ensure read permission for backup user on complete $HOME (chkstat replacement for ACLs, maybe?)

I am looking for a solution to ensure read permission on a complete multi-user /home file-system for a non-root backup user (with or without remote login).

I thought about

  • chkstat, however it cannot apply ACLs
  • a chroot environment with, e.g., a read-only bind mount of /home (could be difficult to set-up)
  • bind read-only mount with modified permissions (overlayfs?)

Maybe I am just overlooking something really simple. What practical solutions should I be aware of for the above scenario?

Kind regards,

Alex

For me this sounds like doing away with the Unix/Linux security based on file ownership and permissions.
As of old, breaking through the permissions not allowed by a user for her/his file is the prerogative of the superuser (root).
As a user I would feel threatened if I knew that these rules were broken and some other “normal” user had read access to my files even if I had blocked that.

It seems my question has not been clear enough.

=> The purpose is to have a less-than-root system user perform the backup with a minimum of permissions.

Other OS have solutions, and before I give up, I’d like to hear how high I have to jump to get this going.

Kind regards,

Alex.

Run backup program as root, use system call filter/apparmor/SElinux/systemd hardening to restrict what it can do.

systemd offers various options like ProtectSystem, ProtectHome, ReadOnlyPaths etc.

Example of (incomplete) apparmor profile

profile my-backup {
    # directories below /home: readable and traversable
    /home/**/ rx,
    # files below /home (any path not ending in "/"): read only
    /home/**[^/] r,
}

will only allow read access below /home and nothing else. Of course you will need to add access to other locations your program needs (starting probably with access to the program binary itself).

You can use the AppArmorProfile directive in a systemd service definition.

I did not think of AppArmor in particular, but of course this goes in the SELinux, etc. direction, which seems possible, thanks.

My issue with this type of solution is that it feels somewhat like abusing a security measure for a functional purpose. (And it is available only on certain distributions.)

The most direct solution would be an ACL applied for backup purposes, however there seems no way to keep users from deleting such an ACL. The most direct solution would be to run setfacl twice as root just before backup (-R -m and -R -m -d). Ugly as it seems, this may be the simplest solution, besides reverting to run everything as root, again.

Any more suggestions?
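The two ideas raised so far (systemd hardening plus an AppArmor profile, and re-running setfacl as root right before each backup) can be combined in one service unit. The unit below is an added example written for this thread, not something posted by any participant; it assumes a system user named backup, a destination directory /srv/backup owned by that user, a hypothetical unit name home-backup.service, and the my-backup AppArmor profile from above, extended with rules for the rsync binary and the destination, which the profile as posted does not yet allow.

```ini
# /etc/systemd/system/home-backup.service  (hypothetical unit name)
# Assumed, not from the thread: system user "backup", destination /srv/backup,
# and an AppArmor profile "my-backup" that also permits rsync and /srv/backup.
[Unit]
Description=Back up /home as the unprivileged "backup" user
After=local-fs.target

[Service]
Type=oneshot
User=backup
Group=backup

# Root-only preparation: the leading "+" makes systemd (231 or newer) run this
# ExecStartPre= with full privileges even though User= is set. Re-applying
# the ACLs immediately before every run is what defeats a user who removed
# them again with "setfacl -b".
# Pass 1: access ACL on everything that exists now. "rX" grants read, and
# execute (search) only on directories, so nothing becomes executable.
ExecStartPre=+/usr/bin/setfacl -R -m u:backup:rX /home
# Pass 2: default ACL on the directories, so files created later get an entry.
ExecStartPre=+/usr/bin/setfacl -R -d -m u:backup:rX /home

# The copy itself runs without privileges. Ownership cannot be preserved by a
# non-root user, so it is switched off explicitly instead of producing errors.
ExecStart=/usr/bin/rsync -a --no-owner --no-group --delete --exclude '**/.cache/' /home/ /srv/backup/

# Hardening mentioned in the thread: the whole filesystem is read-only for
# the service except the destination, and /home is read-only twice over.
ProtectSystem=strict
ProtectHome=read-only
ReadOnlyPaths=/home
ReadWritePaths=/srv/backup
NoNewPrivileges=yes
PrivateTmp=yes
# Confine the process with the AppArmor profile discussed above.
AppArmorProfile=my-backup
```

Start it from a timer or with `systemctl start home-backup.service`. One caveat explains why both setfacl passes are needed before every run rather than once: a file's ACL mask is derived from the group bits of the mode it was created with, so a file a user creates with mode 0600 inherits the default entry for backup but with an effective permission of nothing. The recursive -m pass recalculates the mask on existing files, which restores read access for that run; it does not stop the user from removing the entry again afterwards, which is exactly the limitation already noted in this thread.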

I may (probably have) misinterpreted your aim…

I have a multi user system where backup of the entire directory structure below /home is achieved for a non root privilege user simply by using rsync as such:

sudo rsync -hauv --stats --exclude '**/.cache/' --exclude '**/.thumbnails/' /home/ /<your destination>

obviously adjust the rsync options as needed, and use a simple script to execute the command.

I suppose strictly it’s not a true “backup” per se, but has served me well for many a year…

This falls under the category of “reverting to do everything as root”, as the rsync runs as root. It is one of the simple solutions. :wink:

OK… I clearly misinterpreted your meaning of “non-root backup user” - you don’t want your backup user to have elevated privileges under any circumstances. My mistake, I apologise.

Hopefully you will find a satisfactory solution that is not too overly complicated to implement.

No apologies necessary. After searching the net for quite some time I am reverting to ask this here, and I am glad for any reply which may point in a new direction. :slight_smile: