mirror of https://github.com/restic/restic.git (synced 2025-10-11 03:12:38 +00:00)

Committed by Michael Eischer
Parent: 71c653f9e0
Commit: f31b4f29c1
@@ -699,3 +699,56 @@ On MSYS2, you can install ``winpty`` as follows:
|
||||
|
||||
$ pacman -S winpty
|
||||
$ winpty restic -r /srv/restic-repo init
|
||||
|
||||
|
||||
Group accessible repositories
|
||||
*****************************
|
||||
|
||||
Since restic version 0.14 local and SFTP repositories can be made
|
||||
accessible to members of a system group. To control this we have to change
|
||||
the group permissions of the top-level ``config`` file and restic will use
|
||||
this as a hint to determine what permissions to apply to newly created
|
||||
files. By default ``restic init`` sets repositories up to be group
|
||||
inaccessible.
|
||||
|
||||
In order to give group members read-only access we simply add the read
|
||||
permission bit to all repository files with ``chmod``:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ chmod -R g+r /srv/restic-repo
|
||||
|
||||
This serves two purposes: 1) it sets the read permission bit on the
|
||||
repository config file triggering restic's logic to create new files as
|
||||
group accessible and 2) it actually allows the group read access to the
|
||||
files.
|
||||
|
||||
.. note:: By default files on Unix systems are created with a user's
|
||||
primary group as defined by the gid (group id) field in
|
||||
``/etc/passwd``. See `passwd(5)
|
||||
<https://manpages.debian.org/latest/passwd/passwd.5.en.html>`_.
|
||||
|
||||
For read-write access things are a bit more complicated. When users other
|
||||
than the repository creator add new files in the repository they will be
|
||||
group-owned by this user's primary group by default, not that of the
|
||||
original repository owner, meaning the original creator wouldn't have
|
||||
access to these files. That's hardly what you'd want.
|
||||
|
||||
To make this work we can employ the help of the ``setgid`` permission bit
|
||||
available on Linux and most other Unix systems. This permission bit makes
|
||||
newly created directories inherit both the group owner (gid) and setgid bit
|
||||
from the parent directory. Setting this bit requires root but since it
|
||||
propagates down to any new directories we only have to do this priviledged
|
||||
setup once:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# find /srv/restic-repo -type d -exec chmod g+s '{}' \;
|
||||
$ chmod -R g+rw /srv/restic-repo
|
||||
|
||||
This sets the ``setgid`` bit on all existing directories in the repository
|
||||
and then grants read/write permissions for group access.
|
||||
|
||||
.. note:: To manage who has access to the repository you can use
|
||||
``usermod`` on Linux systems, to change which group controls
|
||||
repository access ``chgrp -R`` is your friend.
|
||||
|
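Review bot: In the read-only example, ``chmod -R g+r /srv/restic-repo`` adds only the read bit, and on a directory the read bit allows listing names but not opening the files inside; that needs the search (execute) bit. The text says ``restic init`` sets repositories up to be group inaccessible, so if the directories carry no group ``x``, group members still cannot read any file after this command. Suggest ``chmod -R g+rX /srv/restic-repo`` here and ``g+rwX`` in the read-write example, which gives directories group ``x`` without marking data files executable. Two smaller points in the read-write section: "priviledged" should be "privileged", and the second command is shown with a ``$`` prompt directly after a root ``#`` command, so the text should say which user is expected to run it, since only the owner of a file (or root) can change its mode.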