diff --git a/scripts/docker/command/run_privileged.sh b/scripts/docker/command/run_privileged.sh
index 9f364b2..53d7a80 100644
--- a/scripts/docker/command/run_privileged.sh
+++ b/scripts/docker/command/run_privileged.sh
@@ -82,8 +82,13 @@ runInstallWrite() {
 # password and BORG_/RESTIC_/KOPIA_ env vars reach the tool. Never root — the
 # scoped sudoers lets the manager drop to this user. Single funnel so the
 # backup subsystem's privilege drop has one audit point.
+# -H resets HOME to the target user's so restic finds (or creates) its cache
+# under /home/$docker_install_user/.cache/restic instead of inheriting the
+# manager's HOME (which dockerinstall can't write into, surfacing as
+# "unable to open cache: mkdir /home/libreportal/.cache/restic: permission denied"
+# on every backup).
 runBackupOp() {
- sudo -E -u "$docker_install_user" "$@"
+ sudo -E -H -u "$docker_install_user" "$@"
 }
 # Run one of the ROOT-OWNED LibrePortal helpers installed (root:root 0755) under
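Review bot: `-H` replaces only HOME, while `-E` on the same `sudo` line still forwards the rest of the manager's environment, so if `XDG_CACHE_HOME` is set there restic would presumably still resolve its cache under the manager's directory and hit the same permission error. The manager's environment is not visible from this hunk, so this needs confirming; if the variable can be set, clear it before the call, e.g. `( unset XDG_CACHE_HOME; sudo -E -H -u "$docker_install_user" "$@" )`. The added comment also hard-codes `/home/$docker_install_user`, whereas `-H` uses the home directory from the target user's passwd entry, so I would word it as `# -H sets HOME to the target user's passwd home directory`. Because this function is described as the single audit point for the privilege drop, naming the needed variables with `--preserve-env=` rather than a blanket `-E` would keep unrelated manager variables out of the backup tool. The comment block this hunk extends begins above the hunk.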