Inotifywait and restic

Hello,

I’m setting up my own backup solution on a Raspbian, and using inotifywait event close_write to chmod new restic directories to 1777, and new restic files to 0444 (with files, I also do chattr +i).

That means, in theory, that whenever new files are opened in write mode and then closed, they will be made immutable. The purpose of this is to prevent a potential leak of sftp credentials from leading to files being overwritten or deleted.

I am, however, sometimes getting something like this:

repository 6708fb6e opened successfully, password is correct
found 2 old cache directories in /Users/neob91/Library/Caches/restic, run `restic cache --cleanup` to remove them
Save(<data/7a431dbfd8>) returned error, retrying after 552.330144ms: Chmod: sftp: "Permission denied" (SSH_FX_PERMISSION_DENIED)
Save(<data/7a431dbfd8>) returned error, retrying after 1.080381816s: OpenFile: sftp: "Failure" (SSH_FX_FAILURE)
Save(<data/7a431dbfd8>) returned error, retrying after 1.31013006s: OpenFile: sftp: "Failure" (SSH_FX_FAILURE)
Save(<data/7a431dbfd8>) returned error, retrying after 1.582392691s: OpenFile: sftp: "Failure" (SSH_FX_FAILURE)
Save(<data/7a431dbfd8>) returned error, retrying after 2.340488664s: OpenFile: sftp: "Failure" (SSH_FX_FAILURE)
Save(<data/7a431dbfd8>) returned error, retrying after 4.506218855s: OpenFile: sftp: "Failure" (SSH_FX_FAILURE)
Save(<data/7a431dbfd8>) returned error, retrying after 3.221479586s: OpenFile: sftp: "Failure" (SSH_FX_FAILURE)
Save(<data/7a431dbfd8>) returned error, retrying after 5.608623477s: OpenFile: sftp: "Failure" (SSH_FX_FAILURE)
Save(<data/7a431dbfd8>) returned error, retrying after 7.649837917s: OpenFile: sftp: "Failure" (SSH_FX_FAILURE)
Save(<data/7a431dbfd8>) returned error, retrying after 15.394871241s: OpenFile: sftp: "Failure" (SSH_FX_FAILURE)
Fatal: unable to save snapshot: OpenFile: sftp: "Failure" (SSH_FX_FAILURE)

Is there a chance that restic opens a file in writable mode, closes it, and then tries to write to it again?
Thanks for any help you can provide!

How does making your restic repository’s files immutable prevent leaking of SFTP credentials?

I’m not trying to prevent a leak here.
In case of a leak that I’m not aware of, I am making the files immutable.

If someone obtains sftp credentials, they will be unable to delete the backups or tamper with them.
This effectively makes the possession of those credentials worthless to a potential attacker. The worst they could do is create a ton of garbage snapshots.

Restic retries the save operation after the failed Chmod: sftp: "Permission denied" (SSH_FX_PERMISSION_DENIED). Save currently creates and uploads the backup file and then adjusts the permissions using chmod. If any of these steps fails, then the complete save operation gets retried.

So basically your script is modifying the permissions and the immutable attribute too early. As a less hacky variant you could take a look at this setup using rclone and sftp.
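An added example (not from the thread and not restic's own code): a watcher that locks a file on the inotify `attrib` event raised by restic's post-upload chmod instead of on `close_write`, so the Save sequence described above (create, upload, close, chmod) has finished before the file is made immutable. It assumes a placeholder repository path `REPO` on the Raspbian sftp host, that inotify-tools is installed, and that the watcher runs as root; the `locks` directory is excluded so restic can still remove its own lock files.

```shell
#!/bin/sh
# Watcher for the sftp host holding the restic repository. Hardens a file only on
# the inotify `attrib` event raised by restic's own chmod after the upload, so the
# Save sequence (create, upload, close, chmod) has already completed.
# Assumptions: REPO is the repository path on this host, inotify-tools is installed,
# and the watcher runs as root (chattr +i needs CAP_LINUX_IMMUTABLE).
REPO="${REPO:-/srv/restic/repo}"   # placeholder path, not taken from the thread

# Decide whether an event on $1 (absolute path) should trigger hardening.
# Returns 0 to harden, 1 to leave the file alone.
should_harden() {
    path=$1
    case "$path" in
        "$REPO"/locks/*) return 1 ;;   # restic must be able to remove lock files
        "$REPO"/data/*|"$REPO"/index/*|"$REPO"/snapshots/*|"$REPO"/keys/*|"$REPO"/config) ;;
        *) return 1 ;;
    esac
    [ -f "$path" ] || return 1         # regular files only, never directories
    # Already immutable: skip, otherwise our own chmod would fail with EPERM.
    if lsattr -d "$path" 2>/dev/null | awk '{print $1}' | grep -q i; then
        return 1
    fi
    return 0
}

# Append-only at the filesystem level: read-only mode plus the immutable flag.
harden_file() {
    chmod 0444 "$1" && chattr +i "$1"
}

watch_repo() {
    # attrib fires on restic's chmod that follows the upload; by then the data is
    # on disk and restic does not open the file again.
    inotifywait -m -r -q -e attrib --format '%w%f' "$REPO" |
    while IFS= read -r path; do
        if should_harden "$path"; then
            harden_file "$path" || printf 'harden failed: %s\n' "$path" >&2
        fi
    done
}

if [ "${1:-}" = "watch" ]; then
    watch_repo
fi
```

Run it as `sh watcher.sh watch` alongside the sftp server; the immutable check also keeps the watcher from acting again on the `attrib` events its own chmod and chattr produce.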