From 537d107b6c2d6bd9f9ab58350af2baf0cdf0fd2c Mon Sep 17 00:00:00 2001 From: Michael Eischer Date: Sat, 6 Sep 2025 19:15:03 +0200 Subject: [PATCH] docs: use absolute permissions for group accessible repositories --- doc/030_preparing_a_new_repo.rst | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/doc/030_preparing_a_new_repo.rst b/doc/030_preparing_a_new_repo.rst index 6adfe63b2..67e478718 100644 --- a/doc/030_preparing_a_new_repo.rst +++ b/doc/030_preparing_a_new_repo.rst @@ -798,12 +798,13 @@ permission bit to all repository files with ``chmod``: .. code-block:: console - $ chmod -R g+rX /srv/restic-repo + $ find /srv/restic-repo -type f -exec chmod 440 '{}' \; + $ find /srv/restic-repo -type d -exec chmod 750 '{}' \; This serves two purposes: 1) it sets the read permission bit on the repository config file triggering restic's logic to create new files as group accessible and 2) it actually allows the group read access to the -files. +files and directories. .. note:: By default files on Unix systems are created with a user's primary group as defined by the gid (group id) field in 
@@ -818,15 +819,15 @@ access to these files. That's hardly what you'd want. To make this work we can employ the help of the ``setgid`` permission bit available on Linux and most other Unix systems. This permission bit makes -newly created directories inherit both the group owner (gid) and setgid bit -from the parent directory. Setting this bit requires root but since it -propagates down to any new directories we only have to do this privileged -setup once: +newly created directories or files inherit both the group owner (gid) and +setgid bit (only for directories) from the parent directory. Setting this +bit requires root but since it propagates down to any new directories we +only have to do this privileged setup once: .. code-block:: console - $ chmod -R g+rX /srv/restic-repo - $ find /srv/restic-repo -type d -exec chmod g+sw '{}' \; + $ find /srv/restic-repo -type f -exec chmod 440 '{}' \; + $ find /srv/restic-repo -type d -exec chmod 2770 '{}' \; This sets the ``setgid`` bit on all existing directories in the repository and then grants read/write permissions for group access.
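Review bot: In the first hunk (@@ -798,12 +798,13), the unchanged lead-in still describes adding a "permission bit to all repository files with ``chmod``", but `chmod 440` and `chmod 750` are absolute modes. Unlike the old `g+rX`, they also rewrite the owner and other bits: files lose the owner write bit and anything previously granted to others is removed. The "This serves two purposes" paragraph should say that the modes are replaced rather than extended, so someone running this on an existing repository knows what changes. Minor: `-exec chmod 440 '{}' +` batches paths into far fewer chmod invocations than `\;`, which is noticeable on a repository with many files.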
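Review bot: In the second hunk (@@ -818,15 +819,15), the unchanged trailing sentence "This sets the ``setgid`` bit on all existing directories in the repository and then grants read/write permissions for group access" no longer matches the commands. `chmod 2770` now sets setgid and group rwx on directories in a single step, while files get `440`, which is group read only. Please update that sentence to describe the resulting modes and state explicitly that group write is granted on directories only. The reworded sentence "inherit both the group owner (gid) and setgid bit (only for directories)" is also hard to parse; splitting it would help, for example: new files and directories inherit the group owner, and new directories additionally inherit the setgid bit.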