Setting group id for sftp backups

Heya !

Restic is cool :slight_smile:

Is there a way to tell restic to set the repository files it writes over sftp to have a certain user id and/or group id ?

My situation is that I have a server, where the user belongs to several groups and I would like restic to write all files as one of the groups the user belongs to.

thanks so much !

I’m not sure if there is a way to configure this in restic but there may be a fancy way to do it using access control lists in Linux (see

On the remote side, you just need to set everything to be owned by the correct group and then chmod all of the directories to have the setgid bit. This causes all files and directories created under that directory to be owned by the group the directory is owned by, and all directories are automatically created with the setgid bit, so the configuration will automatically inherit to newly-created directories.

chgrp -R the-group-name /path/to/restic/repo
find /path/to/restic/repo -type d -exec chmod g+s {} +

Hi ! Thanks for the advice :slight_smile:

I tried setting the setgid bits - this seems to work if I log in as the user and just create a file using touch:

This is the repository permissions:

[root@brix ~]# ls -hal /mnt/data/backup-targets
drwxr-sr-x.   7 fetcher data-read 4.0K Feb 25 21:14 .
drwxr-s---.   2 fetcher data-read  36K Apr 24 09:03 snapshots

If I create a file in snapshots manually it seems having the correct group and read permissions:

[fetcher@brix ~]$ touch /mnt/data/backup-targets/snapshots/test
[fetcher@brix ~]$ ls -hal /mnt/data/backup-targets/snapshots/test
-rw-r--r--. 1 fetcher data-read 0 Apr 24 11:24 /mnt/data/backup-targets/snapshots/test

While actual snapshot created using restic over sftp to that host, same user:

-rw-------. 1 fetcher data-read 285 Apr 23 16:03 /mnt/data/backup-targets/snapshots/8f2ddc1cd79dbf8dd84b5b89b0cfe2596c58165d4ca84705a8c41cf290edf772

The group is being set correctly, but the group does not seem to have permission to read the file.

Is it something that I set there incorrect or is restic electing to write the file with minimal permissions ?

thanks ! :slight_smile:

Ah, yes, restic intentionally operates with a forced umask of 0077. I even created a forum thread about this, so it’s a bit silly of me to forget that.

IMO restic should defer to the umask when writing repository files but I don’t know if @fd0 is open to that change. “Secure by default” is reasonable, but the current approach is also unreasonably limiting for system administrators who know what they are doing.

Hi, thanks for that :slight_smile:

I like that the default is secure, for sure.
I’d like to have a possibility to specify gid and uid from the restic commandline, as an optional parameter, would that be something worth implementing @fd0 ? If so - I could probably find some time to do the implementation myself later.

Thanks !

I don’t think setting the uid/gid manually is necessary since you can use the setgid bit as I described. However, we need a way for restic to create files with a user-supplied umask (or use the process umask) instead of forcing a umask of 0077.