Which user is reading files on client for backup

[74cmonty]

Hello!

The files on the client that are identified for backup have restricted permissions 640 and have a specific owner/group.

When I run a backup I get this error:
ERR=Permission denied.

The error message is clear, and the root cause is that the Bareos user accessing the files on the client has insufficient permissions.

Question:
Which user is reading files on client for backup?

I've tried to add user 'bareos' to the group w/o success.

THX

[Bruno Friedmann]

By default the bareos-fd user is root.
It's means two things, the bareos-fd on your installation is not using root
otherwise some special attributes have been set on those files.

ps auxw | grep bareos-fd should show you root
systemctl show bareos-fd.service should show it too (if used on decent modern
distribution)

Notice as you didn't precise it, under windows it use the system service
account. Some users (terrible under windows) remove everybody, even for system
account the right to read their file. Then you have to start training lesson
to explain to user, if you don't let the system account read your file for
backup then you have no backup :-)


--

Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
Bareos Partner, openSUSE Member, fsfe fellowship
GPG KEY : D5C9B751C4653227
irc: tigerfoot

openSUSE Tumbleweed
Linux 4.8.12-1-default x86_64 GNU/Linux, nvidia: 375.20
Qt: 5.7.0, KDE Frameworks: 5.28.0, Plasma: 5.8.4, kmail2 5.3.3 (QtWebEngine)

[74cmonty]

Indeed the user account for service bareos-fd is root:
ps auxw | grep bar
root 38459 0.2 0.0 170624 2988 ? Ssl Dec02 20:48 /usr/sbin/bareos-fd
bareos 79101 0.1 0.0 90000 3200 ? Ssl Nov28 26:16 /usr/sbin/bareos-sd

The OS is SLES11SP4; files on client to backup are:
ll /Backup_NewDB_BS4/data/
total 198928404
-rw-r----- 1 bs4adm sapsys 155648 Dec 7 14:42 backup_BS4_bareos-schedule-20161207_144219_databackup_0_1
-rw-r----- 1 bs4adm sapsys 100671488 Dec 7 14:42 backup_BS4_bareos-schedule-20161207_144219_databackup_1_1
-rw-r----- 1 bs4adm sapsys 83894272 Dec 7 14:42 backup_BS4_bareos-schedule-20161207_144219_databackup_2_1
-rw-r----- 1 bs4adm sapsys 202719109120 Dec 7 15:12 backup_BS4_bareos-schedule-20161207_144219_databackup_3_1

Do you see any solution to backup these files other then modifying the permissions (chmod o+r)?

[Bruno Friedmann]

> Indeed the user account for service bareos-fd is root:
> ps auxw | grep bar
> root 38459 0.2 0.0 170624 2988 ? Ssl Dec02 20:48
> /usr/sbin/bareos-fd bareos 79101 0.1 0.0 90000 3200 ? Ssl
> Nov28 26:16 /usr/sbin/bareos-sd
>
> The OS is SLES11SP4; files on client to backup are:
> ll /Backup_NewDB_BS4/data/
> total 198928404
> -rw-r----- 1 bs4adm sapsys 155648 Dec 7 14:42
> backup_BS4_bareos-schedule-20161207_144219_databackup_0_1 -rw-r----- 1
> bs4adm sapsys 100671488 Dec 7 14:42
> backup_BS4_bareos-schedule-20161207_144219_databackup_1_1 -rw-r----- 1
> bs4adm sapsys 83894272 Dec 7 14:42
> backup_BS4_bareos-schedule-20161207_144219_databackup_2_1 -rw-r----- 1
> bs4adm sapsys 202719109120 Dec 7 15:12
> backup_BS4_bareos-schedule-20161207_144219_databackup_3_1
>
> Do you see any solution to backup these files other then modifying the
> permissions (chmod o+r)?

No clear idea still from those informations.
This is the what I would investigate.

What about the top rights ?
a getfacl -R /Backup_NewDB_BS4

Also when the deny access occur, did you get any message in dmesg ?

Did the bareos-fd init script has some special flags or confined by apparmor ?

[74cmonty]

Issue fixed.

Root cause:
Source directory was a NFS mount and therefore root access failed.