Permissions within local repo backend

I’m a little confused about restic’s use of permissions with a local repo. Restic and the local repo are being used to copy snapshots from an S3 service. This appears to be working well despite my lack of understanding of how restic is using permissions.

Note the files and dirs within the repo:

drwx------   2 user1 user1   2 Dec 27 16:23 locks
drwx------   2 user1 user1 528 Dec 27 16:16 snapshots
drwx------   2 user1 user1 167 Dec 27 16:08 index
drwxrwxr-x   7 user1 user1   8 Oct 25 11:37 .
-r--------   1 root  root  155 Oct 25 11:37 config
drwx------   2 user1 user1   3 Jun 10  2022 keys
drwx------ 258 user1 user1 258 Jun 10  2022 data
drwxr-xr-x   3 user1 user1   3 Jun 10  2022 ..

The config file has root:root ownership with 400. October 25 is the date that I migrated to V2 repo.
The files within snapshots are also root:root ownership with 400. The same goes for the files within data e.g. data/8a - files are root:root and 400.

I’ve read this thread but it seems to refer to a different set of permissions so I’m not sure if it’s relevant to my needs:

Can I just recursively apply user1:user1 ownership to the whole repo tree? Same for applying 600 recursively on all files alone (not dirs)? Would I have to do this often over time? Safe to do this?

I’m guessing that my overuse of sudo caused this problem or are these the permission defaults for restic 0.14.0? Should I switch to rest server (instead of local repo) which appears to have umask capabilities which may help to control these permission issues?

Thanks.

Perhaps you used the migrate command as root, leaving some of the files owned as root. Changing permissions will do no harm to the backup data.

Yep all this should be fine. The thing is: if you run Restic as root, then the newly created file will be created in that user context. But you can change the owner of the repo files to anything you like.
You have to do this as often as you “misuse” the Restic command as root when you normally wouldn’t.

The default permission for files was changed to 400 a few releases ago. This makes it harder to accidentally modify files in a repository. Thus, it’s best to use 400 instead of 600 for the file permissions.

:thinking: read only? Searching through master gave me no indication of a change to 0400 but only 0600 (for example the config file).

It’s somewhat well hidden, see the commit “local: mark repository files as read-only” (restic/restic@f4282aa on GitHub). When creating a new file it first has to be writable, it is only marked as read-only after it’s written completely.


Thanks for linking the commit and info behind it :slight_smile:

Thank you for the help. This explains quite a bit of what I was experiencing.
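Added example, not from the thread and not restic's own code: a shell helper that reports and repairs the drift discussed above (files owned by another user after a sudo run, file modes other than 400). The function names are hypothetical; the 0700 directory mode is assumed from the listing in the first post, and the repository root's own mode is left untouched.

```shell
#!/usr/bin/env bash
# Audit and repair ownership/modes of a restic *local* repository.
# Assumptions (not from the thread): function names, and 0700 for
# sub-directories as seen in the posted listing. Files become 0400,
# the read-only mode the thread recommends.

# List every path under repo $1 that is not owned by user $2.
repo_wrong_owner() {
    find "$1" ! -user "$2" -print
}

# List regular files that are not exactly 0400 and sub-directories
# that are not exactly 0700 (the repository root itself is skipped).
repo_wrong_mode() {
    find "$1" -type f ! -perm 0400 -print
    find "$1" -mindepth 1 -type d ! -perm 0700 -print
}

# Print all offending paths; return 0 when the repository is clean.
repo_audit() {
    bad=$( { repo_wrong_owner "$1" "$2"; repo_wrong_mode "$1"; } | sort -u )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Repair repo $1 for user $2 and group $3.
repo_fix() {
    # chown is only attempted when needed; it requires root if the
    # files currently belong to someone else (e.g. root:root).
    if [ -n "$(repo_wrong_owner "$1" "$2")" ]; then
        chown -R "$2:$3" "$1" || return 1
    fi
    # Directories first, so the owner can traverse and later prune
    # files; deleting a 0400 file only needs write access to its dir.
    find "$1" -mindepth 1 -type d ! -perm 0700 -exec chmod 0700 {} +
    find "$1" -type f ! -perm 0400 -exec chmod 0400 {} +
}

# Typical use, after sourcing this file:
#   repo_audit /path/to/repo user1 || sudo bash -c \
#     '. ./this-file.sh; repo_fix /path/to/repo user1 user1'
```

Running `repo_audit` from cron as the backup user gives early warning the next time a root-run command leaves files behind.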