Unable to run encryption_passcommand as arbitrary user #426
Reference: borgmatic-collective/borgmatic#426
What I'm trying to do and why
I am trying to use the output of a command run as a specific user as the key to the repo
Steps to reproduce (if a bug)
Actual behavior (if a bug)
Jun 20 01:44:11 computer borgmatic[13472]: CRITICAL runuser: cannot set groups: Operation not permitted
passcommand supplied in BORG_PASSCOMMAND failed: Command '['/sbin/runuser', 'rfc', '-c', '/usr/bin/bash', '-c', '/usr/bin/gpg --export --armor rfc']' returned non-zero exit status 1.
Expected behavior (if a bug)
The key pulled from the gpg keystore is used as the passphrase to encrypt backups. This works outside of the unit file.
Other notes / implementation ideas
I am able to get this working with straight borg, and it works when invoking borgmatic from the command line, so the issue appears to be a systemd interaction?
Environment
borgmatic version (borgmatic --version): 1.5.14
borgmatic installation method: openSUSE zypper install
Borg version (borg --version): borg 1.1.16
Python version (python3 --version): Python 3.8.10
Database version (if applicable): [version here]
Operating system and version: openSUSE Tumbleweed
systemd version (systemctl --version): systemd 246 (246.13+suse.105.g14581e0120)
+PAM +AUDIT +SELINUX -IMA +APPARMOR -SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified
Update: I noticed that there is a subprocess being spawned:
/usr/bin/systemd-tty-ask-password-agent --watch
which only appears to happen when running as a systemd service.
The recommended systemd unit file for the service was too restrictive, it looks like. Finally managed to get it working.
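Added example, not part of this issue or of the borgmatic project: a way to confirm this diagnosis from inside the unit before blaming borgmatic or gpg. runuser (like su) calls setgroups(2), setgid(2) and setuid(2) to switch to the target user, and those need CAP_SETGID and CAP_SETUID in the process's effective capability set; "runuser: cannot set groups: Operation not permitted" is what setgroups returns when CAP_SETGID is missing. The script reads the CapEff mask from /proc/self/status and refuses to call runuser when the caps are absent, so the journal shows the real cause. The assumption that the unit drops those two capabilities (for instance through a CapabilityBoundingSet= line) is mine; the thread only says the unit was "too restrictive". The /proc/self/status excerpts below are constructed, not captured from the reporter's host, and the user name rfc and the gpg invocation are taken from the error message above.

```shell
#!/bin/sh
# Added example (not borgmatic project code). Check whether runuser can switch
# user inside the current process context, then run the passcommand.

# Capability bit numbers from <linux/capability.h>.
CAP_DAC_READ_SEARCH=2
CAP_SETGID=6
CAP_SETUID=7

# cap_eff_from_status STATUS_TEXT -> prints the hex CapEff mask
cap_eff_from_status() {
    printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }'
}

# has_cap HEXMASK BIT -> exit status 0 if that capability bit is set
has_cap() {
    mask=$(( 0x$1 ))
    bit=$2
    [ $(( (mask >> bit) & 1 )) -eq 1 ]
}

# runuser_would_work HEXMASK -> 0 only if both CAP_SETGID and CAP_SETUID are set
runuser_would_work() {
    has_cap "$1" "$CAP_SETGID" && has_cap "$1" "$CAP_SETUID"
}

# Constructed sample excerpts of /proc/self/status (not real captures).
# FULL_STATUS: root with the whole capability set, as on an interactive shell.
# RESTRICTED_STATUS: root under a unit that keeps only CAP_DAC_READ_SEARCH
# (bit 2) and CAP_NET_RAW (bit 13) -> mask 0x2004. Assumed, not from the issue.
FULL_STATUS='Name: borgmatic
CapEff: 000001ffffffffff'
RESTRICTED_STATUS='Name: borgmatic
CapEff: 0000000000002004'

# Passcommand wrapper for BORG_PASSCOMMAND: fail loudly with the real reason
# instead of letting runuser die with a generic "Operation not permitted".
passcommand() {
    mask=$(cap_eff_from_status "$(cat /proc/self/status)")
    if ! runuser_would_work "$mask"; then
        echo "passcommand: CapEff=$mask lacks CAP_SETUID/CAP_SETGID; runuser cannot switch to rfc" >&2
        return 1
    fi
    exec /sbin/runuser rfc -c '/usr/bin/gpg --export --armor rfc'
}

# When invoked directly (not sourced), act as the passcommand.
[ "${0##*/}" = "passcommand.sh" ] && passcommand
```

Point BORG_PASSCOMMAND (or borgmatic's encryption_passcommand) at this script; under the restrictive unit the journal then carries the capability mask rather than only runuser's message, and once the unit grants CAP_SETUID and CAP_SETGID the wrapper execs the same runuser command the issue used. The passcommand function is Linux-only because it reads /proc/self/status.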
Glad to hear you've got it sorted out now!