Running command in hook on behalf of another user? #841
Reference: borgmatic-collective/borgmatic#841
What I'm trying to do and why
Hi! I use borgmatic for backing up certain apps, which I need to stop on behalf of the `www-data` user before and start after running the backup. I've added a couple of hooks:
When executed borgmatic reports that:
Is it possible to use sudo in hooks somehow or what to use?
UPD:
The only workaround, which I've found is to replace the string variable manually:
where app-maint-on:
But that is like a workaround, which doesn't allow me to process the exit code from the execution of the app command.
borgmatic version
1.8.3
borgmatic installation method
deb package
Borg version
1.2.0
Python version
3.10.12
Database version (if applicable)
mysql Ver 15.1 Distrib 10.6.16-MariaDB
Operating system and version
Ubuntu 22.04.4 LTS
In theory, yes—if you're running as the root user and sudo-ing to a non-root user. So when you're running borgmatic, what user are you running it as? Does that user have `sudo` permissions? If you run the full `sudo -u www-data ...` command as that user at the command-line, does it work? And how are you actually kicking off borgmatic? systemd, cron, manually, etc?
Also, side note: Once you upgrade borgmatic, you might consider switching to borgmatic's native Apprise support so that you don't have to call out to Apprise manually in before/after hooks.
I have created systemd service and timer units:
Well, with native it demands v.1.8.5, though I haven't found the proper deb package for my Ubuntu 22.04 :(
Additionally, in native call I do not understand how to deal with hooks: are they called after apprise or before? How are they interconnected?
Okay, it looks like that systemd service/timer is running as the root user. That's good. So does your full sudo command work when run from root manually at the command-line or do you get the same error?
It's possible that some of the security options (between `Type=oneshot` and `Nice=19`) are interfering with the sudo command. You could try commenting some or all of them out, reloading your systemd service, and seeing if that fixes the issue. If it does, you can add them back by halves until you find the culprit.
Yeah, if you're using debs you'll have to wait until a new version is available. There are several other ways to install though depending on your system and preferences.
They're not really interconnected; they're called separately. But just in terms of ordering, the native Apprise hook start is called before `before_backup` and finish after `after_backup`.
You are right! Probably these two options ^^^ are influencing, from man: `NoNewPrivileges=yes` and `RestrictSUIDSGID=yes` prevent any scripts from taking advantage of password-less sudo configurations or capabilities. Note that when running in user mode or in system mode without `User=`, setting `RestrictSUIDSGID=yes` will imply `NoNewPrivileges=yes`.
Thank you for pointing my attention. Actually, the idea is to protect files from accidental changing by borgmatic itself. 🙄
I see
Good to know! Perhaps it is a good idea to add this tip to the documentation?..
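As an added example (not code from this issue or from borgmatic): a small hook helper that runs the app command as `www-data` via sudo, hands that command's exit status back to borgmatic unchanged, and fails early with a clear message when the process already carries the kernel flag that `NoNewPrivileges=yes` sets, since sudo cannot switch user under it. The path `/usr/local/bin/app-maint` and the `PRIVS_STATUS_FILE` override are assumptions; the helper itself is assumed to run as root, as the systemd unit in the thread does.

```sh
#!/bin/sh
# Added example; assumes it is invoked as root from a borgmatic hook.

# Print "ok" if this process may still gain privileges, "no_new_privs" if the
# kernel flag behind systemd's NoNewPrivileges=yes is set (which
# RestrictSUIDSGID=yes implies in a system unit without User=), and "unknown"
# if the status file cannot be read. $1 is the status file to inspect; it
# defaults to /proc/self/status, or PRIVS_STATUS_FILE if that is set (assumed
# override so the check can be exercised without a real unit).
privs_state() {
    file="${1:-${PRIVS_STATUS_FILE:-/proc/self/status}}"
    flag=$(awk '/^NoNewPrivs:/ { print $2 }' "$file" 2>/dev/null)
    case "$flag" in
        0) echo ok ;;
        1) echo no_new_privs ;;
        *) echo unknown ;;
    esac
}

# run_as USER CMD [ARGS...]: run CMD as USER through sudo and return the
# command's own exit status, so borgmatic sees whether the app step failed.
# Returns 126 without calling sudo when no_new_privs is already set.
run_as() {
    user="$1"; shift
    if [ "$(privs_state)" = "no_new_privs" ]; then
        echo "run_as: NoNewPrivs is set; sudo cannot switch to $user here." \
             "Check NoNewPrivileges= / RestrictSUIDSGID= in the unit." >&2
        return 126
    fi
    sudo -u "$user" -- "$@"
}

# Hook entry point (assumed path): e.g. "app_maint on" from before_backup and
# "app_maint off" from after_backup; the app's exit status is passed through.
app_maint() {
    run_as www-data /usr/local/bin/app-maint "$1"
}
```

A hook script that sources this file and ends with `app_maint on` (or `off`) exits with the app command's status, so borgmatic can stop the backup when maintenance mode could not be entered.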
Glad to hear that was it! And yeah, security is always a trade-off with convenience. I don't know why you're setting maintenance mode during backups, but if it's because you're worried about getting a consistence/atomic backup snapshot, you may be able to get that through other means. E.g. if your app is database-backed, it should be possible to get a consistent dump even if your application is running during the backup. And if your app is filesystem-backed, you could look into filesystem snapshots to support backups while the application stays online.
Good idea!
Backup process consumes a lot of resources, so the app is almost not functional. Plus the artifacts produced by the app are also backed up. I have a mix of filesystem and DB backups. Still thinking what may be the best backup solution, so playing with borgmatic :)
Understood. Well I hope it works out for you! Feel free to file tickets for anything else that comes up. I'll close this one for now.