mirror
/
borg
mirror of https://github.com/borgbackup/borg.git
1
0
Fork 0
Code Issues Releases Wiki Activity

add non-root deployment strategy

This commit is contained in:
Stephan Herbers 2024-02-21 12:25:48 +01:00
parent 7074c0220b
commit a06c42cf1f
2 changed files with 52 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
docs/deployment.rst
View File

@ -14,3 +14,4 @@ This chapter details deployment strategies for the following scenarios.
deployment/automated-local
deployment/image-backup
deployment/pull-backup
deployment/non-root-user

51
docs/deployment/non-root-user.rst Normal file
View File

@ -0,0 +1,51 @@
.. include:: ../global.rst.inc
.. highlight:: none
.. _non_root_user:
================================
Backing up using a non-root user
================================
This section shows how to run borg as a non-root user and still be able to
backup every file on the system.
Normally borg is run as the root user to bypass all filesystem permission and
be able to read all files. But in theory this also allows borg to modify or
delete files on you system, incase of a bug for example.
To remove this possible we can run borg as a non-root user and give it readonly
permissions to all files on the system.
Using linux capabilities inside a systemd service
=================================================
One way to do so, is to use linux `capabilities
<https://man7.org/linux/man-pages/man7/capabilities.7.html>`_ within a systemd
service.
Linux capabilities allow us to give parts of the privileges the root user has to
a non-root user. This works on a per-thread level and does not give the permission
to the non-root user as a whole.
For this we need to run our backup script from a systemd service and use the `AmbientCapabilities
<https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#AmbientCapabilities=>`_
option added in systemd 229.
A very basic unit file would look like this:
::
[Unit]
Description=Borg Backup
[Service]
Type=oneshot
User=borg
ExecStart=/usr/local/sbin/backup.sh
AmbientCapabilities=CAP_DAC_READ_SEARCH
The CAP_DAC_READ_SEARCH capability gives borg readonly access to all files and directories on the system.
This service can then be started manually using ``systemctl start`` or regularly with a systemd timer.