Execution as unprivileged users to perform a complete backup in conflict with Linux permissions

Hey, thank you Restic founder to welcome me as member of that community. As part of my initiation to a project related to Restic that I assigned to myself, I attempted to achieve a complete backup of a Linux Fedora system as an unprivileged user –named citser– to an external local drive. My inspiration had its source in section Backing up your system without running restic as root.

Involved external drive aimed to receive the backup has those capabilities:

$ mount | fgrep /run/media/$USER
/dev/mapper/luks-70ede6de-2bdb-433a-8ee4-f97cd4ef711a on /run/media/yk/ULKO type ext4 (rw,nosuid,nodev,relatime,seclabel,uhelper=udisks2)

Here is how I proceeded to get the binary:

$ go version
go version go1.12.7 linux/amd64
# sudo su && export GOOS=linux GOARCH=amd64 go build; go env
# useradd -m citser -p password; mkdir -p ~citser/{bin,restic}; cd ~citser/restic/; git clone https://github.com/restic/restic.git .
# chown citser:citser ../{bin,restic}/; chmod 750 ../{bin,restic}/; chmod +x build.go
# go run -mod=vendor build.go -o ../bin/restic
# cd ../bin/; chown root:citser restic ; chmod 750 restic

At the present state, binary restic is expected to have adequate permissions set, since instructions from the documentation have been observed:

# setcap cap_dac_read_search=+ep restic
# export RESTIC_REPOSITORY=/run/media/U/USB/Fedora/ RESTIC_PASSWORD=password
# restic init && cd /run/media/U/USB/
# chown -R root:citser Fedora/; chmod -R 770 Fedora/;ls -l Fedora/; exit
[...]
-rwxrwx---.   1 root citser  155 20. 8. 13:07 config
drwxrwx---. 258 root citser 4096 20. 8. 13:07 data
drwxrwx---.   2 root citser 4096 20. 8. 13:07 index
drwxrwx---.   2 root citser 4096 20. 8. 13:07 keys
drwxrwx---.   2 root citser 4096 20. 8. 13:07 locks
drwxrwx---.   2 root citser 4096 20. 8. 13:07 snapshots

Unprivileged user is expected to have enough access permissions in order to complete a backup:

$ su - citser
$ export RESTIC_REPOSITORY=/run/media/U/USB/Fedora/ RESTIC_PASSWORD=password; cd ~/bin/
$ restic --exclude={/dev,/media,/mnt,/proc,/run,/sys,/tmp,/var/tmp,$RESTIC_REPOSITORY} backup /
Fatal: unable to open repo at /run/media/U/USB/Fedora/: ReadDir: open /run/media/U/USB/Fedora/keys: permission denied

I must lack knowledge to interpret the STDERR. since I was unable to conceive a way to improve the troubleshooting I was performing. Such a report might not be eligible as a proper discussion, since I might have misconceived a critical procedure. An advice from a Restic veteran would be much appreciated.

As this is a Fedora system, SELinux is propably enabled. Can you please setenforce 0 and try again, just to make sure it’s not related to SELinux?

Hey, good intuition; indeed SELinux is enabled.

$ sestatus -v | sed -n '1p;5,8p'
SELinux status:                 enabled
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
# setenforce 0; sestatus -v | sed -n '1p;5p'
SELinux status:                 enabled
Current mode:                   permissive

SELinux is then not involved in current state despite of having been set to Permissive mode as current error message is reproduced. Unexpectedly attempts to access backup directory ares also denied

[citser@localhost bin]$ restic --exclude={/dev,/media,/mnt,/proc,/run,/sys,/tmp,/var/tmp,$RESTIC_REPOSITORY} backup /
Fatal: unable to open repo at /run/media/yk/USB/Fedora/: ReadDir: open /run/media/yk/USB/Fedora/keys: permission denied
$ ls -l /run/media/yk/USB/Fedora/
ls: cannot access '/run/media/yk/USB/Fedora/': Permission denied

Can you try running restic with strace, so we can see what’s going on? I don’t know if/how capabilities work if strace is involved…

Current service’s interface seems to be lacking a way to upload a file resulting from execution of that command:

[citser@localhost bin]$ strace restic --exclude={/dev,/media,/mnt,/proc,/run,/sys,/tmp,/var/tmp,$RESTIC_REPOSITORY} backup / 2>non-root_restic

