From 96ae9f73ebf25ae6740efb508ec4aaec242ecd17 Mon Sep 17 00:00:00 2001 From: Stephan Herbers Date: Wed, 21 Feb 2024 13:00:27 +0100 Subject: [PATCH] Apply suggestions from code review Co-authored-by: NetSysFire <59517351+NetSysFire@users.noreply.github.com> --- docs/deployment/non-root-user.rst | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/deployment/non-root-user.rst b/docs/deployment/non-root-user.rst index 824cf6c1..7c269aeb 100644 --- a/docs/deployment/non-root-user.rst +++ b/docs/deployment/non-root-user.rst @@ -6,18 +6,18 @@ Backing up using a non-root user ================================ -This section shows how to run borg as a non-root user and still be able to +This section describes how to run borg as a non-root user and still be able to backup every file on the system. -Normally borg is run as the root user to bypass all filesystem permission and +Normally borg is run as the root user to bypass all filesystem permissions and be able to read all files. But in theory this also allows borg to modify or -delete files on you system, incase of a bug for example. +delete files on your system, in case of a bug for example. -To remove this possible we can run borg as a non-root user and give it readonly +To eliminate this possibility, we can run borg as a non-root user and give it read-only permissions to all files on the system. -Using linux capabilities inside a systemd service +Using Linux capabilities inside a systemd service ================================================= One way to do so, is to use linux `capabilities @@ -46,6 +46,6 @@ A very basic unit file would look like this: AmbientCapabilities=CAP_DAC_READ_SEARCH -The CAP_DAC_READ_SEARCH capability gives borg readonly access to all files and directories on the system. +The ``CAP_DAC_READ_SEARCH`` capability gives borg read-only access to all files and directories on the system. -This service can then be started manually using ``systemctl start`` or regularly with a systemd timer. +This service can then be started manually using ``systemctl start``, a systemd timer or other methods.