Skip to main content
Solved

Authentication while installing and uninstalling Commvault software agent

  • January 5, 2022
  • 8 replies
  • 1156 views

Mohit Chordia
Byte
Forum|alt.badge.img+11

Hi Community ,

As a security ask , can we implement Commvault user authentication while installing or uninstalling cv software either locally or through console ?

I observe that while installing CV software locally , user authentication is required but while uninstalling there is no authentication requirement. Let me know if this is done for a purpose? 

 

Best answer by pgokhale

We can’t  control administrators doing actual install or uninstall of software on their own client.  

 

during installation:  They install software on the client (no commvault permissions exist in the local OS)  but we won’t let them register with commserve without proper auth code or credentials

 

during uninstall:  They would remove local binaries.  we can’t prevent them as they control the operating system.  At that time, we just record the uninstall action on CS.  It is reflective of what happened.  It is not about permissions at that point.  Even if they don’t have permissions, we would like to know.

 

Also they can uninstall without any network connectivity to commserve and we can’t stop them.  in that case, we won’t even know they uninstalled.

 

View original
Did this answer your question?

8 replies

Scott Moseman
Vaulter
Forum|alt.badge.img+18

To uninstall from the CommCell Console, you will need the necessary permissions (docs).
To uninstall locally from the client, you would need the necessary OS rights on the client.

Are you suggesting the Commvault uninstaller should reach out to the CommServe during the uninstall request and verify, I assume through Commvault roles, that the user has the necessary permissions to uninstall the software?

Thanks,
Scott
 


Forum|alt.badge.img+3
  • Vaulter
  • 11 replies
  • January 6, 2022

Scott is correct.   Local installation/uninstallation is subject to OS rights.  There is nothing that Commvault security roles can dictate.   It involves copying files and making registry entries.

 

Registering a client with Commserve (and unregistering) is already controlled by commvault security roles.


Forum|alt.badge.img+15
  • Byte
  • 386 replies
  • January 6, 2022
pgokhale wrote:

Scott is correct.   Local installation/uninstallation is subject to OS rights.  There is nothing that Commvault security roles can dictate.   It involves copying files and making registry entries.

Absolutely

pgokhale wrote:

Registering a client with Commserve (and unregistering) is already controlled by commvault security roles.

Well, to install on the OS and register a client you have to authenticate or provide a token.

But when you uninstall from the OS directly, you’re not asked to provide an auth code.

I think that’s what is highlighted by @Mohit Chordia , which I understand.

Then we may dig how useful (or painful) it would be to ask for such validation upon uninstallation.. There, my opinion is balanced… 


Mohit Chordia
Byte
Forum|alt.badge.img+11

@pgokhale @Scott Moseman 

When we install backup software on client , it asks for authentication as displayed in below screenshot but the same doesn't happen when we uninstall backup software . Is this not a concern ?

Any specific reason why the authentication is only required while installing and not during uninstallation  ?

 


Forum|alt.badge.img+3
  • Vaulter
  • 11 replies
  • January 6, 2022

During installation,  this client is a new entity.  We need to authenticate with the commserve to register the installation

 

During uninstall:  Client is already a known entity on the commserve.  when adminstrator of the client is doing the install,  we have necessary unique information to tell commserve that software was uninstalled.  We don’t need the administrator to type anything to declare that they are legit.  Having admin access to the client and removing binaries/installation is proof enough that you uninstalled.

 

Hope this helps!

 


Forum|alt.badge.img+3
  • Vaulter
  • 11 replies
  • January 6, 2022

To clarify further:

 

uninstalling software doesn’t not touch the data stored.  It simply marks the client as uninstalled.  (deconfigured).  And that is to reflect true state of the client system


Mohit Chordia
Byte
Forum|alt.badge.img+11

What is the harm in putting authentication during uninstallation as well ?

Anyone with access to machine can uninstall backup software which will impact upcoming backups ? 

 


Forum|alt.badge.img+3
  • Vaulter
  • 11 replies
  • Answer
  • January 6, 2022

We can’t  control administrators doing actual install or uninstall of software on their own client.  

 

during installation:  They install software on the client (no commvault permissions exist in the local OS)  but we won’t let them register with commserve without proper auth code or credentials

 

during uninstall:  They would remove local binaries.  we can’t prevent them as they control the operating system.  At that time, we just record the uninstall action on CS.  It is reflective of what happened.  It is not about permissions at that point.  Even if they don’t have permissions, we would like to know.

 

Also they can uninstall without any network connectivity to commserve and we can’t stop them.  in that case, we won’t even know they uninstalled.

 


Reply


Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings