Storing [BORG_CACHE_DIR|BORG_SECURITY_DIR] files as a non-root user while being able to backup files owned by root?
Hello!
Have you checked borgbackup docs, FAQ, and open GitHub issues?
Honestly, no: I think this might be outside of Borg's scope (or not... ^^).
Is this a BUG / ISSUE report or a QUESTION?
Question.
Your borg version (borg -V).
borg-linuxold64 1.2.7 (standalone binary)
Operating system (distribution) and version.
OpenVZ 7 => ldd (GNU libc) 2.17 (yes, you read it right...)
Long story short 1
I would like to run Borg (create) as an unprivileged user (e.g. borg-backup => uid 6666).
But I also need Borg to back up files owned by root (--stdin-user USER might help but is not convenient).
Long story short 2
I need files present in [BORG_CACHE_DIR|BORG_SECURITY_DIR] to be owned by a non-root user (e.g. borg-backup).
But I also need to run Borg using a script executed by "root" or "borg-backup" (uid 6666).
Long story short 3
I tried "Setgid bit" (Borg binaries and tgz), tried "sudo -u borg-backup -- borg-linuxold64" and some other stupid things...
Is there a clean way to invoke Borg to store internal data (config/cache/security) as a normal user while being able to save some files owned by root?
Please, feel free to send me a RTFM and close this issue if I missed something.
Have a great night!
Borg does not do tricks concerning storing files as another user.
If you need to access files of multiple users, system files, etc., just run borg as root and it will work.
setuid only works for binaries (didn't try the pyinstaller-made binaries though).
There is also a method using capabilities, see the ticket about that.
I do exactly that using linux capabilities: https://man7.org/linux/man-pages/man7/capabilities.7.html
I add those via a systemd service that actually runs the backup.
Basic systemd service:
[Unit]
Description=Borg Backup
[Service]
Type=oneshot
User=borg
ExecStart=/usr/local/sbin/backup.sh
# capabilities
AmbientCapabilities=CAP_DAC_READ_SEARCH
This will run the backup script as the non-root user borg, but while running inside this service the script and thus the borg binary being called has the CAP_DAC_READ_SEARCH capability.
CAP_DAC_READ_SEARCH gives you read-only access to all directories and all files, ignoring all other filesystem permissions.
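An added check (not from the thread or the borg project) that a backup.sh started by a unit like the one above can run first: it decodes the CapAmb/CapEff masks in /proc/self/status and confirms CAP_DAC_READ_SEARCH (capability number 2 in capabilities(7)) is really present, and reports who owns the borg cache directory. It assumes Linux with /proc and a GNU stat; the BORG_CACHE_DIR default is only a placeholder.

```shell
#!/bin/sh
# Added example: verify the ambient-capability setup before calling borg.
CAP_DAC_READ_SEARCH=2   # capability number from capabilities(7)

# has_cap MASK_HEX CAPNUM -> exit 0 if bit CAPNUM is set in the 16-digit
# hex mask as printed in /proc/self/status. Only the low 32 bits are
# decoded, which covers capability numbers 0-31 (CAP_DAC_READ_SEARCH is 2).
has_cap() {
    low=${1#"${1%????????}"}          # last 8 hex digits = bits 0-31
    [ $(( (0x$low >> $2) & 1 )) -eq 1 ]
}

# cap_field NAME -> hex mask of that set (CapAmb, CapEff, ...) for this process
cap_field() {
    awk -v f="$1:" '$1 == f { print $2 }' /proc/self/status
}

# check_borg_caps -> exit 0 only if the capability is in both the ambient set
# (inherited across the exec of borg) and the effective set of this shell.
check_borg_caps() {
    rc=0
    for set in CapAmb CapEff; do
        mask=$(cap_field "$set")
        if has_cap "$mask" "$CAP_DAC_READ_SEARCH"; then
            echo "$set=$mask: CAP_DAC_READ_SEARCH present"
        else
            echo "$set=$mask: CAP_DAC_READ_SEARCH missing" >&2
            rc=1
        fi
    done
    return $rc
}

# Note for the reader: with this capability the borg user can read every
# file on the host (including /etc/shadow), so the unit file, backup.sh and
# the repository it writes to should be root-owned and not group/world-writable.
if [ -r /proc/self/status ]; then
    check_borg_caps || echo "refusing to run borg without CAP_DAC_READ_SEARCH" >&2
    cache="${BORG_CACHE_DIR:-/var/lib/borg/.cache/borg}"   # placeholder default
    [ -d "$cache" ] && echo "cache dir $cache owned by $(stat -c %U "$cache")"
fi
```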
@stephan13360 can you check our docs if we already have something like that (iirc: no) and if not, make a PR against 1.4-maint branch? Guess that would help a lot of users.
https://github.com/borgbackup/borg/pull/8114