
add non-root deployment strategy

Stephan Herbers 1 year ago
parent
commit
a06c42cf1f
2 changed files with 52 additions and 0 deletions
  1. docs/deployment.rst (1 addition, 0 deletions)
  2. docs/deployment/non-root-user.rst (51 additions, 0 deletions)

+ 1 - 0
docs/deployment.rst

@@ -14,3 +14,4 @@ This chapter details deployment strategies for the following scenarios.
    deployment/automated-local
    deployment/image-backup
    deployment/pull-backup
+   deployment/non-root-user

+ 51 - 0
docs/deployment/non-root-user.rst

@@ -0,0 +1,51 @@
+.. include:: ../global.rst.inc
+.. highlight:: none
+.. _non_root_user:
+
+================================
+Backing up using a non-root user
+================================
+
+This section shows how to run borg as a non-root user and still be able to
+backup every file on the system.
+
+Normally borg is run as the root user to bypass all filesystem permission and
+be able to read all files. But in theory this also allows borg to modify or
+delete files on you system, incase of a bug for example.
+
+To remove this possible we can run borg as a non-root user and give it readonly
+permissions to all files on the system.
+
+
+Using linux capabilities inside a systemd service
+=================================================
+
+One way to do so, is to use linux `capabilities
+<https://man7.org/linux/man-pages/man7/capabilities.7.html>`_ within a systemd
+service.
+
+Linux capabilities allow us to give parts of the privileges the root user has to
+a non-root user. This works on a per-thread level and does not give the permission
+to the non-root user as a whole.
+
+For this we need to run our backup script from a systemd service and use the `AmbientCapabilities
+<https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#AmbientCapabilities=>`_
+option added in systemd 229.
+
+A very basic unit file would look like this:
+
+::
+
+    [Unit]
+    Description=Borg Backup
+
+    [Service]
+    Type=oneshot
+    User=borg
+    ExecStart=/usr/local/sbin/backup.sh
+
+    AmbientCapabilities=CAP_DAC_READ_SEARCH
+
+The CAP_DAC_READ_SEARCH capability gives borg readonly access to all files and directories on the system.
+
+This service can then be started manually using ``systemctl start`` or regularly with a systemd timer.
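Review bot: the closing sentence of this file ("gives borg readonly access to all files and directories on the system") overstates what the capability covers, and the page would benefit from one extra sentence. Per the capabilities(7) page linked above, CAP_DAC_READ_SEARCH bypasses file read checks and directory read/search checks only; it does not bypass file execute checks, so `/usr/local/sbin/backup.sh` must still be executable by the `borg` user, and the repository, cache and config directories borg writes to must be owned by (or writable for) that user, otherwise the first run of the unit fails. Because AmbientCapabilities= is inherited by every process the script starts, it is also worth saying that the `borg` account can then read every file on the host, including secrets, so the repository and that account deserve the same protection as root's data. Separately, the prose in the new page has a few typos that should be fixed before merging: "be able to backup every file" should read "back up every file", "bypass all filesystem permission" should be "permissions", "delete files on you system, incase of a bug" should be "on your system, in case of a bug", and "To remove this possible we can run borg" should be "To remove this possibility, we can run borg".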