The error from ls indicates that the user is missing permission on the repo directory itself. You haven’t shown us those permissions, only the permissions on its contents. What does this command say?

ls -ld /run/media/yk/USB/Fedora

Hey. Expressions /yk/ were aimed to be replaced for publication by /U/; some have been omitted. In previous command I used option -R –operate recursively–; as expected, owner, group and permissions are according to that command:

# ls -ld /run/media/U/USB/Fedora/
drwxrwx---. 7 root citser 4096 21. 8. 11:48 /run/media/yk/USB/Fedora

It’s a long shot, but is the user actually in the group with the same name? Can you show us the output of these two commands as citser?

ls -l /run/media/U/USB/Fedora/
id

Other than ACLs or SELinux, I can’t think of what would cause this kind of error unless the filesystem driver has something to do with it, for example NFS or sshfs and the remote is what’s raising the error.

It seems to me that binary created is not expected to be as statically linked.

$ file -b /home/citser/bin/restic 
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=7_rvHi_Ik-ahbllgZ6j2/fLeOTVZd5StOPjbCAtC8/mLQxYmwCgo6S5QteYWpG/993eTl1V4iTSB4xlJfsy, stripped

[citser@localhost ~]$ ls -l /run/media/U/USB/Fedora/
ls: cannot access '/run/media/U/USB/Fedora/': Permission denied
$ id
uid=1001(citser) gid=1001(citser) groups=1001(citser) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

That’s not true. Go binaries are typically statically-linked.

I’m out of ideas then. There’s something else going on here because the permissions appear to be correctly set. What type of filesystem is /run/media/U/USB/Fedora/ and is it local to the machine where restic is running?

What makes you think the binary is not statically linked? It looks like file explicitly told you that: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked.

If you run ldd on it you should see the following:

$ ldd restic
not a dynamic executable

I don’t think this is causing your problem. It still feels to me that this is not a bug or issue within restic

A couple of more things come to my mind:

• Who mounted the USB drive? Did that component (if it was automatically mounted) maybe set up some ACL so that only the user currently logged in can access it?
• Try ls again for the parent directories of the path as user citser, when you can list a directory, have a look at the ACL of the subdir that you cannot list (using getfacl)

External drive was not mounted manually which would mean it was mounted automatically. I am not aware of a command that would produce such information. Non-root user is able to list using lsfrom /run/media/ and above, then up to /, but none of /run/media/sub-directories.

[citser@localhost ~]$ getfacl /run/media/yk/
getfacl: Removing leading '/' from absolute path names
# file: run/media/yk/
# owner: root
# group: root
user::rwx
user:yk:r-x
group::---
mask::r-x
other::---
[root@localhost yk]# getfacl /run/media/yk/USB/Fedora/keys/
getfacl: Removing leading '/' from absolute path names
# file: run/media/yk/USB/Fedora/keys/
# owner: root
# group: citser
user::rwx
group::rwx
other::---

I wish I could send an output from strace [...]

It is worth seeking exclusively from man-pages:

$ lsblk -o name,path,maj:min,fstype,mountpoint,pttype,ro,rm,hotplug,size,owner,group,tran,mode
NAME            PATH                    MAJ:MIN FSTYPE      MOUNTPOINT              PTTYPE RO RM HOTPLUG   SIZE OWNER GROUP TRAN   MODE
[...]
sdc             /dev/sdc                  8:32                                      dos     0  0       1 465,8G             usb    brw-rw----
└─sdc1          /dev/sdc1                 8:33  ext4        /run/media/yk/USB       dos     0  0       1 465,8G                    brw-rw----

strace required write permission to perform file creation in /home/citser/bin/.
` chmod g+w /home/citser/bin/

Here is a sample of non-root_restic. Repetitions of sequence of patterns are mentioned as

