Restore with macOS ACLs

restic version
restic 0.18.1 compiled with go1.25.1 on darwin/arm64

Amazon AWS S3 Backend

macOS 26.1 (25B78)

restic backup \
	--host "$RESTIC_HOST" \
	--files-from "$RESTIC_INCLUDES_FILE" \
	--exclude-file "$RESTIC_EXCLUDES_FILE" \
	--one-file-system \
	--cache-dir "$RESTIC_CACHE_DIR" \
	--cleanup-cache \
	--compression max \
	--limit-download "$RESTIC_LIMIT_DOWNLOAD" \
	--limit-upload "$RESTIC_LIMIT_UPLOAD" \
	-o s3.storage-class=INTELLIGENT_TIERING

restic restore latest --target /tmp/restore-restic

All commands executed as root

Backup + Restore works. However, ACL permissions seem to be missing.

I cannot access any of the restored files without manually fixing permissions etc.

Linux file permissions seem to restore properly. However, I’m using macOS file sharing. I configure the permissions per share and then apply these recursively via the macOS file sharing GUI. This seems to rely heavily on ACLs and removes Linux file permissions:

ls -leah /Volumes/OWC-AB-R1/Louis
total 16
d---------@  5 martin  staff   160B Nov  8 16:56 .
 0: user:martin allow list,search,readattr,readextattr,readsecurity
drwxrwxr-x@ 16 root    wheel   512B Nov 22 12:21 ..
----------@  1 martin  staff   6.0K Nov 17 00:48 .DS_Store
 0: user:martin allow read,readattr,readextattr,readsecurity
d---------@  3 martin  staff    96B Oct  1 21:59 Kindergarten
 0: user:martin allow list,search,readattr,readextattr,readsecurity
d---------@  4 martin  staff   128B Aug  4  2024 Versicherungen
 0: user:martin allow list,search,readattr,readextattr,readsecurity

When restoring this I end up with e.g.

d---------   4 martin  staff   128B Aug  4  2024 Versicherungen

Notice:

 0: user:martin allow list,search,readattr,readextattr,readsecurity

is missing

Is this the expected behavior or misconfiguration / error on my end?

Looking at the docs and researching on the internet made me believe that such macOS ACLs would be stored in the backups. Is this the case? Can they be restored at the moment or is this a planned future feature? If that’s the case, backups made today will just work because necessary information is also stored in the repository, right?

Hi @hettiger and welcome to the Restic forum and community!

You stumbled on a current limitation of Restic itself. This is tracked in the following issue: macOS BackupBouncer shows failure on some important tests · Issue #1622 · restic/restic · GitHub

AFAIK macOS uses NFS for file sharing and you set NFS ACLs on them, which are not supported as of now.

Thank you @moritzdietz, good to know it’s not an error on my end.

I don’t know if NFS is still a thing on macOS. I thought newer macOS releases would use SMB exclusively. I have enabled SMB via system settings because my scanner needs it and I believe it’s a requirement when serving Time Machine.

Does someone know how those ACLs on macOS work from a low-level perspective? On Linux these ACLs are just extended attributes that can be read and written if the user has the necessary permissions.

This is the best resource that I found:

Specifically

macOS 10.4 and later implements SMB/CIFS-compatible access control lists (ACLs). Although individual users cannot set or alter ACLs, server administrators can do so. (Administrators can use the SMB server command line to manipulate ACLs, but only if both the client and server are bound to the same Active Directory domain.) However, enforcement of permissions is done only on the server, not on the client. See POSIX ACLs for more information on the macOS implementation of ACLs.

and

For more information on SMB/CIFS permissions and to learn how to modify their behavior, see the man page for SMB (man 5 smb.conf).

Hopefully this is of some use for you. Thank you for looking into this!

Also interesting:

The server GUI cannot directly manipulate ACEs of files. There is no GUI in the Finder to set or change ACEs. ACEs can be read and set both on the server and client using the command-line tools ls and chmod.

Looking into the man pages of chmod:

The chmod utility modifies the file mode bits of the listed files as specified by the mode operand. It may also be used to modify the Access Control Lists (ACLs) associated with the listed files.

...

             Examples
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
              # chmod +a "admin allow write" file1
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: admin allow write
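
To find which restored entries lost their ACEs, the `ls -le` listings of the source and the restore target can be compared mechanically. This is an added example, not part of the original thread or of restic; the sample listings are constructed from the output quoted above, and `/path/to/restored/Louis` is a placeholder path.

```python
import re
import shlex
# ACE lines in `ls -le` output are indented and start with "<index>: ".
ACE_RE = re.compile(r"^\s+\d+:\s+(.*\S)\s*$")
# Entry lines start with a mode string such as "d---------@" or "-rw-r--r--+".
MODE_RE = re.compile(r"^[-dlbcps][-rwxsStT]{9}[@+]?$")

def parse_ls_le(text):
    """Map each entry name in `ls -le` output to its list of ACE strings."""
    acls, current = {}, None
    for line in text.splitlines():
        ace = ACE_RE.match(line)
        fields = line.split(None, 8)  # mode links owner group size mon day time name
        if ace and current is not None:
            acls[current].append(ace.group(1))
        elif len(fields) == 9 and MODE_RE.match(fields[0]):
            current = fields[8]
            acls[current] = []
    return acls

def lost_aces(source_listing, restored_listing):
    """Return {name: [ACEs in the source but absent after restore]}; ".." is skipped."""
    src, dst = parse_ls_le(source_listing), parse_ls_le(restored_listing)
    report = {}
    for name, aces in src.items():
        missing = [a for a in aces if a not in dst.get(name, [])]
        if missing and name != "..":  # parent directory is outside the backed-up tree
            report[name] = missing
    return report

def reapply_commands(report, root):
    """Build `chmod +a` lines for review; entry order within an ACL is not restored."""
    return ["chmod +a %s %s" % (shlex.quote(ace), shlex.quote(root + "/" + name))
            for name, aces in report.items() for ace in aces]

# Constructed sample: two entries from the listing in the thread, before and after restore.
SOURCE = """\
----------@  1 martin  staff   6.0K Nov 17 00:48 .DS_Store
 0: user:martin allow read,readattr,readextattr,readsecurity
d---------@  4 martin  staff   128B Aug  4  2024 Versicherungen
 0: user:martin allow list,search,readattr,readextattr,readsecurity
"""
RESTORED = """\
----------   1 martin  staff   6.0K Nov 17 00:48 .DS_Store
d---------   4 martin  staff   128B Aug  4  2024 Versicherungen
"""

if __name__ == "__main__":
    print("\n".join(reapply_commands(lost_aces(SOURCE, RESTORED), "/path/to/restored/Louis")))
```

The generated `chmod +a` lines are meant to be read before they are run, since the restored files have no mode bits to fall back on if an entry is wrong.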