How to mount a root backup and access it through a file manager as non-root #773
Labels
No Label
bug
data loss
design finalized
good first issue
new feature area
question / support
security
waiting for response
No Milestone
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: borgmatic-collective/borgmatic#773
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
What I'm trying to do and why
I run Borgmatic as a systemd unit as root, so I can pull
/etc/
as well as/home/hook/
.I want to
borg mount
a backup and then be able to browse it with a file manager (e.g. Dolphin) so I can find what is missing and then copy-paste / drag’n’drop the files.Steps to reproduce
Have Borgmatic run as a systemd “system” unit.
do:
try mounting as non-root:
1.1.
borgmatic mount --mount-point /mnt/backup_mnt
↦ failmount as root:
1.2.
sudo borgmatic mount --mount-point /mnt/backup_mnt
1.3.
ls /mnt/backup_mnt
↦ failActual behavior
borgmatic mount
as non-root fails:sudo borgmatic mount
works of course, but then the files are only accessible for root too.ls /mnt/backup_mnt
results in:Expected behavior
I just want a way to mount my backups and read them – at least the backups of my home – as my normal user.
Other notes / implementation ideas
Limitations I’ve noticed so far:
/etc/borgmatic/ssh_key
be readable by someone elseborgmatic version
1.8.3
borgmatic installation method
EndeavourOS / Arch Linux package, using Yay
Borg version
borg 1.2.6
Python version
Python 3.11.5
Database version (if applicable)
No response
Operating system and version
Thanks for making it all the way to the issue tracker! My thoughts on this:
Mounting an archive as a non-root user
For this approach, yeah, the only way that would work is if you gave that user access to all borgmatic configuration and credentials (e.g. SSH keys) needed to mount the repository. For the SSH keys, I wouldn't recommend using root's SSH keys. Rather, I'd suggest using the user's own SSH keys, first copying them into the Borg server's
authorized_keys
file (just like you presumably did for root's SSH keys already) so that the non-root user can access the remote Borg repository.As for
Can't determine which repository to use. Use --repository to disambiguate
, maybe non-root borgmatic is using a different set of configuration files? You can increase the verbosity with--verbosity 2
which should tell you what configuration files it's trying to read. And then you can always give it a--config
flag on the command-line to select a particular config file, ideally the same one root is using. Of course, the non-root user will need at least read access to that configuration file for this to work.Major caveat: If the files within the archives have permissions that the non-root user cannot read, then it may be the case that even with all of the above working properly, you still won't be able to read these individual files as a non-root user. If that's the case, perhaps consider the other approach below.
Accessing a root-mounted archive as a non-root user
This is "just" a permission issue. So when you run
ls -ld
on the path of the root-mounted archive, what do you see? Similarly, if you mount withborgmatic mount --options uid=1000,gid=2000,allow_other=true ...
where1000
is the uid of your non-root user and 2000 is its gid, then what doesls -ld
show you? Note that these options will cause all archived files to "change" their apparent owner and group as viewed through your mount. Which might be exactly what you want so you can access them as a non-root user. But I'm bringing it up because it's not technically an accurate view of the archive.More details here: https://borgbackup.readthedocs.io/en/stable/usage/mount.html#description
Non-root access
I tried to fix this by
chgrp --recursive backup /etc/borgmatic
and adding my normal user to that group and then running borgmatic as normal user. (I reverted that since, of course.)The result was that Borg(matic)/SSH did not want to continue because of the key permissions.
I guess I could just keep two copies of the settings and two different keys, but that sounds silly and asking for PEBKAC-triggered errors after some time has passed and I forget it.
Mount options
sudo borgmatic mount --verbosity 2 --mount-point /home/hook/tmp_mount --options uid=1000,gid=1000
(fuse complains thatallow_other=true
is not a valid option, and I used the correct gid here) produces:ls tmp_mount
:ls tmp_mount/leza-2023-10-11T08:27:12.557499/home/hook/
– at least the home folder should be accessible by its user though:Alternative approach: two separate backups?
Maybe the most elegant solution would be to have two separate backups:
Thoughts?
Yeah, I understand that.
Hmm.. I assume you're running
ls
here as the non-root user? Are you sure that 1000 and 1000 correspond to that user's ID and group ID, respectively? When youls -ld
on the directory (or a parent directory if you don't have permissions tols
that one), what are the permissions and ownership shown on the files?That would certainly work, and would sidestep many of these permissions issues. The main challenge is that it might be a little more inconvenient, so it's your call whether that's worth it!
Yes.
Yes.
id
says:ls -ld /home/hook
:ls -ld /home/hook/tmp_mount/
:ls -ld /home/hook/tmp_mount/leza-2023-10-11T08:27:12.557499/home/hook/
:I’ll keep it in mind as a backup (ha!) plan then :)
And when you
ls
those same directories as the root user, what permissions/ownership do you see?P.S. Thank you for taking the time to help me with this.
That's really odd, because it's indeed showing up as owned by your user, so I would not expect that to result in permission errors! Unfortunately this is getting beyond my FUSE expertise. The only other thing I would suggest is to add
,allow_other
to your mount options and try again. If that doesn't work, then maybe consider filing a Borg ticket? I looked through various issues in the Borg backlog, and while I did find similar symptoms to what you're experiencing, I didn't find any clear solutions.In order to reproduce this with just Borg and without borgmatic, you can run the
borg mount
command that shows up in borgmatic's verbose output:borg mount --debug --show-rc -o uid=1000,gid=1000 ssh://{$redacted}/./leza /home/hook/tmp_mount
This command I can successfully run as normal user (I guess because I have a ssh key to that server also in my
~/.ssh/
). All I had to do was enter the remote repository’s password when asked. All other commands in this comment are also as normal user.and
ls /hook/home/tmp_mount/
also produces:Further in, I can also
ls /hook/home/tmp_mount/leza-2023-10-15T0217:57.646966
:Even more, I can even
ls /hook/home/tmp_mount/leza-2023-10-15T0217:57.646966/root
successfully as normal user!So I took this experiment further and if I omit the
-o uid, gid
part, it gets even better!borg mount --debug --show-rc ssh://{$redacted}/./leza /home/hook/tmp_mount/
ls -la tmp_mount/leza-2023-09-16T23:01:22.933288/
:Very cool! So it sounds like then mounting as a non-root user without borgmatic is the way to go? That is unless you want to change the permissions on the borgmatic config so that all users can read it.
borg mount
would work for me, but from a user PoV it does seem odd to use one tool to do everything, and another toAgain, works for me and I’m not complaining, but it does feel like more like a workaround.
Agreed. If you'd like to use borgmatic for this task, then I'd suggest adjusting the permissions on your borgmatic configuration file so it's readable by your user account. And then specify a
--config
path or rely on the default configuration probing. If you're still gettingCan't determine which repository to use
, then perhaps look at the logs to see what configuration files it's using.@witten , how do I get around the issue that
/etc/borgmatic/config.yaml
points to/etc/borgmatic/ssh_key
then?Good question. You could put the key in each user's home directory (e.g. in the traditional location in
~/.ssh
) and then refer to it by a path that resolves to a different actual location for each user. E.g.~/.ssh/ssh_key
would resolve to/root/.ssh/ssh_key
when run as the root user and/home/hook/.ssh/ssh_key
or whatever when run as the non-root user.Another option would be to use borgmatic configuration includes to reuse common configuration while still overriding different per-user configuration.
Yet a third option would be to not set the SSH key path in borgmatic's configuration file and instead specify it some other way (
~/.ssh/config
, etc.).I'm closing this one for now, but feel free to comment or open a new ticket if there's anything else! Thanks.