Storing [BORG_CACHE_DIR|BORG_SECURITY_DIR] files as a non-root user while being able to backup files owned by root? #8044
Comments
Borg does not do tricks concerning storing files as another user. If you need to access files of multiple users, system files, etc., just run borg as root and it will work. Setuid only works for binaries (didn't try the pyinstaller-made binaries though). There is also a method using capabilities, see the ticket about that.
I do exactly that using Linux capabilities: https://man7.org/linux/man-pages/man7/capabilities.7.html. I add those via a systemd service that actually runs the backup. Basic systemd service:
This will run the backup script as the non-root user borg, but while running inside this service the script and thus the borg binary being called has the CAP_DAC_READ_SEARCH capability. CAP_DAC_READ_SEARCH gives you read-only access to all directories and all files, ignoring all other filesystem permissions.
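A unit of the kind described in the comment above, as an added example that is not from the thread. The unit name, script path and directory locations are assumptions; `AmbientCapabilities=` needs systemd 229 or newer on Linux 4.3 or newer, and `StateDirectory=`/`CacheDirectory=` need systemd 235 or newer.

```ini
# /etc/systemd/system/borg-backup.service  (hypothetical unit name)
[Unit]
Description=Borg backup as an unprivileged user with CAP_DAC_READ_SEARCH
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot

# Run as the non-root user; cache and security files end up owned by it.
User=borg
Group=borg

# Ambient capabilities survive execve(), so the script and the borg
# binary it calls both keep CAP_DAC_READ_SEARCH without setuid or sudo.
AmbientCapabilities=CAP_DAC_READ_SEARCH

# Cap the service at this one capability and block regaining others
# through setuid/setgid or file-capability binaries.
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
NoNewPrivileges=yes

# systemd creates /var/lib/borg and /var/cache/borg owned by User=.
StateDirectory=borg
StateDirectoryMode=0700
CacheDirectory=borg
CacheDirectoryMode=0700

# Point borg's internal data at those borg-owned directories.
Environment=BORG_CACHE_DIR=/var/cache/borg
Environment=BORG_SECURITY_DIR=/var/lib/borg/security

# Hypothetical wrapper script that runs "borg create ...".
ExecStart=/usr/local/bin/borg-backup.sh
```

Everything the script executes inherits the capability and can read any file on the host, so keep the script and the borg binary root-owned and not writable by the borg user.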
@stephan13360 can you check our docs if we already have something like that (iirc: no) and if not, make a PR against 1.4-maint branch? Guess that would help a lot of users.
Hello!
Have you checked borgbackup docs, FAQ, and open GitHub issues?
Honestly, no: I think this might be outside of Borg's scope (or not... ^^).
Is this a BUG / ISSUE report or a QUESTION?
Question.
Your borg version (borg -V).
borg-linuxold64 1.2.7 (standalone binary)
Operating system (distribution) and version.
OpenVZ 7 => ldd (GNU libc) 2.17 (yes, you read it right...)
Long story short 1
I would like to run Borg (create) as an unprivileged user (e.g.: borg-backup => uid 6666).
But I also need Borg to back up files owned by root (--stdin-user USER might help but is not convenient).
Long story short 2
I need files present in [BORG_CACHE_DIR|BORG_SECURITY_DIR] to be owned by a non-root user (eg: borg-backup)
But I also need to run Borg using a script executed by "root" or "borg-backup" (uid 6666).
Long story short 3
I tried "Setgid bit" (Borg binaries and tgz), tried "sudo -u borg-backup -- borg-linuxold64" and some other stupid things...
Is there a clean way to invoke Borg to store internal data (config/cache/security) as a normal user while being able to save some files owned by root?
Please, feel free to send me a RTFM and close this issue if I missed something.
Have a great night!