
Clarification on using restic/resticprofile as user versus administrator?

Open rhstanton opened this issue 5 months ago • 4 comments

This is not really an issue, rather a question I haven't been able to answer for myself from the documentation. Please do redirect me if there's a more appropriate forum for this discussion.

My default resticprofile profile just backs up stuff in my home directory to the cloud. I run it, and also schedule it to run automatically, from the command line using resticprofile (not sudo resticprofile).

Now I want to use resticprofile to back up the entire hard drive of my Ubuntu machine to an external disk in case I ever need to reinstall. So the target directory is now / instead of /home/users/stanton. As a regular user, I don't have access to quite a few of these files, so what's the best way to handle creating/running a profile to do this? For example,

  1. Do I need to run resticprofile via sudo? Or is there a way to run resticprofile as usual, but telling it to run restic via sudo (or some other way to get resticprofile to do what I want without needing to use sudo)?

  2. Same question, but this time for scheduling the full backup to happen at predetermined times.

  3. If I do need to run resticprofile via sudo, how do I get resticprofile to read the default profiles.toml file in ~/.config/resticprofile? I've tried adding HOME to /etc/sudoers, but this has the downside that after I've run restic via sudo, the next time I run as a simple user, it complains about cache files that it doesn't have permission to access.

Thanks very much for any suggestions, and if all of this is out there somewhere and I've missed it, please just point me in the right direction.

Best,

Richard

rhstanton avatar Jun 13 '25 17:06 rhstanton

I do run resticprofile (and restic) as root when I need to. By that I mean manually via sudo, and also as a systemd schedule.

Now, technically, there are ways to avoid it but I never managed to get it working. It's explained in the restic documentation: https://restic.readthedocs.io/en/stable/080_examples.html#backing-up-your-system-without-running-restic-as-root

I'd be very interested if you manage to get it working (for me, and for the resticprofile documentation) 👍🏻

creativeprojects avatar Jun 13 '25 19:06 creativeprojects

I'll see what I can find out. Since I'm backing up everything, it's easy enough to achieve using sudo restic (without using resticprofile at all), but it does seem more elegant to have everything in my profiles.toml file. And I do like the idea of scheduling repeated backups using resticprofile instead of doing it manually.

rhstanton avatar Jun 14 '25 00:06 rhstanton

I followed something similar to the instructions at the link you sent (though without creating a new user), giving the restic executable the right to read all files, and making it executable only by me:

sudo chown root:stanton /usr/bin/restic
sudo chmod 750 /usr/bin/restic
sudo setcap cap_dac_read_search=+ep /usr/bin/restic

Now when I run restic -r /mnt/backup backup / (no sudo, and I do exclude some directories), it seems to successfully back up all files, including system files.

That'll do for me, since I can now run everything from my user account.

(Note: this is with Ubuntu. macOS doesn't seem to have the setcap command)

rhstanton avatar Jun 14 '25 05:06 rhstanton
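
Added example, not part of the thread and not restic or resticprofile code: a shell check for the setup in the comment above, confirming that the binary is owned by root, grants nothing to other users, and still carries cap_dac_read_search. File capabilities are stored in an extended attribute on the file, so they are gone once the binary is replaced, for example by a package upgrade. The function names are assumptions, and `stat -c` is the GNU coreutils form found on Ubuntu.

```shell
#!/bin/sh
# Added example: audit a restic binary that was given cap_dac_read_search.

# check_restic_binary OWNER GROUP MODE GETCAP_OUTPUT WANT_GROUP
# Pure check on already-collected values. Prints one finding per line
# and returns 1 if anything is off, 0 if the setup matches the thread.
check_restic_binary() {
    owner=$1; group=$2; mode=$3; caps=$4; want_group=$5
    rc=0
    [ "$owner" = root ] || { echo "owner is '$owner', expected root"; rc=1; }
    [ "$group" = "$want_group" ] ||
        { echo "group is '$group', expected '$want_group'"; rc=1; }
    # The last octal digit holds the permissions for "other". It must be 0:
    # anyone able to run this binary can read every file on the system.
    case $mode in
        *0) ;;
        *) echo "mode $mode gives other users access to the binary"; rc=1 ;;
    esac
    # getcap prints nothing when the capability attribute is missing.
    case $caps in
        *cap_dac_read_search*) ;;
        *) echo "cap_dac_read_search is not set"; rc=1 ;;
    esac
    return $rc
}

# audit_restic [BINARY] [GROUP]
# Collects the live values with stat and getcap, then runs the check.
# Defaults: /usr/bin/restic and the caller's primary group.
audit_restic() {
    bin=${1:-/usr/bin/restic}
    want_group=${2:-$(id -gn)}
    info=$(stat -c '%U %G %a' "$bin") || return 2
    set -- $info
    check_restic_binary "$1" "$2" "$3" "$(getcap "$bin" 2>/dev/null)" "$want_group"
}
```

Running `audit_restic /usr/bin/restic stanton` before a scheduled backup, and stopping on a non-zero status, catches a binary that has lost its capability or had its permissions widened.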

As it turns out, it totally works! I have no idea what I've done wrong when I tried before 🤷🏻

You don't need to give the special permission or run resticprofile as root. You just need to start resticprofile with the same user that has the read privileges granted to the restic binary.

It wouldn't work if you were to use a wildcard in the source path, like /source/root-* and maybe that's what I had wrong when I tried 🤔

creativeprojects avatar Jun 14 '25 17:06 creativeprojects