Backup question, root as owner of backup file

Hello,

Automatic backup and manual backup with management/backup.py are run as root.
All backup files in home/user-data/backup belong to root:root.

My box, for ssh, has root login not permitted, and only login with the ssh key of the user.

So, when I do a
rsync -az -e ssh box.hostname.xx:/home/user-data/backup /data/backup/MailIaBox/

I get permission denied error.

How do I solve that?
Can I change the owner of the backup files without any issue?
Thank you

What are the permissions of each directory /home/user-data/, /home/user-data/backup/, and /home/user-data/backup/encrypted/?

drwxr-xr-x 9 user-data user-data 4096 Aug 21 2019 user-data
drwxr-xr-x 4 root root 4096 Aug 21 2019 backup
drwxr-xr-x 2 user-data root 20480 Mar 13 15:12 encrypted

If you plan to run this manually, use your normal ssh user to sync with /home/user-data/backup/encrypted/. That directory contains the encrypted backup files, which are an incremental backup run every night by MiaB.

The private encryption key is stored in /home/user-data/backup/secret_key.txt, which should be downloaded and stored in a very safe place.

If you plan to set up a job to automatically sync, I recommend creating another MiaB user that is not in the sudo group and have that user download the backups.

I agree, but I need to change the group of /home/user-data/backup/encrypted/ to user-data.

If it stays in the root group, I cannot rsync to it and get a permission error.

So my question is, can I safely chown -R user-data:userdata encrypted?

You can read the files just fine as the entire directory tree has r-x for all users, so that means you can copy them to your backup device, which is all that is required in most backup situations, which as best I can tell should work for your above description.

If rsync is trying to write to the directory, then I’m very unclear on what you are trying to accomplish or on what your question is.

From my home computer, I want to back up my Mail-in-a-Box server.

So, from my home computer I do
rsync -az box.hostname.xx:/home/user-data/backup/encrypted .

I get a permission error.
It seems to be because the files inside the encrypted folder are -rw-------
encrypted$ ls -alrt
total 129744
-rw------- 1 user-data root 127045766 Mar 5 03:19 duplicity-full.20210305T021905Z.vol1.difftar.gpg
-rw------- 1 user-data root 5443192 Mar 5 03:19 duplicity-full-signatures.20210305T021905Z.sigtar.gpg
-rw------- 1 user-data root 230 Mar 5 03:19 duplicity-full.20210305T021905Z.manifest.gpg

If I change the files to permission 644 instead of 600,
I get the rsync to work…
But is that the right solution?
What if new files are created?

So I just tried, and new files are indeed created with 600 permission, meaning rsync cannot read them…

What is the solution?
How do you get your backup files with rsync?

OK… I solved my issue:

  1. edit /etc/mailinabox.conf and change to :
    STORAGE_USER=feydreva
    STORAGE_ROOT=/home/feydreva/mailinabox-backup
  2. create /home/feydreva/mailinabox-backup/backup/
  3. move secret-key.txt to /home/feydreva/mailinabox-backup/
  4. sudo mailinabox/management/backup.py

Now all files are created by user feydreva.

Now on my PC, I can do
rsync -az box.hostname.xx:/home/feydreva/mailinabox-backup/backup/encrypted /mnt/data/backup/mailinabox/
without any error, and without permission error.

Thank you,
hope it helps others too

Have you tested this configuration for running the MiaB nightly backups? Because that file is referenced in many places.

I cannot explain why there is a difference, but my encrypted files are all 644, so I can have a different user access the files for rsync.

I vaguely recall I did make some very minor change when I configured the backups years ago. You might try just chmod 644 and the nightly MiaB backups maybe just write new files with same permissions as the previous files.

I guess not yet… I will have to wait until tonight?

If you know a better way to get the backup out of the mailinbox vps, let me know :slight_smile:
I'm just trying to find a “good” solution.

ok :slight_smile:

So I found a better solution.

I left the /etc/mailinabox.conf unchanged, as it was by default (because it messed up things).

To get your files from /home/user-data/backup/encrypted that are root:root with 600 permission you need to rsync as root, but with no root access it is problematic.

There is a way!
rsync -avz -e "ssh" --rsync-path="sudo rsync" box.hostname.xx:/home/user-data/backup/encrypted /data/backup/MailInabox/.

You need your rsync user (feydreva in my case, on my PC and on the remote VPS) to be able to run rsync without a password.
For that:

$ sudo visudo

At the end of the file:

feydreva ALL= NOPASSWD:/usr/bin/rsync

This allows the user to run sudo rsync without a password.

This way, I can back up my remote backup files to my local machine without any error.

The user can sudo and do anything else to the server, so this is not a good solution. Did you try the one I suggested of changing the file permissions? I haven’t done any of your suggested solutions and my backup completes every night for years now.

The backup completes every night on the VPS, I have no issue with that.
I want the files out of the server once in a while. I will set up a crontab on my home computer that gets them.

I tried changing the file permission, but new files are created with 600 and not 644 :confused:

The user can only do sudo rsync with no password. All other sudo commands will ask for a password.
The user has to have the ssh key to log in. I have disabled other forms of login to the server.
So I am not worried about security here.

rsync -azP -e 'ssh -p xxxxx' --delete user-data@xxx.xxx.xxx.xxx:/home/user-data/backup/encrypted /home/user/backupdir

I run this as a daily cron job from the server I want the backup stored on. I use a custom SSH port and the box’s IP address rather than the hostname. YMMV.

So the user can sudo rsync /home/user-data/backup/secret_key.txt, correct?
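
An added example, not part of any post in this thread and not Mail-in-a-Box code: a small sudoers audit that flags passwordless grants whose arguments are not pinned, which is the property behind the question above, since sudoers matches a command listed without arguments against any arguments. The sample file is constructed; `backupuser` and `ops` are hypothetical users and the pinned `--server` argument string is illustrative only.

```python
import re

# Constructed sample. Line 3 is the rule posted in this thread; "backupuser" and
# "ops" are hypothetical, and the pinned --server argument string is illustrative
# only (the real one depends on the rsync version and client options).
SAMPLE_SUDOERS = """\
# constructed sudoers sample
Defaults env_reset
feydreva ALL= NOPASSWD:/usr/bin/rsync
backupuser ALL=(root) NOPASSWD: /usr/bin/rsync --server --sender -logDtprze.iLsfxC . /home/user-data/backup/encrypted
admin ALL=(ALL:ALL) ALL
ops ALL=(ALL) NOPASSWD: ALL
"""

RULE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG = re.compile(r"([A-Z_]+)\s*:\s*")  # NOPASSWD:, PASSWD:, NOEXEC:, ...

def audit_sudoers(text):
    """Return (line_no, user, command, issue) for each risky NOPASSWD grant."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        m = RULE.match(line)
        if not m:
            continue
        user, _host, _runas, cmds = m.groups()
        nopasswd = False  # a tag stays in effect for later commands in the list
        for spec in re.split(r"(?<!\\),", cmds):
            spec = spec.strip()
            tag = TAG.match(spec)
            while tag:
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                spec = spec[tag.end():]
                tag = TAG.match(spec)
            if not nopasswd or not spec:
                continue
            command, _, args = spec.partition(" ")
            if command == "ALL":
                findings.append((line_no, user, command, "any command, no password"))
            elif not args.strip():
                # sudoers: a command listed without arguments matches ANY arguments
                findings.append((line_no, user, command, "any arguments, no password"))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```
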

That is similar to what I run. Are the file permissions of the backup files 644? Because that is what mine are, but I don’t recall whether I changed anything from default MiaB install to achieve that.

Nope they are 0600 on the MiaB server.

Okay, so somehow I configured mine to be 644, but I can’t figure out what I changed.