Restic 0.17.0+ and Access is Denied errors with Windows

Daftbott · September 18, 2024, 4:37am

Tested with Restic 0.16.5 and 0.17.1+.

When restoring files with 0.17.0+, the files are restored, but they return access denied errors. And I cannot open them, delete, or do anything unless I go deep into Windows security permissions and select " Replace all child object permissions with inheritable permissions from this object".

For example the follow WITH RESTIC 0.17.1:

restic -r MyBackup restore dbe0d2df --target C:/users/REDACTED/desktop/RestoreRestic17
repository d0216eb6 opened (version 2, compression level max)
[0:00] 100.00%  2 / 2 index files loaded
restoring snapshot dbe0d2df of [E:\nero] at 2024-09-17 22:46:35.0567189 -0500 CDT by Win11-VM\REDACTED@Win11-VM to C:/users/REDACTED/desktop/RestoreRestic17
ignoring error for \E\nero\Takc.exe: UtimesNano: Access is denied.
ignoring error for \E\nero\lame.exe: UtimesNano: Access is denied.
ignoring error for \E\nero\lame_enc.dll: UtimesNano: Access is denied.
ignoring error for \E\nero\mpcenc.exe: UtimesNano: Access is denied.
ignoring error for \E\nero\neroAacDec.exe: UtimesNano: Access is denied.
ignoring error for \E\nero\neroAacEnc.exe: UtimesNano: Access is denied.
ignoring error for \E\nero\neroAacTag.exe: UtimesNano: Access is denied.
ignoring error for \E\nero\oggenc2.exe: UtimesNano: Access is denied.
ignoring error for \E\nero\opusdec.exe: UtimesNano: Access is denied.
ignoring error for \E\nero\opusenc.exe: UtimesNano: Access is denied.
ignoring error for \E\nero\opusinfo.exe: UtimesNano: Access is denied.
ignoring error for \E\nero\wavpack.exe: UtimesNano: Access is denied.
ignoring error for \E\nero: UtimesNano: Access is denied.
Summary: Restored 13 / 14 files/dirs (5.858 MiB / 5.858 MiB) in 0:00
Fatal: There were 13 errors

ERRORS, RESTORED FILES, BUT CAN’T OPEN/EDIT/DELETE FILES W/O MOD WINDOWS PERMISSIONS

WITH RESTIC 0.16.5

restic16 -r MyBackup restore dbe0d2df --target C:/users/REDACTED/desktop/RestoreRestic16
repository d0216eb6 opened (version 2, compression level max)
[0:00] 100.00%  2 / 2 index files loaded
restoring <Snapshot dbe0d2df of [E:\nero] at 2024-09-17 22:46:35.0567189 -0500 CDT by Win11-VM\REDACTED@Win11-VM> to C:/users/REDACTED/desktop/RestoreRestic16
Summary: Restored 14 files/dirs (5.858 MiB) in 0:00

NO ERRORS, SUCCESSFUL RESTORE, ACCESSIBLE FILES

This seems to happen mostly from files that were backup from the network. E:\ is a mapped network drive. However, I did test with files straight from the system and also got similar errors. In the case below, I back up my pictures folder, and here’s what I get when I restore:

WITH RESTIC 0.17.1

restic -r MyBackup restore latest --target "C:/restored"
repository d0216eb6 opened (version 2, compression level max)
[0:00] 100.00%  3 / 3 index files loaded
restoring snapshot 43e802d4 of [C:\Users\REDACTED\Pictures] at 2024-09-17 23:02:00.359676 -0500 CDT by Win11-VM\REDACTED@Win11-VM to C:/restored
ignoring error for \C\Users: UtimesNano: Access is denied.
Summary: Restored 11 / 12 files/dirs (1.469 MiB / 1.469 MiB) in 0:00
Fatal: There were 1 errors

It’s very strange and it’s keeping me from totally upgrading to 0.17.0. Anyone experiencing this? I was thinking it was my NAS and the file permissions on it. But then I ran a test with a fresh repo and only backup files directly from the system itself and still got access denied errors. No errors at all with 0.16.5.

ProactiveServices · September 19, 2024, 12:54am

Is your anti-virus causing a problem? It could be relevant that the files are all binaries. Perhaps the old restic version is excluded in some way.

Daftbott · September 19, 2024, 3:37am

Oh i didn’t think of that. But still get the same errors no matter what.

KamikazeePL · September 20, 2024, 8:39pm

Try to run as Admin.

Daftbott · September 21, 2024, 4:38am

Good idea. I don’t get the restic errors in admin mode, but the restored files still need permissions reset. Seems to effect paths with UNC names like \nas\folder. Idonno

MichaelEischer · October 17, 2024, 8:22pm

Please open an issue on Github. We probably have to add an option to skip restoring security descriptors.

As far as I can tell the underlying problem is that security descriptors on windows are effectively tied to a specific system. If you backup files on a UNC share and restore those locally, then the security descriptors will still refer to the user IDs that are only valid in the context of the UNC share.

For your local system that means that the files are only accessible to users that don’t exist on your local system. I don’t have the slightest idea whether it would be possible to sanitize the user ids to make sense in the context of the local system, or whether just dropping all security descriptors is the only option.

bazinga · October 19, 2024, 10:16pm

After restoring as Admin, you can reset the permissions with:

takeown /R /F my-folder
icacls my-folder /T /Q /C /RESET