... | @@ -28,21 +28,44 @@ Note: all system paths and parameters in this HOWTO are fictional. |
... | @@ -28,21 +28,44 @@ Note: all system paths and parameters in this HOWTO are fictional. |
|
To securely copy the public key, we shall enable password authentication at remote's server file */etc/ssh/sshd_config*, and disable it after having copied the public key.
|
|
To securely copy the public key, we shall enable password authentication at remote's server file */etc/ssh/sshd_config*, and disable it after having copied the public key.
|
|
|
|
|
|
`$ ssh-copy-id -i ~/.ssh/other_key.pub user@remote-host`
|
|
`$ ssh-copy-id -i ~/.ssh/other_key.pub user@remote-host`
|
|
|
|
|
|
https://www.simplified.guide/ssh/copy-public-key
|
|
https://www.simplified.guide/ssh/copy-public-key
|
|
|
|
|
|
**2. How to run the backup command without root privilege**
|
|
**2. How to run the backup command without root privilege?**
|
|
|
|
|
|
The idea is to execute the restic binary with a backup user, aka execute a binary meant for root without being root.
|
|
The idea is to execute the restic binary with a backup user, aka execute a binary meant for root without being root.
|
|
As root we add a new user
|
|
As root we add a new user
|
|
|
|
|
|
`# useradd backupuser`
|
|
`# useradd backupuser`
|
|
|
|
|
|
*creates the new user and a group with the same name*
|
|
*creates the new user and a group with the same name*
|
|
|
|
|
|
`# chown root:backupuser /usr/bin/restic`
|
|
`# chown root:backupuser /usr/bin/restic`
|
|
|
|
|
|
*makes user root and group backupuser owners of the restic binary*
|
|
*makes user root and group backupuser owners of the restic binary*
|
|
|
|
|
|
`# chmod 750 /usr/bin/restic`
|
|
`# chmod 750 /usr/bin/restic`
|
|
|
|
|
|
*user root has now read, write, execute permissions, and users in backupuser group can execute and read the restic binary*
|
|
*user root has now read, write, execute permissions, and users in backupuser group can execute and read the restic binary*
|
|
|
|
|
|
`# setcap cap_dac_read_search=+ep ~backupuser/bin/restic`
|
|
`# setcap cap_dac_read_search=+ep ~backupuser/bin/restic`
|
|
*assigns capabilities to backup the whole system*
|
|
|
|
|
|
*extends the capabilities of backupuser to backup the whole system*
|
|
|
|
|
|
Ref: https://restic.readthedocs.io/en/stable/080_examples.html#backing-up-your-system-without-running-restic-as-root
|
|
Ref: https://restic.readthedocs.io/en/stable/080_examples.html#backing-up-your-system-without-running-restic-as-root
|
|
|
|
|
|
|
|
**3. How to run specific root commands by a non root user?**
|
|
|
|
*Note: we need that for stopping, checking status and starting of the lxc containers.
|
|
|
|
Best practice is to run our LXC containers rootless. This requires a different configuration of the containers' network setup, see details at
|
|
|
|
https://www.cyberciti.biz/faq/how-to-create-unprivileged-linux-containers-on-ubuntu-linux/*
|
|
|
|
|
|
|
|
Here we will give the backupuser restricted root privilege for the specific lxc commands we need to run during the backup process.
|
|
|
|
|
|
|
|
Give the backup user the access for specific commands to be executed as 'root'.
|
|
|
|
Add these commands in a new file under /etc/sudoers.d/
|
|
|
|
|
|
|
|
`vi /etc/sudoers.d/00-backupuser`
|
|
|
|
`bintibackup ALL=(ALL) NOPASSWD: /usr/bin/lxc-stop, /usr/bin/lxc-start, /usr/bin/lxc-info, /usr/bin/lxc-ls`
|
|
|
|
|
|
|
|
*https://www.cyberciti.biz/faq/linux-unix-running-sudo-command-without-a-password/*
|
|
|
|
|