Answers

5

Backup software should run as "a user with the lowest privilege level required in order for it to read & back up all of the files you want backed up".

Typically this means root (or some other UID 0 account) on Unix systems, and a member of the Backup Operators group on recent versions of Windows.
Some Windows backup software that doesn't take advantage of the Backup Operators functionality may need to be run from either a Local Admin or Domain Admin account, but these should be extremely rare, and if you're using backup software specifically for Windows that shouldn't happen...

voretaq7
  • 2
    On Windows this isn't as rare as it should be. e.g. Backup Exec, which is as common as flies on a cow, requires the account it uses to be a Domain Admin. – John Gardeniers Jun 03 '11 at 23:57
  • 1
    @John - We do not speak of the BackupExec in polite company. You know better. Now go into the server room, turn around 3 times, spit and curse. – voretaq7 Jun 04 '11 at 06:30
  • sorry. I don't know what came over me. I've done as instructed, plus made a circle of salt, just to be sure. – John Gardeniers Jun 04 '11 at 13:28
  • It's OK - we only said its name twice. It can't come through the mirror unless we say it 3 times... – voretaq7 Jun 05 '11 at 23:21
  • The problem with "Backup Operators" is that it has enough privileges to back up and restore all files. I really wish my backup software only had read-only access to the OS and the ability to invoke the volume shadow service. Restoring is done manually by the admin, and if necessary to be done by a daemon, then sudo/UAC should happen then. – Justin Dearing Jun 06 '11 at 16:26
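Added example (not part of the original answers or comments): a Python check over `whoami /priv /fo csv` output captured under the service account. It shows why SE_BACKUP_NAME cannot be enabled when the privilege is absent from the token, and what else a Backup Operators member carries. Both sample outputs are constructed, English column headers are assumed, and the `EXCESS` set is this example's own policy choice.

```python
import csv
import io

# SE_BACKUP_NAME in the question is the Win32 constant for "SeBackupPrivilege".
REQUIRED = {"SeBackupPrivilege"}
# Assumption of this example: rights a read-only backup job should not hold.
EXCESS = {"SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeDebugPrivilege"}

# Constructed sample: a service token without the backup privilege.
NETWORK_SERVICE_SAMPLE = '''"Privilege Name","Description","State"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
"SeImpersonatePrivilege","Impersonate a client after authentication","Enabled"
"SeCreateGlobalPrivilege","Create global objects","Enabled"
'''

# Constructed sample: a dedicated account that is a member of Backup Operators.
BACKUP_OPERATOR_SAMPLE = '''"Privilege Name","Description","State"
"SeBackupPrivilege","Back up files and directories","Disabled"
"SeRestorePrivilege","Restore files and directories","Disabled"
"SeShutdownPrivilege","Shut down the system","Disabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
'''


def parse_whoami_priv(csv_text):
    """Return {privilege name: state} from `whoami /priv /fo csv` output."""
    reader = csv.DictReader(io.StringIO(csv_text.strip()))
    return {row["Privilege Name"]: row["State"] for row in reader}


def audit(csv_text):
    """Classify the token's privileges against REQUIRED and EXCESS."""
    privs = parse_whoami_priv(csv_text)
    held = set(privs)
    return {
        # Not in the token at all: the process cannot enable it.
        "missing": sorted(REQUIRED - held),
        # In the token but disabled: the application must enable it first.
        "must_enable": sorted(p for p in REQUIRED if privs.get(p) == "Disabled"),
        # Held although a read-only backup does not need it.
        "excess": sorted(EXCESS & held),
    }


if __name__ == "__main__":
    for name, sample in [("Network Service", NETWORK_SERVICE_SAMPLE),
                         ("Backup Operators member", BACKUP_OPERATOR_SAMPLE)]:
        print(name, audit(sample))
```
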
-1

Normally backup software installation grants the correct privileges to the user the SysAdmin selects to run the backup.

If this is not your case, you should check the software documentation.

Generally, if you don't want to use a user that is a member of the Administrators group, the user should be able to connect to the network (in your case) and to bypass security to make backups. You can grant these privileges in the Security Policy editor.

lrosa
  • I'm not going to mark you down, but you need to clarify what you mean by "bypass security... grant privilege". It's not clear what you're suggesting and sounds like a security hole. – gravyface May 18 '11 at 12:59
  • 1
    I'm not as nice as @Gravyface. – Chris S May 18 '11 at 13:09
  • @gravyface, @Chris S: did you ever install backup software on Windows? Say BackupExec. Did you ever read the popup that appears right after you specify the user account of BackupExec? Did you ever read what makes a "Backup user" different from a normal user in a Windows environment? – lrosa May 18 '11 at 13:40
  • 1
    Here's the Windows documentation: http://technet.microsoft.com/en-us/library/dd277311.aspx Backup Operators: "Allows the user to circumvent file and directory permissions to backup the system. The privilege is selected only when the application attempts to access through the NTFS backup application interface." – lrosa May 18 '11 at 13:43
  • @Irosa: yes, many times, but like I said, "bypass security" implies something entirely different than creating a backup user or adding a user to the Backup Operators group. – gravyface May 18 '11 at 13:46
  • "Bypass security to make backup" is exactly the privilege you grant to a user when you add it to backup operators. – lrosa May 18 '11 at 13:47
  • 1
    @Irosa: you need to add that link/explanation to your answer and I'm sure @Chris S and others will up vote you as that is indeed correct. – gravyface May 18 '11 at 13:49