[...]
"
<sequences-of-patterns>
"

execve("/usr/bin/restic", ["restic", "--exclude=/dev", "--exclude=/media", "--exclude=/mnt", "--exclude=/proc", "--exclude=/run", "--exclude=/sys", "--exclude=/tmp", "--exclude=/var/tmp", "--exclude=/run/media/yk/USB/Fedo"..., "backup", "/"], 0x7ffdfbc0e378 /* 35 vars */) = 0
brk(NULL)                               = 0x55563969d000
arch_prctl(0x3001 /* ARCH_??? */, 0x7ffdc2f6ecf0) = -1 EINVAL (Virheellinen argumentti)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (Tiedostoa tai hakemistoa ei ole)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=98939, ...}) = 0
mmap(NULL, 98939, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f0c75315000
close(3)                                = 0
openat(AT_FDCWD, "/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20r\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=830752, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0c75313000
lseek(3, 808, SEEK_SET)                 = 808
read(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32) = 32
mmap(NULL, 132288, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f0c752f2000
mmap(0x7f0c752f8000, 61440, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7f0c752f8000
mmap(0x7f0c75307000, 24576, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x7f0c75307000
mmap(0x7f0c7530d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1a000) = 0x7f0c7530d000
mmap(0x7f0c7530f000, 13504, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f0c7530f000
close(3)                                = 0
openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@@\2\0\0\0\0\0"..., 832) = 832
lseek(3, 792, SEEK_SET)                 = 792
read(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\304\206x\335gRZ\226\217\200\373\365y >{"..., 68) = 68
fstat(3, {st_mode=S_IFREG|0755, st_size=6699224, ...}) = 0
lseek(3, 792, SEEK_SET)                 = 792
read(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\304\206x\335gRZ\226\217\200\373\365y >{"..., 68) = 68
lseek(3, 864, SEEK_SET)                 = 864
read(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32) = 32
mmap(NULL, 1857568, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f0c7512c000
mprotect(0x7f0c7514e000, 1679360, PROT_NONE) = 0
mmap(0x7f0c7514e000, 1363968, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x22000) = 0x7f0c7514e000
mmap(0x7f0c7529b000, 311296, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16f000) = 0x7f0c7529b000
mmap(0x7f0c752e8000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1bb000) = 0x7f0c752e8000
mmap(0x7f0c752ee000, 14368, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f0c752ee000
close(3)                                = 0
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0c75129000
arch_prctl(ARCH_SET_FS, 0x7f0c75129740) = 0
mprotect(0x7f0c752e8000, 16384, PROT_READ) = 0
mprotect(0x7f0c7530d000, 4096, PROT_READ) = 0
mprotect(0x555637b4e000, 8331264, PROT_READ) = 0
mprotect(0x7f0c75358000, 4096, PROT_READ) = 0
munmap(0x7f0c75315000, 98939)           = 0
set_tid_address(0x7f0c75129a10)         = 2657
set_robust_list(0x7f0c75129a20, 24)     = 0
rt_sigaction(SIGRTMIN, {sa_handler=0x7f0c752f8c50, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f0c75304e80}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=0x7f0c752f8cf0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f0c75304e80}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
brk(NULL)                               = 0x55563969d000
brk(0x5556396be000)                     = 0x5556396be000
brk(NULL)                               = 0x5556396be000
sched_getaffinity(0, 8192, [0, 1])      = 8
mmap(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0c750e9000
mmap(0xc000000000, 67108864, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xc000000000
mmap(0xc000000000, 67108864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xc000000000
mmap(NULL, 33554432, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0c730e9000
mmap(NULL, 2164736, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0c72ed8000
mmap(NULL, 65536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0c7531e000
clock_gettime(CLOCK_MONOTONIC, {tv_sec=2640, tv_nsec=537022778}) = 0
mmap(NULL, 65536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0c72ec8000
clock_gettime(CLOCK_MONOTONIC, {tv_sec=2640, tv_nsec=537177758}) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=2640, tv_nsec=537234539}) = 0
rt_sigprocmask(SIG_SETMASK, NULL, [], 8) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=2640, tv_nsec=537633757}) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=2640, tv_nsec=537690609}) = 0
sigaltstack(NULL, {ss_sp=NULL, ss_flags=SS_DISABLE, ss_size=0}) = 0
sigaltstack({ss_sp=0xc000002000, ss_flags=0, ss_size=32768}, NULL) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
gettid()                                = 2657
rt_sigaction(SIGHUP, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGHUP, {sa_handler=0x55563739d720, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f0c75304e80}, NULL, 8) = 0
[...]
"
rt_sigaction(SIGHUP, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGHUP, {sa_handler=0x55563739d720, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f0c75304e80}, NULL, 8) = 0
