Restic on mac problem with some directories

Hi. I am using restic for mac, latest version from macports, and I am running as root. My problem is that some directories and maybe some files in my home directory under the Library directory are not being backed up, the program complains operation not permitted. I am using OSX Mohave 10.114.6. Any idea what is happening here? I am launching the program by using a file under /Library/LaunchAgents and I have a plist file which runs the shell script in my home directory.

Thanks in advance for any suggestions.

Well if restic is telling you that it is not allowed to access certain files, you can double check the files ownership and rights etc. On macOS some directories are off-limits even for root.
Other than that, you can try to run the restic command manually and not via launctl script which runs a shell script.
A good start is to try to simplify or reduce complexity and see where the problems start appearing.

@covici Check out https://github.com/restic/restic/issues/2051 , might be the problem you’re having. But what @moritzdietz said is true, you should be more specific when you report a problem. Show the complete restic command the the complete output of it, for example.

Ha! Totally missed to check for open GitHub issues regarding this. Thanks for adding this.

hmmm, the files are not even owned by root, they are owned by
covici.staff – the strange thing is that as root I can actually open
those directories – at least one of them which I tried – but when I
run the job, it cannot. I wonder if the launch agents do not run as
root? Very odd indeed, but I will keep looking.

Technically, the root account is disabled on Mac by default. You’re admin is a super user with sudo rights, etc. Regardless, the issue is most likely related to the sandbox and privacy settings newer versions of OS X has implemented (borrowing from iOS). If you go to System Preferences > Security & Privacy and then the Privacy tab, you will likely see the list of folders not being backed up due to permissions issues corresponding to the list of items on the left (e.g., Contacts, Calendar, Photos).

1 Like

What seems to be happening is that the launchdaemon is not running as
root, if I use root directly (I have set this up, specifically), then
I can manually open at least some of the folders in question, but when
I run the launchdaemon, then strangely enough I get the errors. I am
going to try cron daemon instead and see if that works better.

Ok. Maybe that’ll work. I run Restic with a from job on my Mac and see similar permissions issues. However, it’s not running as root, just under my own account. I only backup my home directory on my Mac so that’s not an issue in my use case. Also, my day-to-day user account doesn’t have admin rights for security purposes so I wasn’t surprised when a few special directories couldn’t be backed up.

If that doesn’t work, you might try granting Restic permissions to those files through the System Preferences Privacy settings. Briefly looking at the GitHub issue that appears related, I imagine someone has tried that but I’m not sure. If it works, report back here and on GitHub please.

Well, the cron job did not do any better. I only backup my home
directory as well, but some things in the Library directory won’t
backup, so I was trying to get that to work.

How would I grant restic more privs, I don’t see anything obvious in
privacy/security?

On the Privacy tab of Security & Privacy, select items like Calendar on the left and then hit the plus button to grant access and select the Restic binary. I haven’t tried this and am not sitting in front of a Mac, but I think that’s how you would do it.

Guys, this looks like what’s discussed in the GitHub issue I linked to earlier. Or I’m misunderstanding what you’re talking about.

It’s been shown that just adding the restic binary to full disk access will not work, instead you have to package it as a .app or do some other workaround. It’s all described in that issue, I suggest you check there.

Personally I’m using Platypus to package my restic and backup scripts as a .app, and giving that .app FDA. That works to get rid of the permission errors I got.

1 Like

Well, I managed to put it in, I had to get the finder to go to /opt by
hand, but after that I was able to find the binary, I hope that does
something – I will let you know.

Mhh I can give FDA to the restic binary itself without having it in an .app … so that’s something :smiley:
And with that I don’t have any problem on backing up any folder - also the folders discussed here and in the GH issue.

@moritzdietz That’s very interesting. What macOS version are you on, exactly?

I’ve tried it all, and just allowing the restic binary did not make it work for me, I had to wrap it. I only back up home directories though, the problems I had was with some files under ~/Library.

Can you tell me what you did to “wrap it”? I am having this same
problem.

I am running macOS Mojave 10.14.6.
The restic binary itself is located in /usr/local/bin and from there I was able to add it to FDA.
Then backing up the ~/Library/Mail/ folder was not a problem at all.

I just also tried other locations for the restic binary and for me, it doesn’t make a difference.
I copied the binary to the Desktop and then added it to FDA without problems.

@moritzdietz Okay, thanks. Really weird, but lucky you! :wink:

Wrapped it as an .app using Platypus, then gave that application the FDA permissions.

OK, so I tried platypus, the fields seemed self-explanatoory to me, I selected textview and the default icon, and selected my script, but nothing happened when I ran it – it never executed the script at all. When I opened it, it asked me for my password, maybe because I was running out of my home directory, but after that nothing. I know the shell script works because I am using it out of cron all the time.

Here’s the command line I use to build the .app with Platypus:

platypus \
	--overwrite \
	--optimize-nib \
	--background \
	--quit-after-execution \
	--bundle-identifier 'com.foo.$@' \
	--name 'Backup' \
	--app-version '$(VERSION)' \
	--author '$(AUTHOR)' \
	--interface-type 'None' \
	--interpreter '/bin/bash' \
	--app-icon '/Applications/Platypus.app/Contents/Resources/PlatypusDefault.icns' \
	--bundled-file '.config' \
	--bundled-file '$(shell find bin/restic -depth 1|paste -sd "|" -)' \
	bin/restic/backup.sh \
	release/Backup.app