HP-UX Whitelisting A.01.02 Administrator Guide (766164-001, March 2014)

Example 4 Backup and restore without wliwrap
The alternative to temporarily granting wmd capability with wliwrap is to permanently grant wmd
with wlisign. This example describes how to create an archive containing policy protected files
with a backup command granted permanent wmd capability. The archive is then restored with a
restore command also granted permanent wmd capability.
For this example, the platform has VxFS 5.0.1 file systems installed and the wmdstoretype
attribute has the value auto, set by the wlisys command. This combination implies that named data
streams are used to store policy protected metadata. Veritas NetBackup is then required to back up
files with named data streams. The bpbackup and bprestore commands are installed for backup
and restore operations respectively.
The commands are signed and granted wmd:
% wlisign -a -k adm1.pvt -o wmd /usr/openv/netbackup/bin/bpbackup
% wlisign -a -k adm1.pvt -o wmd /usr/openv/netbackup/bin/bprestore
To grant wmd to the commands, the adm1.pvt key must be a WLI administrator key. This key was
granted administrator privilege in Example 1 (page 40).
The bpbackup and bprestore commands are now able to back up and restore metadata in
named data streams as well as in regular files. These commands have wmd capability, which grants
read/write access to all metadata, whether stored in named streams or in regular files under
.$WLI_POLICY$ directories. The wmd capability also permits bpbackup and bprestore to
access policy protected files permanently, without regard to policy restrictions. Due to security
concerns, HP does not recommend granting a command permanent wmd capability.
For example, to start a user backup of the files listed in backup_list:
% bpbackup -f backup_list
To restore the files in backup_list:
% bprestore -f backup_list
File ownership and permission bits must also allow bpbackup and bprestore to access the files.