"
rt_sigaction(SIGRT_2, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_2, {sa_handler=0x55563739d720, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f0c75304e80}, NULL, 8) = 0
[...]
"
rt_sigaction(SIGRT_2, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_2, {sa_handler=0x55563739d720, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f0c75304e80}, NULL, 8) = 0
"
rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f0c726c7000
mprotect(0x7f0c726c8000, 8388608, PROT_READ|PROT_WRITE) = 0
clone(child_stack=0x7f0c72ec6fb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[2658], tls=0x7f0c72ec7700, child_tidptr=0x7f0c72ec79d0) = 2658
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f0c71ec6000
mprotect(0x7f0c71ec7000, 8388608, PROT_READ|PROT_WRITE) = 0
clone(child_stack=0x7f0c726c5fb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[2659], tls=0x7f0c726c6700, child_tidptr=0x7f0c726c69d0) = 2659
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=2640, tv_nsec=548561893}) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=2640, tv_nsec=548672383}) = 0
futex(0xc000066848, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc000066848, FUTEX_WAKE_PRIVATE, 1) = 1
rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f0c716c5000
mprotect(0x7f0c716c6000, 8388608, PROT_READ|PROT_WRITE) = 0
clone(child_stack=0x7f0c71ec4fb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[2660], tls=0x7f0c71ec5700, child_tidptr=0x7f0c71ec59d0) = 2660
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f0c70ec4000
mprotect(0x7f0c70ec5000, 8388608, PROT_READ|PROT_WRITE) = 0
clone(child_stack=0x7f0c716c3fb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[2661], tls=0x7f0c716c4700, child_tidptr=0x7f0c716c49d0) = 2661
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=2640, tv_nsec=550311160}) = 0
readlinkat(AT_FDCWD, "/proc/self/exe", "/usr/bin/restic", 128) = 15
fcntl(0, F_GETFL)                       = 0x8002 (flags O_RDWR|O_LARGEFILE)
futex(0xc000066bc8, FUTEX_WAKE_PRIVATE, 1) = 1
mmap(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0c70e84000
fcntl(1, F_GETFL)                       = 0x8002 (flags O_RDWR|O_LARGEFILE)
fcntl(2, F_GETFL)                       = 0x8001 (flags O_WRONLY|O_LARGEFILE)
futex(0xc000066bc8, FUTEX_WAKE_PRIVATE, 1) = 1
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
futex(0xc000066848, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc000066848, FUTEX_WAKE_PRIVATE, 1) = 1
rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f0c5b7ff000
mprotect(0x7f0c5b800000, 8388608, PROT_READ|PROT_WRITE) = 0
clone(child_stack=0x7f0c5bffefb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[2663], tls=0x7f0c5bfff700, child_tidptr=0x7f0c5bfff9d0) = 2663
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
futex(0xc000096f48, FUTEX_WAKE_PRIVATE, 1) = 1
mmap(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0c70643000
clock_gettime(CLOCK_MONOTONIC, {tv_sec=2640, tv_nsec=555097863}) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=2640, tv_nsec=555345244}) = 0
clock_gettime(CLOCK_REALTIME, {tv_sec=1566574408, tv_nsec=578430619}) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=2640, tv_nsec=556002180}) = 0
clock_gettime(CLOCK_REALTIME, {tv_sec=1566574408, tv_nsec=578739042}) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=2640, tv_nsec=556296774}) = 0
getuid()                                = 1001
getgid()                                = 1001
futex(0xc000096f48, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc000066f48, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc000066f48, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc000096f48, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc000096f48, FUTEX_WAKE_PRIVATE, 1) = 1
[...]
"
futex(0xc000066f48, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc000066f48, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc000096f48, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc000096f48, FUTEX_WAKE_PRIVATE, 1) = 1
"
futex(0xc000096f48, FUTEX_WAKE_PRIVATE, 1) = 1
clock_gettime(CLOCK_REALTIME, {tv_sec=1566574408, tv_nsec=596685059}) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=2640, tv_nsec=574255642}) = 0
futex(0xc000096f48, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc000066f48, FUTEX_WAKE_PRIVATE, 1) = 1
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
uname({sysname="Linux", nodename="localhost.localdomain", ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
futex(0xc0000972c8, FUTEX_WAKE_PRIVATE, 1) = 1
newfstatat(AT_FDCWD, "/", {st_mode=S_IFDIR|0555, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0
clock_gettime(CLOCK_REALTIME, {tv_sec=1566574408, tv_nsec=598550054}) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=2640, tv_nsec=576107158}) = 0
openat(AT_FDCWD, "/run/media/yk/USB/Fedora/keys", O_RDONLY|O_CLOEXEC) = -1 EACCES (Lupa evätty)
write(2, "Fatal: unable to open repo at /r"..., 120Fatal: unable to open repo at /run/media/yk/USB/Fedora/: ReadDir: open /run/media/yk/USB/Fedora/keys: permission denied
) = 120
futex(0xc0000972c8, FUTEX_WAKE_PRIVATE, 1) = 1
ioctl(1, SNDCTL_TMR_START or TCSETS, {B38400 opost isig icanon echo ...}) = 0
exit_group(1)                           = ?
+++ exited with 1 +++

