WARNING drop_privileges: setgroups(1, 0) failed: Operation not permitted #492

Closed
opened 2022-01-21 14:04:52 +00:00 by elhananjair · 5 comments

What I'm trying to do and why

Actually this is not a borgmatic error; I just wanted support on using the 'mail' command inside the config.yaml hooks section.
This is what my config.yaml looks like:

hooks:
    # List of one or more shell commands or scripts to execute
    # before creating a backup, run once per configuration file.
    before_backup:
        - echo "Starting a backup."
        - echo "Backup and Prune process is about to start" | /usr/bin/mail -s "Nextcloud backup log" mymail@gmail.com

and I am getting this error:
WARNING drop_privileges: setgroups(1, 0) failed: Operation not permitted

I could execute this command from a random .sh script file, but inside borgmatic it is showing the above error. I would appreciate someone helping me with this. Thank you.

witten added the question / support label 2022-01-21 18:44:37 +00:00
Owner

Where are you seeing the error? And how are you running borgmatic when it occurs? If you're using systemd, I'm guessing that your systemd configuration has locked down permissions such that the borgmatic process can't run the mail hook. Could I get a look at your systemd borgmatic service configuration? Thanks.

Author

I checked the error from the journalctl output of borgmatic.service. I am running borgmatic using systemd and I barely changed the example config of borgmatic.service.

https://paste.centos.org/view/9083c5d4 this is my borgmatic.service file.

Owner

My guess here based on the error message is that ProtectControlGroups=yes is interfering. So you could try commenting that out and reloading the systemd service (sudo systemctl daemon-reload and sudo systemctl restart borgmatic). If that doesn't solve it, you could try commenting out the system service security options (everything from LockPersonality to CapabilityBoundingSet, inclusive) to see if any of those are causing your particular issue.

Author

> My guess here based on the error message is that ProtectControlGroups=yes is interfering. So you could try commenting that out and reloading the systemd service (sudo systemctl daemon-reload and sudo systemctl restart borgmatic). If that doesn't solve it, you could try commenting out the system service security options (everything from LockPersonality to CapabilityBoundingSet, inclusive) to see if any of those are causing your particular issue.

Thank you so much, it worked for me when I commented out the CapabilityBoundingSet property. I think it eases up the security to run other commands.

Owner

Glad to hear it's working for you now! I'll add a comment in the sample systemd service file about this.
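
The warning in this thread names setgroups(), which on Linux returns EPERM when the caller lacks CAP_SETGID, so a narrower check than commenting out CapabilityBoundingSet is to see whether that capability is in the hook's bounding set. The following is an added example, not part of the thread or of borgmatic: a shell helper that decodes the CapBnd mask from /proc/<pid>/status text. The function names and sample masks are constructed, and checking CAP_SETUID as well is an assumption about what a privilege-dropping helper calls next.

```shell
#!/bin/sh
# Added example: decode the capability bounding set a hook runs with.
# Capability numbers from <linux/capability.h>: CAP_SETGID=6, CAP_SETUID=7.

# capbnd_mask: read /proc/<pid>/status-style text on stdin,
# print the hex mask from its CapBnd line.
capbnd_mask() {
    awk '$1 == "CapBnd:" { print $2; exit }'
}

# has_cap MASK BIT: succeed if capability number BIT is set in hex MASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# missing_for_privdrop MASK: print the capabilities that setgroups()/setgid()
# (CAP_SETGID) and setuid() (CAP_SETUID, assumed to follow) need but that the
# bounding set MASK does not contain. Prints an empty line if none are missing.
missing_for_privdrop() {
    out=""
    has_cap "$1" 6 || out="$out CAP_SETGID"
    has_cap "$1" 7 || out="$out CAP_SETUID"
    echo "${out# }"
}

# Constructed samples (not taken from the reporter's system):
# an unrestricted bounding set, and one limited to
# CAP_DAC_READ_SEARCH (bit 2) and CAP_NET_RAW (bit 13).
SAMPLE_FULL='Name: sh
CapBnd: 000001ffffffffff'
SAMPLE_RESTRICTED='Name: sh
CapBnd: 0000000000002004'

# Live check, e.g. as a temporary first entry under before_backup:
#   missing_for_privdrop "$(capbnd_mask < /proc/self/status)"
```

If the live check prints CAP_SETGID, adding that capability to the unit's CapabilityBoundingSet= list is a narrower change than removing the directive.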

Reference: borgmatic-collective/borgmatic#492