diff --git a/scripts/backup/files/backup_files.sh b/scripts/backup/files/backup_files.sh
index c134507..4a377f9 100644
--- a/scripts/backup/files/backup_files.sh
+++ b/scripts/backup/files/backup_files.sh
@@ -78,6 +78,13 @@ backupFilesCapture()
 mkdir -p "$stage"
 # Read in the container's namespace, write the plain tree to staging.
 if docker exec "$container" tar -C "$cpath" -cf - . 2>/dev/null | tar -xf - -C "$stage" 2>/dev/null; then
+ # The capture preserves the app's ownership (e.g. www-data, 0640),
+ # which the backup user still couldn't read. Hand the staging tree to
+ # the backup user so restic can read it; modes are unchanged, so the
+ # owner can now read everything. Real ownership is reapplied from the
+ # descriptor on restore.
+ chown -R "$docker_install_user":"$docker_install_user" "$stage" 2>/dev/null \
+ || sudo chown -R "$docker_install_user":"$docker_install_user" "$stage" 2>/dev/null
 isSuccessful "captured $subdir ($(du -sh "$stage" 2>/dev/null | cut -f1))"
 else
 isError "capture of $subdir from $container failed"
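Review bot: A failed ownership hand-off goes unnoticed in the added `chown` lines, because both attempts send stderr to `/dev/null` and their exit status is never tested. `isSuccessful "captured …"` is therefore printed even when the staging tree is still unreadable to the backup user, so a later backup could miss files while the capture reports success. I would drop the redirect on the fallback and end it with `|| isError "could not hand $stage to $docker_install_user"`, and also skip the success line in that case; how `backupFilesCapture` signals failure to its caller is outside this hunk. Since the fallback runs as root over a tree whose contents come from the container, passing `-h` explicitly (`sudo chown -R -h …`) would stop it depending on the chown implementation's default symlink handling. The comment's "the owner can now read everything" holds only where the owner bits grant read (and search on directories), which is worth stating there.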