Are you sure that you want the owner to be root there? I mean all of this just smells like an ownership issue.
Can you actually just create a dummy file with touch in any of the directories of the restic repo when its mounted? Have you tried this? touch /run/media/yk/USB/Fedora/keys/testfile for example?

Here is a correction I brought:

[root@localhost ~]# getenforce
Permissive
# cd /run/media/yk/USB/; chown -R citser:root Fedora/
# cd /home/citser/bin/; setcap CAP_DAC_READ_SEARCH=+ep restic; getcap restic
restic = cap_dac_read_search+ep

As an unprivileged user, error message related to permission applying to /keys/ persists. I am not an expert in RPM-based systems; at best I realized that there had to be something else involved in that issue than Linux permissions.

[citser@localhost ~]$ touch /run/media/yk/USB/Fedora/keys/T
touch: cannot touch '/run/media/yk/USB/Fedora/keys/T': Permission denied

I mean this already shows that you have an issue with permissions. This is totally unrelated to restic.
Your user that you try to run restic with must be able to create files and directory in the entire repository folder structure. Depending on how you have mounted the drive, the ownership can be different.
For example I have a second SSD in my machine and it is mounted via fstab and the rights are root:root for all of the contents but I still can create directories with my non root user.
So anyhow: I think the main problem lies within the rights. Do you agree?

I am also not sure why you always run other funny commands like these:

If you can’t create a file or folder in any of the folders of the restic repository than all of the commands above are irrelevant as you must ensure proper rights on your system.

You just named that something else. fstab it was then. that’s funny; oh sorry… Let’s apply one more time one of your own suggestion:

Applying to external drive its current capabilities within fstab file. That is a configuration that allowed for the creations of file or folder in any of the folder of the restic repository as well as rebooting system properly.

$ cat /etc/fstab
#<device>	<dir>                   <type>  <options>						<dump>	<fsck>
UUID=_ 		/run/media/yk/USB	ext4    rw,nosuid,nodev,relatime,seclabel,uhelper=udisks2	1	1

Till now encountered denymessage error applying to keys should be expected; instead of it deny some message errors are produced for each target located under a privileged folder.

[citser@localhost bin]$ restic --exclude={/dev,/media,/mnt,/proc,/run,/sys,/tmp,/var/tmp,$RESTIC_REPOSITORY} backup /
repository 353b38b0 opened successfully, password is correct
error: Open: open /.cache: permission denied
[...]

Could not confirm your suggestion work; following command had no effect on above produced error messages:

[root@localhost yk]# cd /run/media/yk/; umount USB/; chown root:root USB/

My fstab for a separate hard drive looks like this:

/dev/disk/by-uuid/uuid-here    /mnt/ssd    auto    noatime,nosuid,nodev,nofail,x-gvfs-show 0 0

so it varies in some ways of yours.

I have no idea what you are doing here - sorry for being rather blant.
The only thing I am certain of is that you have a problem with the proper file access rights.

IMHO I would start by finding out where this problem does not occur and then work my way back.
Maybe initialize a test repo somehwere else on a different disk or in your home directory and see if that works.

I don’t know if it’s just me but I am also a little bit thrown of with all the concatenating of the commands you do. Some of them seem rather random and unnecessary for troubleshooting the issue