mirror of
https://github.com/borgbackup/borg.git
synced 2025-02-28 00:36:33 +00:00
add non-root deployment strategy
parent
7074c0220b
commit
a06c42cf1f
2 changed files with 52 additions and 0 deletions
|
@ -14,3 +14,4 @@ This chapter details deployment strategies for the following scenarios.
|
|||
deployment/automated-local
|
||||
deployment/image-backup
|
||||
deployment/pull-backup
|
||||
deployment/non-root-user
|
||||
|
|
51
docs/deployment/non-root-user.rst
Normal file
|
@ -0,0 +1,51 @@
|
|||
.. include:: ../global.rst.inc
|
||||
.. highlight:: none
|
||||
.. _non_root_user:
|
||||
|
||||
================================
|
||||
Backing up using a non-root user
|
||||
================================
|
||||
|
||||
This section shows how to run borg as a non-root user and still be able to
|
||||
backup every file on the system.
|
||||
|
||||
Normally borg is run as the root user to bypass all filesystem permission and
|
||||
be able to read all files. But in theory this also allows borg to modify or
|
||||
delete files on you system, incase of a bug for example.
|
||||
|
||||
To remove this possible we can run borg as a non-root user and give it readonly
|
||||
permissions to all files on the system.
|
||||
|
||||
|
||||
Using linux capabilities inside a systemd service
|
||||
=================================================
|
||||
|
||||
One way to do so, is to use linux `capabilities
|
||||
<https://man7.org/linux/man-pages/man7/capabilities.7.html>`_ within a systemd
|
||||
service.
|
||||
|
||||
Linux capabilities allow us to give parts of the privileges the root user has to
|
||||
a non-root user. This works on a per-thread level and does not give the permission
|
||||
to the non-root user as a whole.
|
||||
|
||||
For this we need to run our backup script from a systemd service and use the `AmbientCapabilities
|
||||
<https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#AmbientCapabilities=>`_
|
||||
option added in systemd 229.
|
||||
|
||||
A very basic unit file would look like this:
|
||||
|
||||
::
|
||||
|
||||
[Unit]
|
||||
Description=Borg Backup
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
User=borg
|
||||
ExecStart=/usr/local/sbin/backup.sh
|
||||
|
||||
AmbientCapabilities=CAP_DAC_READ_SEARCH
|
||||
|
||||
The CAP_DAC_READ_SEARCH capability gives borg readonly access to all files and directories on the system.
|
||||
|
||||
This service can then be started manually using ``systemctl start`` or regularly with a systemd timer.
|
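Review bot: In the example unit's ``[Service]`` section, ``AmbientCapabilities=CAP_DAC_READ_SEARCH`` is set but nothing limits what the service can acquire beyond it, so the read-only property the introduction promises rests only on ``User=borg``. Consider adding ``CapabilityBoundingSet=CAP_DAC_READ_SEARCH`` and ``NoNewPrivileges=true`` beside it so that ``backup.sh`` and anything it executes cannot pick up further privileges through setuid or file-capability binaries. The sentence after the unit file would be more precise if it said that CAP_DAC_READ_SEARCH bypasses file read checks and directory read and search checks, rather than that it "gives borg readonly access". The introduction also needs a wording pass: "on you system, incase of a bug" should read "on your system, in case of a bug", and "To remove this possible" is missing its noun (for example "possibility").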