Setting group id for sftp backups

Heya!

Restic is cool :slight_smile:

Is there a way to tell restic to set the repository files it writes over sftp to have a certain user ID and/or group ID?

My situation is that I have a server, where the user belongs to several groups and I would like restic to write all files as one of the groups the user belongs to.

Thanks so much!

I’m not sure if there is a way to configure this in restic but there may be a fancy way to do it using access control lists in Linux (see https://unix.stackexchange.com/questions/12842/make-all-new-files-in-a-directory-accessible-to-a-group)

On the remote side, you just need to set everything to be owned by the correct group and then chmod all of the directories to have the setgid bit. This causes all files and directories created under that directory to be owned by the group the directory is owned by, and all directories are automatically created with the setgid bit, so the configuration will automatically inherit to newly-created directories.

chgrp -R the-group-name /path/to/restic/repo
find /path/to/restic/repo -type d -exec chmod g+s {} +

Hi! Thanks for the advice :slight_smile:

I tried setting the setgid bits - this seems to work if I log in as the user and just create a file using touch.

These are the repository permissions:

[root@brix ~]# ls -hal /mnt/data/backup-targets
drwxr-sr-x.   7 fetcher data-read 4.0K Feb 25 21:14 .
[...]
drwxr-s---.   2 fetcher data-read  36K Apr 24 09:03 snapshots

If I create a file in snapshots manually, it seems to have the correct group and read permissions:

[fetcher@brix ~]$ touch /mnt/data/backup-targets/snapshots/test
[fetcher@brix ~]$ ls -hal /mnt/data/backup-targets/snapshots/test
-rw-r--r--. 1 fetcher data-read 0 Apr 24 11:24 /mnt/data/backup-targets/snapshots/test

While an actual snapshot created using restic over sftp to that host, same user:

-rw-------. 1 fetcher data-read 285 Apr 23 16:03 /mnt/data/backup-targets/snapshots/8f2ddc1cd79dbf8dd84b5b89b0cfe2596c58165d4ca84705a8c41cf290edf772

The group is being set correctly, but the group does not seem to have permission to read the file.

Is it something that I set incorrectly there, or is restic electing to write the file with minimal permissions?

Thanks! :slight_smile:

Ah, yes, restic intentionally operates with a forced umask of 0077. I even created a forum thread about this, so it’s a bit silly of me to forget that.

IMO restic should defer to the umask when writing repository files but I don’t know if @fd0 is open to that change. “Secure by default” is reasonable, but the current approach is also unreasonably limiting for system administrators who know what they are doing.

Hi, thanks for that :slight_smile:

I like that the default is secure, for sure.
I’d like to have the possibility to specify gid and uid from the restic command line, as an optional parameter. Would that be something worth implementing, @fd0? If so - I could probably find some time to do the implementation myself later.

Thanks!

I don’t think setting the uid/gid manually is necessary since you can use the setgid bit as I described. However, we need a way for restic to create files with a user-supplied umask (or use the process umask) instead of forcing a umask of 0077.
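An added illustration (not code from the thread or from restic) of the two halves of this discussion: the setgid directory trick from the earlier reply makes new files inherit the group, but the file's mode bits still come from the umask, so a forced umask of 077 yields the group-unreadable 0600 snapshots seen above. It assumes Linux with GNU coreutils (`stat -c`), works in a throwaway directory with one of the current user's own groups, and mimics restic's forced umask with a plain `umask 077` instead of running restic.

```shell
#!/bin/sh
# Added example, not from the thread: setgid fixes the group, umask fixes the mode.
# Assumes Linux + GNU coreutils; everything happens in a temporary directory.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Use a supplementary group if the user has one (like the thread's data-read),
# otherwise fall back to the primary group so the script still runs.
pick_group() {
    set -- $(id -G)
    if [ "$#" -ge 2 ]; then echo "$2"; else echo "$1"; fi
}
GRP="$(pick_group)"

# The remote-side setup from the thread: hand the repo to the group and set the
# setgid bit on every directory so new entries inherit that group.
setup_repo() {
    mkdir -p "$1/snapshots"
    chgrp -R "$GRP" "$1"
    find "$1" -type d -exec chmod g+s {} +
}

# Create an empty file under the given umask; print "<gid> <octal mode>".
# umask 022 mimics an interactive `touch`, umask 077 mimics restic's forced umask.
create_with_umask() {
    (umask "$1" && : > "$2")
    stat -c '%g %a' "$2"
}

# Create a subdirectory under the setgid parent; print "<gid> <octal mode>".
# The leading 2 in the mode shows the setgid bit itself was inherited.
create_subdir() {
    (umask 022 && mkdir "$1")
    stat -c '%g %a' "$1"
}

main() {
    setup_repo "$WORK/repo"
    echo "group $GRP, repo dir:  $(stat -c '%g %a' "$WORK/repo")"
    echo "touch  (umask 022):   $(create_with_umask 022 "$WORK/repo/snapshots/manual")"
    echo "restic (umask 077):   $(create_with_umask 077 "$WORK/repo/snapshots/snap")"
    echo "new subdirectory:     $(create_subdir "$WORK/repo/data")"
}
main "$@"
```

Both files end up in the right group, but only the umask 022 one is group-readable, which is why the thread concludes that a configurable umask (not a uid/gid option) is the missing piece.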