Backing up privileged files

Having now got all my backups for my media files on my NAS sorted, I’m now trying to do a restic backup from my local desktop to my NAS and I want to make sure all my config files in /etc are backed up. The easiest way to do this seems to be to run restic using sudo. Are there any implications to having root controlled files in the repo?

This seems to be best answered with this: http://restic.readthedocs.io/en/stable/design.html#threat-model

There are two different things at play here:

  • Saving files only available to root, like /etc/shadow. That must be achieved by running restic as root (or give it appropriate capabilities), there’s no way around it.
  • Creating new files within a repo as a different user, which may become an issue when you run other restic commands as a different user. For example, if you run restic mount as a normal user, it may happen that this user is not allowed to read a file in the repo created by root. That probably won’t work.

So, there’s no good solution for a local repo. I’m leaning towards running all restic commands as root, because otherwise an unprivileged user can read data from the repo, which includes privileged files (like the shadow file); this may lead to privilege escalation.

@fd0 I’ve been running backups as root, but when restoring that creates some issues.

The restore job has to be run as root, which means that all of the files that it restores will be created with the root user as the owner, not the owner of the original file.
This is a bit of an issue, and I haven’t figured out a good solution to this other than manually chown-ing all of the restored directories, which is rather inconvenient and sometimes causes issues when the original owners of files are all over the place.

Have you actually tried this? Ownership and permission information is included in the snapshot (in the tree objects, to be precise) and this information should be preserved when performing a restore.

The problem I found is that the permissions are set only at the end of the restore. If for some reason the restore is aborted the permissions and ownership are not set.

Wouldn’t it make sense to add a hint about restore in the “Backing up your system without running restic as root” docs page? With using a restic user, I get user/group restored only with sudo setcap "cap_dac_override+ep cap_chown+ep" <path_to_restic>.

For the record: restic also restores permissions (except a file only readable by root gets read/write), and it restores timestamps - except if you restore a single file, in that case it seems to use the current time.

restic 0.9.6 (v0.9.6-160-gf033850a) compiled with go1.13.5 on linux/amd64
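
The restore problems raised in this thread (owner and group not restored without root or the capabilities mentioned above, metadata left unset when a restore is aborted) can be caught by comparing owner, group and mode between the source tree and a test restore. The script below is an added example, not part of any post here and not restic's own code; it assumes GNU find and stat, and `meta_list` and `ownership_diff` are hypothetical names.

```shell
#!/bin/sh
# Added example, not restic code. Assumes GNU find/stat (Linux) and path names
# without tabs or newlines. Function names are hypothetical.

# meta_list DIR: print "path<TAB>uid:gid:mode" for every entry below DIR.
# stat is not given -L, so symlinks are reported as themselves.
meta_list() {
    ( cd "$1" && find . -exec stat --printf '%n\t%u:%g:%a\n' {} + )
}

# ownership_diff ORIG RESTORED: print one line per path whose owner, group or
# mode differs, or that exists on only one side.
# Returns 0 if all metadata matches, 1 on differences, 2 on usage errors.
ownership_diff() {
    [ -d "$1" ] && [ -d "$2" ] || { echo "usage: ownership_diff ORIG RESTORED" >&2; return 2; }
    od_orig=$(mktemp) || return 2
    od_rest=$(mktemp) || { rm -f "$od_orig"; return 2; }
    meta_list "$1" > "$od_orig"
    meta_list "$2" > "$od_rest"
    od_out=$(awk -F '\t' '
        NR == FNR { want[$1] = $2; next }      # first file: original tree
        {
            seen[$1] = 1
            if (!($1 in want))       print "extra\t" $1 "\t" $2
            else if (want[$1] != $2) print "mismatch\t" $1 "\texpected " want[$1] "\tgot " $2
        }
        END { for (p in want) if (!(p in seen)) print "missing\t" p "\t" want[p] }
    ' "$od_orig" "$od_rest")
    rm -f "$od_orig" "$od_rest"
    if [ -n "$od_out" ]; then
        printf '%s\n' "$od_out"
        return 1
    fi
    return 0
}
```

Run it with enough privilege to stat both trees, passing the original directory and its restored copy; a non-zero exit status means the restore did not reproduce the original metadata.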