fix(backup): reset HOME when dropping to the backup user in runBackupOp
runBackupOp dropped privileges to $docker_install_user with `sudo -E`,
which preserves the CALLER's environment — including HOME. The caller is
the manager (libreportal), so restic-running-as-dockerinstall ended up
with HOME=/home/libreportal and tried to mkdir
`/home/libreportal/.cache/restic` for its cache. dockerinstall can't
write into libreportal's home, so every backup ran with:
unable to open cache: mkdir /home/libreportal/.cache/restic: permission denied
twice (once in backup, once in the verify-via-scratch-restore step), with
restic falling back to a no-cache run that's a few × slower than it
should be.
Add `-H` (sudo's "reset HOME to target user's home"). Now restic sees
HOME=/home/dockerinstall, creates ~/.cache/restic there (dockerinstall
owns its own home, no help needed), and the warning is gone. Confirmed
live: a `backup app create linkding` round-trip is silent on cache, and
the dir lands at /home/dockerinstall/.cache/restic, mode 0700, correctly
owned.
All restic/borg/kopia calls funnel through runBackupOp, so this single
character fix covers every backup-tool invocation.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
This commit is contained in:
parent
2fc63b154f
commit
18e692ffbb
@ -82,8 +82,13 @@ runInstallWrite() {
|
|||||||
# password and BORG_/RESTIC_/KOPIA_ env vars reach the tool. Never root — the
|
# password and BORG_/RESTIC_/KOPIA_ env vars reach the tool. Never root — the
|
||||||
# scoped sudoers lets the manager drop to this user. Single funnel so the
|
# scoped sudoers lets the manager drop to this user. Single funnel so the
|
||||||
# backup subsystem's privilege drop has one audit point.
|
# backup subsystem's privilege drop has one audit point.
|
||||||
|
# -H resets HOME to the target user's so restic finds (or creates) its cache
|
||||||
|
# under /home/$docker_install_user/.cache/restic instead of inheriting the
|
||||||
|
# manager's HOME (which dockerinstall can't write into, surfacing as
|
||||||
|
# "unable to open cache: mkdir /home/libreportal/.cache/restic: permission denied"
|
||||||
|
# on every backup).
|
||||||
runBackupOp() {
|
runBackupOp() {
|
||||||
sudo -E -u "$docker_install_user" "$@"
|
sudo -E -H -u "$docker_install_user" "$@"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Run one of the ROOT-OWNED LibrePortal helpers installed (root:root 0755) under
|
# Run one of the ROOT-OWNED LibrePortal helpers installed (root:root 0755) under
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user