Snapshots do not have ACL applied

[tblancher]

I'm running snapper 0.10.2-2 on Arch Linux, on kernel 5.18.10, with CONFIG_BTRFS_FS_POSIX_ACL=y compiled into the kernel (Btrfs defaults to acl on when configured in the kernel). I have ALLOW_USERS and ALLOW_GROUPS set to my "backup" user and group, along with SYNC_ACL set to "yes" in my home snapper config.

/home/.snapshots definitely has the proper ACL applied:

getfacl: Removing leading '/' from absolute path names
# file: home/.snapshots
# owner: root
# group: root
user::rwx
user:backup:r-x
group::r-x
group:backup:r-x
mask::r-x
other::r-x

However, none of the snapshots do, as seen in ls -alh /home/.snapshots:

drwxr-xr-x+ 1 root root 220 Jul 16 15:01 ./
drwxr-xr-x+ 1 root root  40 Jul  2 07:49 ../
drwxr-xr-x  1 root root  32 Jan  1  2022 16437/
drwxr-xr-x  1 root root  32 Jul  1 00:00 24706/
drwxr-xr-x  1 root root  32 Jul  4 00:00 24849/
drwxr-xr-x  1 root root  32 Jul 10 00:00 25135/
drwxr-xr-x  1 root root  32 Jul 11 00:00 25182/
drwxr-xr-x  1 root root  32 Jul 12 10:10 25212/
drwxr-xr-x  1 root root  32 Jul 13 00:00 25238/
drwxr-xr-x  1 root root  32 Jul 14 00:00 25284/
drwxr-xr-x  1 root root  32 Jul 15 00:00 25331/
drwxr-xr-x  1 root root  32 Jul 16 00:00 25378/
drwxr-xr-x  1 root root  32 Jul 16 07:00 25391/
drwxr-xr-x  1 root root  32 Jul 16 08:00 25393/
drwxr-xr-x  1 root root  32 Jul 16 09:00 25395/
drwxr-xr-x  1 root root  32 Jul 16 10:00 25397/
drwxr-xr-x  1 root root  32 Jul 16 11:00 25399/
drwxr-xr-x  1 root root  32 Jul 16 12:00 25401/
drwxr-xr-x  1 root root  32 Jul 16 13:00 25402/
drwxr-xr-x  1 root root  32 Jul 16 13:01 25403/
drwxr-xr-x  1 root root  32 Jul 16 14:00 25404/
drwxr-xr-x  1 root root  32 Jul 16 14:01 25405/
drwxr-xr-x  1 root root  32 Jul 16 15:00 25406/
drwxr-xr-x  1 root root  32 Jul 16 15:01 25407/

Note no + indicating a POSIX ACL is applied to any of these subdirectories/subvolumes. This makes it difficult for the backup user to read and backup these snapshots (using Borg Backup, but the backup software for this particular problem is irrelevant). In my Borg logs I see several permission denied messages for various files in these snapshots. I do notice that snapper does not apply a default ACL to /home/.snapshots, which may be the root of the problem.

What I expect is for the read/execute bits to be allowed for the "backup" user, so I don't need to apply special ACLs to the /home subvolume, irrespective of /home/.snapshots. Is this a limitation of snapper, or the underlying Btrfs implementation?

[stefangweichinger]

@tblancher I seem to hit this issue as well. Did you solve it maybe?

[tblancher]

@stefangweichinger Unfortunately I did not. It's been nearly two years, so I had forgotten about this issue. I'm just running my Borg Backup on the client system as root, so it can read all of the snapshot and its contents.

IIRC I was trying to do this to avoid running the Borg client as root, but getting it to read everything I wanted to back up became the challenge I could not overcome. I think I ultimately gave up when my non-root backup user couldn't read the SSH host keys, and trying to set the ACL so this user could read them caused sshd to refuse to start.

Out of curiosity, I'd still like to see if this is a limitation of snapper itself, or of the underlying Btrfs filesystem (or Linux VFS under that).

[aschnell]

I do not see a reason for the individual snapshots to have ACLs applied. /.snapshots needs it since it is not world readable, but the individual snapshots and directories are.

And there are of course still permissions for the individual directories and files of snapshots. And some file are not world readable for a good reason (e.g. private ssh keys). So the idea to make backups as non-root looks unfeasible.