From 3a1cd8464ed8c5e10fa5454650c9fb35ba524b49 Mon Sep 17 00:00:00 2001
From: librelad
Date: Sat, 23 May 2026 18:23:03 +0100
Subject: [PATCH] fix(backup): make captured file staging readable by the backup user
The container capture preserved the app's ownership (e.g. www-data 0640), so restic still hit permission denied on the staging copy. chown the staging tree to the backup user after capture (modes unchanged, so the owner reads fine); real ownership is reapplied from the descriptor on restore.
Co-Authored-By: Claude Opus 4.7
Signed-off-by: librelad
---
 scripts/backup/files/backup_files.sh | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/scripts/backup/files/backup_files.sh b/scripts/backup/files/backup_files.sh
index c134507..4a377f9 100644
--- a/scripts/backup/files/backup_files.sh
+++ b/scripts/backup/files/backup_files.sh
@@ -78,6 +78,13 @@ backupFilesCapture()
 mkdir -p "$stage"
 # Read in the container's namespace, write the plain tree to staging.
 if docker exec "$container" tar -C "$cpath" -cf - . 2>/dev/null | tar -xf - -C "$stage" 2>/dev/null; then
+ # The capture preserves the app's ownership (e.g. www-data, 0640),
+ # which the backup user still couldn't read. Hand the staging tree to
+ # the backup user so restic can read it; modes are unchanged, so the
+ # owner can now read everything. Real ownership is reapplied from the
+ # descriptor on restore.
+ chown -R "$docker_install_user":"$docker_install_user" "$stage" 2>/dev/null \
+ || sudo chown -R "$docker_install_user":"$docker_install_user" "$stage" 2>/dev/null
 isSuccessful "captured $subdir ($(du -sh "$stage" 2>/dev/null | cut -f1))"
 else
 isError "capture of $subdir from $container failed"
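Review bot: The result of the new `chown` / `sudo chown` pair is never checked, and both commands send stderr to /dev/null. When neither succeeds the branch still reports `isSuccessful "captured …"`, and restic later hits the same permission-denied this commit is meant to fix, with nothing in the log pointing at the cause. I would test the pair and report through the existing helper, e.g. `if ! chown -hR "$docker_install_user":"$docker_install_user" "$stage" 2>/dev/null && ! sudo -n chown -hR "$docker_install_user":"$docker_install_user" "$stage"; then isError "could not chown $stage to $docker_install_user"; fi`. `sudo -n` makes an unattended run fail fast instead of waiting on a password prompt. `-h` re-owns symlinks unpacked from the container as links, not their targets; GNU chown already does this under `-R`, but other implementations may not, and the fallback runs as root over a tree whose contents the container controls. backupFilesCapture starts and ends outside this hunk, so whether `$docker_install_user` is guaranteed non-empty at this point is not visible here.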