Suggestion: Duplicacy should run as root on MacOS

Hi, I’m testing out Duplicacy and I like a lot of the key features. I’d love to become a licensed user - but I’ve run into several issues.

The biggest issue for me is that, when installed/run as instructed in the docs, Duplicacy is unable to back up all files on a Mac running recent MacOS (in my case, Sonoma 14.2.1, but I think this would affect the last several major versions of MacOS, at least).

The key problem is that Duplicacy is not running as root - so of course, it can’t read all files on the disk, and therefore can’t back them up. I have already added an exclusions file (inspired by default settings used in Arq), but that’s not enough - and I see that Duplicacy is running with my own UID rather than 0, so it makes sense that it logs things like

WARN LIST_FAILURE Failed to list subdirectory Users/admin/Desktop/: open /Users/admin/Desktop: permission denied

Arq does not have permissions issues, once Full Disk Access is given to it, since it has an “agent” that runs as root. Is there a documented way to install/run Duplicacy in a similar way?

Root is not enough. You need to give Duplicacy a specific entitlement, like full disk access, to read sensitive data.

Duplicacy excludes Time Machine excluded files, just like Arq. There is no need to manually specify any exclusions on macOS besides Caches and Trash.

It’s more complex than that. The main app does run as super user, but the agent impersonates specific users to back up user-mounted filesystems. Duplicacy does not support this use case.

Yes, you can use launchd. Examples: Spurious Duplicacy-web launches - #6 by saspus or here Web-UI issues on MacOS Catalina - #3 by saspus

@saspus Thanks!

I seem to have things working via launchd. Now, I’m just not sure of the best way to get to the web interface. The usual technique of double-clicking on /Applications/Duplicacy Web Edition no longer works - when I do that, nothing happens.

I can get to the web interface by pointing my browser at the page (e.g. http://127.0.0.1:3875/) and I’ve bookmarked that for now - but is there a way to restore access via the application double-click?

My current plist file is:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>EnvironmentVariables</key>
        <dict>
                <key>HOME</key>
                <string>/Library/Duplicacy</string>
        </dict>
        <key>Label</key>
        <string>com.duplicacy</string>
        <key>ProgramArguments</key>
        <array>
                <string>/Applications/Duplicacy Web Edition.app/Contents/MacOS/duplicacy_web_osx_arm64</string>
                <string>-background</string>
                <string>-no-tray-icon</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
        <key>KeepAlive</key>
        <dict>
                <key>Crashed</key>
                <true/>
                <key>SuccessfulExit</key>
                <false/>
        </dict>
        <key>WorkingDirectory</key>
        <string>/Library/Duplicacy</string>
</dict>
</plist>

For reference, my complete step-by-step for getting Duplicacy to run as root was:

  1. First set up Duplicacy, including settings, encryption password, storage-config, etc, as a regular user. Then kill Duplicacy Web (ps -ef|grep duplicacy to find the running daemon’s PID, then kill it).
  2. As root: Create a plist file (see above) and place it at /Library/LaunchDaemons/com.duplicacy.plist.
  3. As root: Create /Library/Duplicacy
  4. As regular user (who knows an admin account’s password, or who is an admin): Using Keychain Access, copy the duplicacy-web application password entry from the login keychain to the System keychain.
  5. As root: Recursively copy the contents of ~/.duplicacy-web to /Library/Duplicacy/.duplicacy-web, ensuring that all copied content ends up owned by root.
  6. As root: Fire up Duplicacy by doing launchctl load -w /Library/LaunchDaemons/com.duplicacy.plist.
  7. Test that things are working, by browsing to http://127.0.0.1:3875.
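
Added example, not part of the original posts: a Python check for the setup in the step-by-step above. It reads the LaunchDaemon plist and reports any referenced file (the plist, the program it launches, and everything under WorkingDirectory/HOME, per step 5) that is not owned by root or is group/world-writable, since a job that runs as root should not execute or read files a non-root user can modify. The function names are hypothetical; the default plist path is the one from step 6.

```python
import os
import plistlib
import stat


def check_path(label, path, owner_uid, findings):
    """Record a finding if path is missing, not owned by owner_uid, or group/world-writable."""
    try:
        st = os.lstat(path)
    except OSError as exc:
        findings.append(f"{label}: {path}: {exc.strerror}")
        return
    if st.st_uid != owner_uid:
        findings.append(f"{label}: {path}: owned by uid {st.st_uid}, expected {owner_uid}")
    # Symlink mode bits are not meaningful; only ownership is checked for them.
    if not stat.S_ISLNK(st.st_mode) and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{label}: {path}: group/world-writable ({stat.filemode(st.st_mode)})")


def audit_launch_daemon(plist_path, owner_uid=0):
    """Return findings for a LaunchDaemon plist, its program, and its data directories."""
    findings = []
    check_path("plist", plist_path, owner_uid, findings)
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)
    except Exception as exc:  # missing file or malformed plist
        return findings + [f"plist: {plist_path}: unreadable ({exc})"]
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else None)
    if program:
        check_path("program", program, owner_uid, findings)
    else:
        findings.append("plist: no Program or ProgramArguments")
    # Directories the daemon reads its config from (step 5: all content owned by root).
    dirs = {job.get("WorkingDirectory"), job.get("EnvironmentVariables", {}).get("HOME")}
    for top in sorted(d for d in dirs if d):
        check_path("data", top, owner_uid, findings)
        for parent, subdirs, files in os.walk(top):
            for name in subdirs + files:
                check_path("data", os.path.join(parent, name), owner_uid, findings)
    return findings


if __name__ == "__main__":
    for line in audit_launch_daemon("/Library/LaunchDaemons/com.duplicacy.plist"):
        print(line)
```

An empty result means every referenced path is root-owned and not writable by group or others; the check does not cover parent directories or Full Disk Access.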