Running restic commands as root

Hello. I’m trying to run restic commands as root but am plagued by:

Fatal: unable to open config file: Stat: Access Denied.
Is there a repository at the following location?
s3:s3.amazonaws.com/hqkhan-dev-backup/hqkhan-EC

I’ve tried setting AWS_* env vars before every restic command but still get the same error. Running the commands without sudo works fine. Anyone know what’s going on?

sudo doesn’t preserve the environment by default:

[root@pc ~]# export FOO=bar
[root@pc ~]# sudo env | grep FOO
[root@pc ~]# sudo --preserve-env env | grep FOO
FOO=bar
[root@pc ~]#

I wouldn’t use --preserve-env though. You might like the wrapper approach:

That’s exactly what I did as well. I have a script that has a bunch of relevant exports and called restic "$@" at the end. Here’s the script:

export BACKUP_INCLUDES='--files-from /local/home/hqkhan/.restic/includes --files-from /local/home/hqkhan/.restic/includes_private' 
export BACKUP_EXCLUDES='--exclude-file /local/home/hqkhan/.restic/excludes --exclude-file /local/home/hqkhan/.restic/excludes_private'
export RETENTION_DAYS=7
export RETENTION_WEEKS=4
export RETENTION_MONTHS=6
export RETENTION_YEARS=3
export RESTIC_REPOSITORY=s3:s3.amazonaws.com/hqkhan-dev-backup/hqkhan-EC
export AWS_DEFAULT_REGION=us-east-1
export RESTIC_PASSWORD='...'
export AWS_SHARED_CREDENTIALS_FILE=~/.aws/credentials
restic "$@"

Invoked the script like so: sudo ./script snapshots resulting in the same error.

I wanted to have a systemd timer that invokes my service that runs restic backup. This service would run as root.

Hm. If it works without sudo this line stands out:

export AWS_SHARED_CREDENTIALS_FILE=~/.aws/credentials

Is there a /root/.aws/credentials?


There’s no /root/.aws/credentials. AWS_SHARED_CREDENTIALS_FILE is supported by restic and actually defaults to that. I put it there just to be safe, I guess. It holds the secret key and secret token stuff for AWS. I set the secret key stuff manually as well, but it still did not work.

~ is evaluated in the context of the current user. That is, if you run the script as root, it will look at /root/.aws/credentials.


Oh man. Thank you for that. That was it. Learned something new.

I missed what you were saying here. The ~ was definitely it. Thanks again.
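
The tilde behaviour that resolved this thread, as an added example that is not part of any post: it shows the same assignment resolving to different files under different HOME values, and a wrapper body that pins an absolute credentials path and checks it before calling restic. `CRED_OWNER` and the function names are hypothetical, and Linux `getent` and `stat -c` are assumed.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes Linux (getent, stat -c).
# CRED_OWNER and all function names are hypothetical.

# ~ expands from $HOME when the assignment runs, so the same line names a
# different file for each account the script runs as.
expand_tilde_as() {   # $1 = HOME value to simulate
  HOME="$1" sh -c 'f=~/.aws/credentials; printf "%s\n" "$f"'
}

# Home of the account that owns the credentials: an explicit name, else the
# user who invoked sudo, else the current user. Read from the passwd
# database, so it does not depend on the HOME left in the environment.
owner_home() {
  local user="${1:-${SUDO_USER:-$(id -un)}}"
  getent passwd "$user" | cut -d: -f6
}

# Refuse a credentials path that is relative, missing/unreadable, or
# accessible to group/other. Reason goes to stderr; returns non-zero.
check_credentials_file() {
  local f="$1" mode
  case "$f" in /*) ;; *) echo "not absolute: $f" >&2; return 1 ;; esac
  [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  mode=$(stat -c %a "$f") || return 1
  case "$mode" in *00) ;; *) echo "mode $mode too open: $f" >&2; return 1 ;; esac
}

# Wrapper body: pin the path once, verify it, then hand over to restic.
# In a systemd unit running as root there is no SUDO_USER, so set
# CRED_OWNER there (for example with Environment=).
run_restic() {
  local home
  home=$(owner_home "${CRED_OWNER:-}")
  [ -n "$home" ] || { echo "no passwd entry for credentials owner" >&2; return 1; }
  export AWS_SHARED_CREDENTIALS_FILE="$home/.aws/credentials"
  check_credentials_file "$AWS_SHARED_CREDENTIALS_FILE" || return 1
  restic "$@"
}

# Demonstration with constructed HOME values:
expand_tilde_as /local/home/hqkhan   # /local/home/hqkhan/.aws/credentials
expand_tilde_as /root                # /root/.aws/credentials
```

To use it as the wrapper, keep the other exports from the script above and end the file with `run_restic "$@"`.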