First of all, a big thank you to all the devs and contributors for this pretty amazing piece of software!
For various reasons, I would like to use restic in append-only mode (in case client gets compromised), with sftp only (no clone or restic server)
I have tried to run the sftp server with only the following commands whitelisted:
open,close,read,write,lstat,fstat,opendir,readdir,mkdir,realpath,stat,fsync,fsetstat,rename
And then I run the restic commands with –-no-lock (I understand I do not allow the delete permission necessary to delete the lock file).
I noticed the following:
restic snapshosts –-no-lock works with no error message
restic backup –-no-lock works, but unexpectedly complains about being unable to delete the lock file, with the following message:
processed 1 files, 0 B in 0:04
snapshot eaeff1c3 saved
Remove(<lock/53b3c4dea4>) failed: Remove /home/repo/locks/ea4b7162b7a2a139a2eca867c166f53b701: remove /home/repo/locks/ea4b7162b7a2a139a2eca867c166f53b701: permission denied
restic restore --no-lock works with no error message
On the side of the sftp server, for these 3 commands, I see a bunch of error messages, all explaining that restic is trying to use some non-whitelisted instructions.
So if I ignore the error message, it seems to all work fine.
Can someone explain to me why backup --no-lock still complain about not being able to delete the lock file?
Also, and most importantly, is this setup ok to use, or am I shooting myself in the foot in a subtle way?
Thanks!