+11Hi Community ,
As a security ask , can we implement Commvault user authentication while installing or uninstalling cv software either locally or through console ?
I observe that while installing CV software locally , user authentication is required but while uninstalling there is no authentication requirement. Let me know if this is done for a purpose?
Best answer by pgokhale
We can’t control administrators doing actual install or uninstall of software on their own client.
during installation: They install software on the client (no commvault permissions exist in the local OS) but we won’t let them register with commserve without proper auth code or credentials
during uninstall: They would remove local binaries. we can’t prevent them as they control the operating system. At that time, we just record the uninstall action on CS. It is reflective of what happened. It is not about permissions at that point. Even if they don’t have permissions, we would like to know.
Also they can uninstall without any network connectivity to commserve and we can’t stop them. in that case, we won’t even know they uninstalled.
+18To uninstall from the CommCell Console, you will need the necessary permissions (docs).
To uninstall locally from the client, you would need the necessary OS rights on the client.
Are you suggesting the Commvault uninstaller should reach out to the CommServe during the uninstall request and verify, I assume through Commvault roles, that the user has the necessary permissions to uninstall the software?
Thanks,
Scott
Scott is correct. Local installation/uninstallation is subject to OS rights. There is nothing that Commvault security roles can dictate. It involves copying files and making registry entries.
Registering a client with Commserve (and unregistering) is already controlled by commvault security roles.
Scott is correct. Local installation/uninstallation is subject to OS rights. There is nothing that Commvault security roles can dictate. It involves copying files and making registry entries.
Absolutely
Registering a client with Commserve (and unregistering) is already controlled by commvault security roles.
Well, to install on the OS and register a client you have to authenticate or provide a token.
But when you uninstall from the OS directly, you’re not asked to provide an auth code.
I think that’s what is highlighted by
Then we may dig how useful (or painful) it would be to ask for such validation upon uninstallation.. There, my opinion is balanced…
+11When we install backup software on client , it asks for authentication as displayed in below screenshot but the same doesn't happen when we uninstall backup software . Is this not a concern ?
Any specific reason why the authentication is only required while installing and not during uninstallation ?
During installation, this client is a new entity. We need to authenticate with the commserve to register the installation
During uninstall: Client is already a known entity on the commserve. when adminstrator of the client is doing the install, we have necessary unique information to tell commserve that software was uninstalled. We don’t need the administrator to type anything to declare that they are legit. Having admin access to the client and removing binaries/installation is proof enough that you uninstalled.
Hope this helps!
To clarify further:
uninstalling software doesn’t not touch the data stored. It simply marks the client as uninstalled. (deconfigured). And that is to reflect true state of the client system
+11What is the harm in putting authentication during uninstallation as well ?
Anyone with access to machine can uninstall backup software which will impact upcoming backups ?
We can’t control administrators doing actual install or uninstall of software on their own client.
during installation: They install software on the client (no commvault permissions exist in the local OS) but we won’t let them register with commserve without proper auth code or credentials
during uninstall: They would remove local binaries. we can’t prevent them as they control the operating system. At that time, we just record the uninstall action on CS. It is reflective of what happened. It is not about permissions at that point. Even if they don’t have permissions, we would like to know.
Also they can uninstall without any network connectivity to commserve and we can’t stop them. in that case, we won’t even know they uninstalled.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
