Snapshots do not have ACL applied #737
Comments
@tblancher I seem to hit this issue as well. Did you solve it maybe?
@stefangweichinger Unfortunately I did not. It's been nearly two years, so I had forgotten about this issue. I'm just running my Borg Backup on the client system as root, so it can read all of the snapshot and its contents. IIRC I was trying to do this to avoid running the Borg client as root, but getting it to read everything I wanted to back up became the challenge I could not overcome. I think I ultimately gave up when my non-root Out of curiosity, I'd still like to see if this is a limitation of snapper itself, or of the underlying Btrfs filesystem (or Linux VFS under that).
I do not see a reason for the individual snapshots to have ACLs applied. /.snapshots needs it since it is not world readable, but the individual snapshots and directories are. And there are of course still permissions for the individual directories and files of snapshots. And some files are not world readable for a good reason (e.g. private ssh keys). So the idea to make backups as non-root looks unfeasible.
I'm running snapper 0.10.2-2 on Arch Linux, on kernel 5.18.10, with CONFIG_BTRFS_FS_POSIX_ACL=y compiled into the kernel (Btrfs defaults to `acl` on when configured in the kernel). I have ALLOW_USERS and ALLOW_GROUPS set to my "backup" user and group, along with SYNC_ACL set to "yes" in my home snapper config.

/home/.snapshots definitely has the proper ACL applied:
However, none of the snapshots do, as seen in `ls -alh /home/.snapshots`:

Note no `+` indicating a POSIX ACL is applied to any of these subdirectories/subvolumes. This makes it difficult for the backup user to read and back up these snapshots (using Borg Backup, but the backup software for this particular problem is irrelevant). In my Borg logs I see several permission denied messages for various files in these snapshots. I do notice that snapper does not apply a default ACL to /home/.snapshots, which may be the root of the problem.

What I expect is for the read/execute bits to be allowed for the "backup" user, so I don't need to apply special ACLs to the /home subvolume, irrespective of /home/.snapshots. Is this a limitation of snapper, or the underlying Btrfs implementation?
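The behaviour discussed in this thread (the ACL on /home/.snapshots opens only that directory, while every file inside a snapshot is still checked against its own owner, group and other bits) can be traced with the access-check order from acl(5). This is an added example, not part of the original issue and not snapper's code; the getfacl-style listings, the user "alice" and the key path are constructed for illustration.

```python
# Added example (constructed samples): POSIX ACL access check in acl(5) order.
SAMPLES = {
    "/home/.snapshots": """# owner: root
# group: root
user::rwx
user:backup:r-x
group::r-x
group:backup:r-x
mask::r-x
other::---""",
    "/home/.snapshots/1": """# owner: root
# group: root
user::rwx
group::r-x
other::r-x""",
    "/home/.snapshots/1/snapshot/alice/.ssh/id_ed25519": """# owner: alice
# group: alice
user::rw-
group::---
other::---""",
}

def parse(text):
    meta, entries = {}, []
    for line in text.splitlines():
        if line.startswith("# "):                  # header: "# owner: root"
            key, _, val = line[2:].partition(": ")
            meta[key] = val
        elif line.strip():                         # entry: "tag:name:perms"
            tag, name, perms = line.split(":")[:3]
            entries.append((tag, name, set(perms[:3]) - {"-"}))
    return meta, entries

def allowed(text, user, groups, want):
    """True if `user`, a member of `groups`, is granted every bit in `want`."""
    meta, entries = parse(text)
    want = set(want)
    get = lambda tag, name="": next((p for t, n, p in entries if (t, n) == (tag, name)), None)
    mask = get("mask")
    masked = lambda p: p if mask is None else p & mask
    if user == meta["owner"]:                      # 1. owner entry, never masked
        return want <= get("user")
    if get("user", user) is not None:              # 2. named user entry, masked
        return want <= masked(get("user", user))
    matching = [masked(p) for t, n, p in entries   # 3. owning or named groups, masked
                if t == "group" and (n or meta["group"]) in groups]
    if matching:
        return any(want <= p for p in matching)
    return want <= get("other")                    # 4. everyone else
```

With these samples the "backup" user passes the check on /home/.snapshots through its named ACL entry and on the snapshot directory through the "other" bits, but is refused on the 0600 private key, which matches the permission-denied messages described in the report.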