Shared storage, backup over sftp and local, permissions problems


I’m redoing all my machines backups from fresh after issues with memory going bad on two different machines :frowning:

It’s made me realize why I’ve had a long running problem with some chunks in my storage being owned by root when they should be owned by duplicacy.

I backup my computers using duplicacy cli over sftp to a chroot jail on my home server. The sftp connection uses a specific user on the server: ‘duplicacy’ so any chunks and snapshots uploaded over sftp are owned by the duplicacy user.

I also backup one zfs pool to my shared storage on the server directly. ssh in, switch to root and ‘duplicacy backup --stats’ - now any uploaded chunks and snapshots are owned by root.

Now if duplicacy over sftp wants access to a chunk owned by root on the server I get an error. Easily corrected by chown-ing the relevant chunk to duplicacy:duplicacy and rerunning the backup. Still a bit of a pain though.

So the question is: how can I do a local backup to this shared storage whilst being root (for the required filesystem access) but have the chunks and snapshots written as the duplicacy user?

One obvious workaround is just to script this local backup and have it automatically correct the permissions once duplicacy has finished its work. But is there a more elegant solution?

Do you have to run the local backup as root? Why not grant the ‘duplicacy’ user read access to the zfs pool, then run the backup job as ‘duplicacy’ so that chunks are written with the same credentials as the sftp user, and not root.

Alternatively, why not grant everyone access to the shared Duplicacy storage? i.e. chmod 777 /duplicacy. Would that not work?

I’m not a Linux expert, but you could probably also assign a ‘duplicacy’ user group to multiple users - one local, several for sftp if required - lock them down as required and change group ownership on the backup storage to this group.

Well, yes. All the duplicacy runs are done as root - want to backup system config like /etc or even all users acounts in /home.

It’s just that on the other LAN machines duplicacy runs as root but transfers via sftp as a duplicacy user.

Yes chmod 777 would stop errors but that’s not what I’d call an elegant solution. I don’t want my backups to be world read and writable!

The idea of using groups is better. Only the existing duplicacy user and root would need to be members of the group. Set group to rw etc. I’ll need to think about this but thanks - just the inspiration I needed!

Excellent. When I last looked into this, I remember you had to do some extra funkery with ACLs and whatnot. This may help: