
Storing [BORG_CACHE_DIR|BORG_SECURITY_DIR] files as a non-root user while being able to backup files owned by root? #8044

Open
trendymail opened this issue Jan 14, 2024 · 4 comments

@trendymail

Hello!

Have you checked borgbackup docs, FAQ, and open GitHub issues?

Honestly, no: I think this might be outside of Borg's scope (or not... ^^).

Is this a BUG / ISSUE report or a QUESTION?

Question.

Your borg version (borg -V).

borg-linuxold64 1.2.7 (standalone binary)

Operating system (distribution) and version.

OpenVZ 7 => ldd (GNU libc) 2.17 (yes, you read it right...)

Long story short 1

I would like to run Borg (create) as an unprivileged user (e.g.: borg-backup => uid 6666).

But I also need Borg to backup files owned by root (--stdin-user USER might help but is not convenient).

Long story short 2

I need files present in [BORG_CACHE_DIR|BORG_SECURITY_DIR] to be owned by a non-root user (e.g.: borg-backup).

But I also need to run Borg using a script executed by "root" or "borg-backup" (uid 6666).

Long story short 3

I tried "Setgid bit" (Borg binaries and tgz), tried "sudo -u borg-backup -- borg-linuxold64" and some other stupid things...

Is there a clean way to invoke Borg to store internal data (config/cache/security) as a normal user while being able to save some files owned by root?

Please, feel free to send me a RTFM and close this issue if I missed something.

Have a great night!

@ThomasWaldmann
Member

borg does not do tricks concerning storing files as another user.

if you need to access files of multiple users, system files, etc. just run borg as root and it will work.

setuid only works for binaries (didn't try the pyinstaller-made binaries though).

there is also a method using capabilities, see the ticket about that.

@stephan13360
Contributor

I do exactly that using linux capabilities: https://man7.org/linux/man-pages/man7/capabilities.7.html

I add those via a systemd service that actually runs the backup.

Basic systemd service:

[Unit]
Description=Borg Backup

[Service]
Type=oneshot
User=borg
ExecStart=/usr/local/sbin/backup.sh

# capabilities
AmbientCapabilities=CAP_DAC_READ_SEARCH

This will run the backup script as the non-root user borg, but while running inside this service the script, and thus the borg binary it calls, has the CAP_DAC_READ_SEARCH capability.

CAP_DAC_READ_SEARCH gives you read-only access to all directories and all files, ignoring all other filesystem permissions.
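
A backup.sh that fits the unit above, added here as an example (it is not from the issue or from borg itself): it fails closed when CAP_DAC_READ_SEARCH is missing from the effective set, and when a cache or security directory already exists but is owned by someone else (typically a leftover from an earlier root run), so a misconfigured unit errors out instead of silently producing an incomplete archive or root-owned cache files. The repository path, the default directories and the `run` argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue or from borg): a backup.sh for the unit
# above that fails closed when the capability or directory ownership is wrong.
# Repo path and default directories are assumptions; adjust to your setup.
set -eu

CAP_DAC_READ_SEARCH=17   # capability bit number, from <linux/capability.h>

# has_cap_dac_read_search MASK: MASK is a CapEff value as shown in
# /proc/<pid>/status (16 hex digits). Succeeds if bit 17 is set.
has_cap_dac_read_search() {
    [ $(( (0x$1 >> CAP_DAC_READ_SEARCH) & 1 )) -eq 1 ]
}

# effective_cap_mask: CapEff of the current process (and so of this script).
effective_cap_mask() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# dir_ok DIR UID: succeeds if DIR is absent (borg will create it as us) or is
# owned by UID; fails on a leftover root-owned cache/security directory.
dir_ok() {
    [ ! -e "$1" ] || [ "$(stat -c %u "$1")" = "$2" ]
}

run_backup() {
    : "${BORG_CACHE_DIR:=$HOME/.cache/borg}"
    : "${BORG_SECURITY_DIR:=$HOME/.config/borg/security}"
    if ! has_cap_dac_read_search "$(effective_cap_mask)"; then
        echo "refusing to run: CAP_DAC_READ_SEARCH missing (unit lacks AmbientCapabilities, or run outside systemd?)" >&2
        exit 1
    fi
    for d in "$BORG_CACHE_DIR" "$BORG_SECURITY_DIR"; do
        if ! dir_ok "$d" "$(id -u)"; then
            echo "refusing to run: $d is not owned by uid $(id -u)" >&2
            exit 1
        fi
    done
    export BORG_CACHE_DIR BORG_SECURITY_DIR
    exec borg create --stats /srv/backups/repo::'{hostname}-{now}' /etc /home
}

# Use ExecStart=/usr/local/sbin/backup.sh run; without the argument the file
# only defines functions, so it can be sourced or tested.
if [ "${1:-}" = run ]; then run_backup; fi
```

Because a capability granted by systemd is not inherited by an interactive shell, running the script by hand as the borg user hits the first check, which is exactly the situation the issue describes.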

@ThomasWaldmann
Member

@stephan13360 can you check our docs if we already have something like that (iirc: no) and if not, make a PR against 1.4-maint branch? Guess that would help a lot of users.

@stephan13360
Contributor

#8114
