Right now I’m mostly experimenting with this to learn how it works.
The patch below makes similar changes as PR 246 and 249 but also adds a few others.
This is currently just an experiment, so it’s not ready to become a PR.
On a Fedora CoreOS VM this worked:
- install rest-server binary to /var/usrlocal/bin/rest-server
  sudo mkdir /var/usrlocal/backups
  sudo chmod 700 /var/usrlocal/backups
  sudo chown www-data:www-data /var/usrlocal/backups
- Install /etc/systemd/system/rest-server.service and /etc/systemd/system/rest-server.socket (see the patch for rest-server.service below)
  sudo useradd test
  sudo machinectl shell test
  mkdir ~/mydata
  echo hello > ~/mydata/file.txt
  restic -r rest:http://127.0.0.1:8080 init
  restic -r rest:http://127.0.0.1:8080/ --verbose backup ~/mydata
  restic -r rest:http://127.0.0.1:8080/ --verbose snapshots
patch for rest-server.service
--- a/examples/systemd/rest-server.service
+++ b/examples/systemd/rest-server.service
@@ -5,15 +5,18 @@ After=network.target
# if you want to use socket activation, make sure to require the socket here
#Requires=rest-server.socket
+Requires=rest-server.socket
+After=rest-server.socket
[Service]
Type=simple
# You may prefer to use a different user or group on your system.
User=www-data
Group=www-data
-ExecStart=/usr/local/bin/rest-server --path /path/to/backups
+ExecStart=/bin/rest-server --path /backups --no-auth --debug
Restart=always
RestartSec=5
+RootDirectory=/var/usrlocal
# The following options are available (in systemd v247) to restrict the
# actions of the rest-server.
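Review bot: the new `ExecStart` line bakes `--no-auth --debug` into the shipped example unit, which switches HTTP authentication off for anyone who can reach the socket; that is fine for the experiment described above, but examples/systemd/rest-server.service should keep auth on and keep a placeholder like the original `--path /path/to/backups` rather than a concrete path. Two smaller points in the same hunk: the commented `#Requires=rest-server.socket` line and its "if you want to use socket activation" comment are left in place directly above the new uncommented `Requires=`/`After=` pair, so either drop them or reword the comment to say this unit now depends on the socket; and `/bin/rest-server` and `/backups` are resolved inside `RootDirectory=/var/usrlocal` (host /var/usrlocal/bin/rest-server and /var/usrlocal/backups, matching the install steps above), which deserves a comment next to `RootDirectory=` because a reader of the unit alone will look for /bin/rest-server on the host.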
@@ -25,10 +28,10 @@ RestartSec=5
# IMPORTANT!
# The following line must be customised to your individual requirements.
-ReadWritePaths=/path/to/backups
+ReadWritePaths=/var/usrlocal/backups
# Makes created files group-readable, but inaccessible by others
-UMask=027
+UMask=077
# If your system doesn't support all of the features below (e.g. because of
# the use of an older version of systemd), you may wish to comment-out
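Review bot: the comment above `UMask=077` still reads "Makes created files group-readable, but inaccessible by others", which described 027; with 077 the group loses access as well, so update the comment (e.g. "Makes created files accessible only to the service user") or keep 027 if group access to the repository is intended. Also `ReadWritePaths=/var/usrlocal/backups` is the host path of the directory that `--path /backups` names inside the RootDirectory; the two must refer to the same directory, so a comment tying them together would stop the example from drifting when someone changes only one of them.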
@@ -38,8 +41,12 @@ LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=yes
PrivateTmp=yes
+
+PrivateNetwork=yes
+
PrivateDevices=true
PrivateUsers=true
+ProcSubset=pid
ProtectSystem=strict
ProtectHome=yes
ProtectClock=true
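Review bot: `PrivateNetwork=yes` needs a comment saying it only works together with the `Requires=rest-server.socket` added earlier: the service gets an isolated network namespace, so the only reachable socket is the one systemd passes in from rest-server.socket, and anyone who copies this option into a unit without socket activation gets a server that binds inside an empty namespace and is unreachable. The blank lines added around it also break the one-option-per-line block style the rest of the file uses; drop them and keep `PrivateNetwork=yes` in alphabetical order next to `PrivateDevices=`/`PrivateTmp=`. `ProcSubset=pid` is fine as added, since `ProtectProc=invisible` is already present in the following context.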
@@ -51,13 +58,14 @@ ProtectProc=invisible
ProtectHostname=true
RemoveIPC=true
RestrictNamespaces=true
-RestrictAddressFamilies=AF_INET AF_INET6
+RestrictAddressFamilies=none
RestrictSUIDSGID=true
RestrictRealtime=true
# if your service crashes with "code=killed, status=31/SYS", you probably tried to run linux_i386 (32bit) binary on a amd64 host
SystemCallArchitectures=native
SystemCallFilter=@system-service
+SystemCallFilter=~@resources
+SystemCallFilter=~@privileged
# Additionally, you may wish to use some of the systemd options documented in
# systemd.resource-control(5) to limit the CPU, memory, file-system I/O and
# network I/O that the rest-server is permitted to consume according to the
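Review bot: `RestrictAddressFamilies=none` deserves a comment explaining why it does not break the server: the restriction applies to socket(2), and a socket-activated rest-server only ever accept(2)s on the descriptor inherited from rest-server.socket, so it never creates a socket of its own; without socket activation (which the original commented-out `#Requires` line allowed) this setting prevents the server from listening at all. For the two appended lines `SystemCallFilter=~@resources` and `SystemCallFilter=~@privileged`: they are deny-lists applied on top of the `@system-service` allow-list, and with the default error action a denied call terminates the process with exactly the "code=killed, status=31/SYS" that the comment a few lines up attributes to a 32-bit binary, so that comment should mention the deny-lists as a second cause, and `SystemCallErrorNumber=EPERM` (or `SystemCallLog=` to see which call hit) is useful while testing this change.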
Result: It seems to work.
The output from the last command was
enter password for repository:
repository 085b1e3b opened (version 2, compression level auto)
ID Time Host Tags Paths
-----------------------------------------------------------------------------------------
26d74fdf 2023-07-18 07:36:53 localhost.localdomain /var/home/test/mydata
-----------------------------------------------------------------------------------------
1 snapshots
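The hardened unit above only works because rest-server never creates its listening socket itself: with Requires=rest-server.socket, systemd binds 127.0.0.1:8080 and hands the already-bound socket to the service as file descriptor 3, so PrivateNetwork=yes and RestrictAddressFamilies=none can both be on while the service still serves the restic commands shown. As an added illustration of that daemon-side contract (example code written for this note, not rest-server's own code, and it does not implement the REST backend), here is a small Go server that honours the sd_listen_fds(3) environment (LISTEN_PID, LISTEN_FDS, LISTEN_FDNAMES) and falls back to binding an address itself when it is not socket-activated; the helper names and the fallback address are my own choices.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"os"
	"strconv"
	"strings"
	"time"
)

// sdListenFdsStart is the first descriptor systemd passes to a socket-activated
// service (0, 1 and 2 are stdio); same value as SD_LISTEN_FDS_START.
const sdListenFdsStart = 3

// activatedFDs is what the sd_listen_fds(3) environment describes.
type activatedFDs struct {
	fds   []int    // descriptor numbers: sdListenFdsStart, sdListenFdsStart+1, ...
	names []string // from LISTEN_FDNAMES; nil when the variable is unset
}

// parseListenFDs (hypothetical helper) implements the sd_listen_fds(3) contract
// on a caller-supplied environment and pid so it can be tested without systemd:
// LISTEN_PID must equal our pid, LISTEN_FDS is the count, and LISTEN_FDNAMES is
// an optional colon-separated list with one entry per descriptor.
func parseListenFDs(env map[string]string, pid int) (activatedFDs, error) {
	var out activatedFDs
	pidStr, ok := env["LISTEN_PID"]
	if !ok {
		return out, nil // not socket-activated
	}
	p, err := strconv.Atoi(pidStr)
	if err != nil {
		return out, fmt.Errorf("bad LISTEN_PID %q: %w", pidStr, err)
	}
	if p != pid {
		// The descriptors were meant for another process (e.g. a parent that
		// did not unset the variables); treat them as absent.
		return out, nil
	}
	n, err := strconv.Atoi(env["LISTEN_FDS"])
	if err != nil || n < 0 {
		return out, fmt.Errorf("bad LISTEN_FDS %q", env["LISTEN_FDS"])
	}
	if names := env["LISTEN_FDNAMES"]; names != "" {
		out.names = strings.Split(names, ":")
		if len(out.names) != n {
			return out, errors.New("LISTEN_FDNAMES count differs from LISTEN_FDS")
		}
	}
	for i := 0; i < n; i++ {
		out.fds = append(out.fds, sdListenFdsStart+i)
	}
	return out, nil
}

// listenerFromEnv returns a listener on the single activated socket or, when the
// process was not activated, binds fallbackAddr itself; the bool reports which
// path was taken. Under PrivateNetwork=yes the fallback would bind inside the
// service's empty network namespace, and under RestrictAddressFamilies=none the
// socket(2) behind net.Listen is refused, so in the hardened unit only the
// activated path (which just accept(2)s on an inherited descriptor) can serve.
func listenerFromEnv(env map[string]string, pid int, fallbackAddr string) (net.Listener, bool, error) {
	act, err := parseListenFDs(env, pid)
	if err != nil {
		return nil, false, err
	}
	if len(act.fds) == 0 {
		l, err := net.Listen("tcp", fallbackAddr)
		return l, false, err
	}
	if len(act.fds) != 1 {
		return nil, true, fmt.Errorf("expected exactly one activated socket, got %d", len(act.fds))
	}
	f := os.NewFile(uintptr(act.fds[0]), "systemd-activated-socket")
	l, err := net.FileListener(f) // no new socket is created here
	f.Close()                     // FileListener dup()s the descriptor
	return l, true, err
}

// envMap turns os.Environ()-style "KEY=value" strings into a map.
func envMap(environ []string) map[string]string {
	m := make(map[string]string, len(environ))
	for _, kv := range environ {
		if k, v, ok := strings.Cut(kv, "="); ok {
			m[k] = v
		}
	}
	return m
}

func main() {
	// Fallback address chosen to match the restic URL used above (an assumption).
	l, activated, err := listenerFromEnv(envMap(os.Environ()), os.Getpid(), "127.0.0.1:8080")
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot listen:", err)
		os.Exit(1)
	}
	fmt.Fprintf(os.Stderr, "serving on %s (socket-activated: %v)\n", l.Addr(), activated)
	srv := &http.Server{ReadHeaderTimeout: 5 * time.Second}
	srv.Handler = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, "ok") // stand-in for the real REST handlers
	})
	if err := srv.Serve(l); err != nil && !errors.Is(err, http.ErrServerClosed) {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Run under a `.socket` unit and the process never calls socket(2), which is what lets the deny-everything `RestrictAddressFamilies=none` and `PrivateNetwork=yes` settings coexist with a reachable service; run it by hand and it takes the fallback path, which those same settings would refuse.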