Unable to run encryption_passcommand as arbitrary user #426

Closed
opened 2021-06-20 18:22:04 +00:00 by talliansaotome · 3 comments

What I'm trying to do and why

I am trying to use the output of a command run as a specific user as the key to the repo

Steps to reproduce (if a bug)

encryption_passcommand: /sbin/runuser rfc -c /usr/bin/bash -c '/usr/bin/gpg --export --armor rfc'

Actual behavior (if a bug)

Jun 20 01:44:11 computer borgmatic[13472]: CRITICAL runuser: cannot set groups: Operation not permitted
passcommand supplied in BORG_PASSCOMMAND failed: Command '['/sbin/runuser', 'rfc', '-c', '/usr/bin/bash', '-c', '/usr/bin/gpg --export --armor rfc']' returned non-zero exit status 1.

Expected behavior (if a bug)

Key pulled from the gpg keystore is used as the passphrase to encrypt backups. Works outside of the unit file.

Other notes / implementation ideas

I am able to get this working with straight borg, and it works when invoking borgmatic from the command line, so the issue appears to be a systemd interaction?

Environment

borgmatic version (borgmatic --version): 1.5.14

borgmatic installation method: openSUSE zypper install

Borg version (borg --version): borg 1.1.16

Python version (python3 --version): Python 3.8.10

Database version (if applicable): [version here] (use psql --version or mysql --version on client and server)

Operating system and version: openSUSE Tumbleweed

systemctl --version:
systemd 246 (246.13+suse.105.g14581e0120)
+PAM +AUDIT +SELINUX -IMA +APPARMOR -SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified

Author

Update: I noticed that there is a subprocess being spawned:

/usr/bin/systemd-tty-ask-password-agent --watch

which only appears to happen when running as a systemd service

Author

Recommended systemd unit file for the service was too restrictive, it looks like; finally managed to get it.

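The "cannot set groups: Operation not permitted" line is setgroups(2) returning EPERM, which happens when the service's capability bounding set lacks CAP_SETGID; runuser also needs CAP_SETUID to switch to the target user. A unit whose CapabilityBoundingSet= only lists what borg itself needs will therefore break any passcommand that switches users, even though the service runs as root and NoNewPrivileges= is not involved. The script below is an added example, not code from the issue or from borgmatic: it parses the CapabilityBoundingSet= lines of a unit file with systemd's merge rules (first positive line starts from the empty set and ORs, a leading "~" inverts and ANDs, an empty value resets) and reports whether CAP_SETUID and CAP_SETGID survive. The three unit files it writes are constructed samples; the assumption that the reporter's unit carried a line like `CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW` is mine, so check your own file.

```shell
#!/bin/sh
# Added example: does a systemd unit's CapabilityBoundingSet= leave the
# capabilities runuser/su need (CAP_SETUID, CAP_SETGID) in the bounding set?

# bounding_set_allows UNIT_FILE CAP_NAME -> exit 0 if the cap is allowed, 1 if not.
# Only [Service] lines are considered; comments (# or ;) are skipped.
bounding_set_allows() {
    awk -v want="$2" '
        # mode "unset": option never seen (full set); "allow": exactly the names
        # in set; "deny": everything except the names in set.
        BEGIN { mode = "unset"; split("", set); section = "" }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { section = $0; next }
        section ~ /^\[Service\]/ && /^[ \t]*CapabilityBoundingSet[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            val = $0
            sub(/[ \t]+$/, "", val)
            negate = (substr(val, 1, 1) == "~")
            if (negate) val = substr(val, 2)
            # "" resets to the empty set, "~" resets to the full set
            if (val ~ /^[ \t]*$/) { mode = negate ? "deny" : "allow"; split("", set); next }
            if (mode == "unset") mode = negate ? "deny" : "allow"
            n = split(val, caps, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                c = toupper(caps[i])
                if (c == "") continue
                # OR with a positive list / AND with a negated list, expressed on the stored set
                if (mode == "deny") { if (negate) set[c] = 1; else delete set[c] }
                else                { if (negate) delete set[c]; else set[c] = 1 }
            }
        }
        END {
            w = toupper(want)
            if (mode == "allow") rc = (w in set) ? 0 : 1
            else                 rc = (w in set) ? 1 : 0
            exit rc
        }
    ' "$1"
}

# Prints the caps runuser needs that the unit does not grant (empty line if none).
missing_caps_for_runuser() {
    missing=""
    for cap in CAP_SETGID CAP_SETUID; do
        bounding_set_allows "$1" "$cap" || missing="$missing $cap"
    done
    printf '%s\n' "${missing# }"
}

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
RESTRICTIVE_UNIT="$WORKDIR/restrictive.service"
RELAXED_UNIT="$WORKDIR/relaxed.service"
DENYLIST_UNIT="$WORKDIR/denylist.service"

# Constructed sample: hardened unit granting only what borg needs (assumed shape).
cat > "$RESTRICTIVE_UNIT" <<'EOF'
[Unit]
Description=borgmatic backup (constructed sample)

[Service]
Type=oneshot
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
ExecStart=/usr/bin/borgmatic --verbosity -1 --syslog-verbosity 1
EOF

# Constructed fix: a second line is merged by OR, so runuser can switch user again.
{ cat "$RESTRICTIVE_UNIT"; echo 'CapabilityBoundingSet=CAP_SETUID CAP_SETGID'; } > "$RELAXED_UNIT"

# Constructed deny-list variant: everything except CAP_SYS_ADMIN.
printf '[Service]\nCapabilityBoundingSet=~CAP_SYS_ADMIN\n' > "$DENYLIST_UNIT"

for unit in "$RESTRICTIVE_UNIT" "$RELAXED_UNIT" "$DENYLIST_UNIT"; do
    printf '%s: missing for runuser: [%s]\n' "${unit##*/}" "$(missing_caps_for_runuser "$unit")"
done
```

Adding just CAP_SETUID and CAP_SETGID keeps the rest of the hardening intact; dropping the CapabilityBoundingSet= line altogether would also fix the symptom but hands the whole root capability set back to borgmatic and every hook it runs.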
Owner

Glad to hear you've got it sorted out now!

Reference: borgmatic-collective/borgmatic#426