borg/docs/deployment/non-root-user.rst

.. include:: ../global.rst.inc
.. highlight:: none
.. _non_root_user:

================================
Backing up using a non-root user
================================

This section describes how to run borg as a non-root user and still be able to
backup every file on the system.

Normally borg is run as the root user to bypass all filesystem permissions and
be able to read all files. But in theory this also allows borg to modify or
delete files on your system, in case of a bug for example.

To eliminate this possibility, we can run borg as a non-root user and give it read-only
permissions to all files on the system.


Using Linux capabilities inside a systemd service
=================================================

One way to do so, is to use linux `capabilities
<https://man7.org/linux/man-pages/man7/capabilities.7.html>`_ within a systemd
service.

Linux capabilities allow us to give parts of the privileges the root user has to
a non-root user. This works on a per-thread level and does not give the permission
to the non-root user as a whole.

For this we need to run our backup script from a systemd service and use the `AmbientCapabilities
<https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#AmbientCapabilities=>`_
option added in systemd 229.

A very basic unit file would look like this:

::

    [Unit]
    Description=Borg Backup

    [Service]
    Type=oneshot
    User=borg
    ExecStart=/usr/local/sbin/backup.sh

    AmbientCapabilities=CAP_DAC_READ_SEARCH

The ``CAP_DAC_READ_SEARCH`` capability gives borg read-only access to all files and directories on the system.

This service can then be started manually using ``systemctl start``, a systemd timer or other methods.
add non-root deployment strategy 2024-02-21 11:25:48 +00:00			`.. include:: ../global.rst.inc`
			`.. highlight:: none`
			`.. _non_root_user:`

			`================================`
			`Backing up using a non-root user`
			`================================`

Apply suggestions from code review Co-authored-by: NetSysFire <59517351+NetSysFire@users.noreply.github.com> 2024-02-21 12:00:27 +00:00			`This section describes how to run borg as a non-root user and still be able to`
add non-root deployment strategy 2024-02-21 11:25:48 +00:00			`backup every file on the system.`

Apply suggestions from code review Co-authored-by: NetSysFire <59517351+NetSysFire@users.noreply.github.com> 2024-02-21 12:00:27 +00:00			`Normally borg is run as the root user to bypass all filesystem permissions and`
add non-root deployment strategy 2024-02-21 11:25:48 +00:00			`be able to read all files. But in theory this also allows borg to modify or`
Apply suggestions from code review Co-authored-by: NetSysFire <59517351+NetSysFire@users.noreply.github.com> 2024-02-21 12:00:27 +00:00			`delete files on your system, in case of a bug for example.`
add non-root deployment strategy 2024-02-21 11:25:48 +00:00
Apply suggestions from code review Co-authored-by: NetSysFire <59517351+NetSysFire@users.noreply.github.com> 2024-02-21 12:00:27 +00:00			`To eliminate this possibility, we can run borg as a non-root user and give it read-only`
add non-root deployment strategy 2024-02-21 11:25:48 +00:00			`permissions to all files on the system.`


Apply suggestions from code review Co-authored-by: NetSysFire <59517351+NetSysFire@users.noreply.github.com> 2024-02-21 12:00:27 +00:00			`Using Linux capabilities inside a systemd service`
add non-root deployment strategy 2024-02-21 11:25:48 +00:00			`=================================================`

			One way to do so, is to use linux `capabilities
			<https://man7.org/linux/man-pages/man7/capabilities.7.html>`_ within a systemd
			`service.`

			`Linux capabilities allow us to give parts of the privileges the root user has to`
			`a non-root user. This works on a per-thread level and does not give the permission`
			`to the non-root user as a whole.`

			For this we need to run our backup script from a systemd service and use the `AmbientCapabilities
			<https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#AmbientCapabilities=>`_
			`option added in systemd 229.`

			`A very basic unit file would look like this:`

			`::`

			`[Unit]`
			`Description=Borg Backup`

			`[Service]`
			`Type=oneshot`
			`User=borg`
			`ExecStart=/usr/local/sbin/backup.sh`

			`AmbientCapabilities=CAP_DAC_READ_SEARCH`

Apply suggestions from code review Co-authored-by: NetSysFire <59517351+NetSysFire@users.noreply.github.com> 2024-02-21 12:00:27 +00:00			The ``CAP_DAC_READ_SEARCH`` capability gives borg read-only access to all files and directories on the system.
add non-root deployment strategy 2024-02-21 11:25:48 +00:00
Apply suggestions from code review Co-authored-by: NetSysFire <59517351+NetSysFire@users.noreply.github.com> 2024-02-21 12:00:27 +00:00			This service can then be started manually using ``systemctl start``, a systemd timer or other methods.