Kopia Capabilities Pacman Post-Transaction Hook

mattzab · February 9, 2022, 2:16am

Hello,

Problem:
I like to have Kopia backup everything on /, and I don’t like having permission denied errors.

Solution?
Linux Capabilities!

New Problem:
Linux Capabilities will break upon upgrading Kopia.

Solution?
Pacman Post Transaction Hook!

sudo nano /etc/pacman.d/hooks/kopia-post.hook

[Trigger]
Type = Package
Operation = Install
Operation = Upgrade
Target = *

[Action]
Description = Set Capacity to Kopia to allow non-root backup permissions
When = PostTransaction
Exec = /usr/bin/setcap cap_dac_read_search=+ep /usr/bin/kopia

You’ll want Kopia to only be upgraded by your package manager, or you’ll break capabilities again.
sudo rm /root/.config/kopia/repository.config.update-info.json

I hope this is helpful to someone out there, and I hope others can port it to all the other distros/BSD/macOS/Windows and their respective package managers.

kopanla · February 10, 2022, 6:30am

Thanks for this. What is the security implication for this? Can any user read all files using kopia after that?

mattzab · February 10, 2022, 4:02pm

Yes that’s the case, any user can read all files without sudo. It’s the binary that is given the capability.

kopanla · February 14, 2022, 4:40am

Then it is probably not very smart advice (at least without mentioning this caveat). Why not use capsh instead?

mattzab · February 14, 2022, 4:50am

What’s the benefit of capsh over setcap?

At this point I cannot edit my OP to include any warnings.

kopanla · February 14, 2022, 5:12am

What’s the benefit of capsh over setcap?

Wouldn’t capsh allow you to run any command with capabilities but without setting the capabilities permanently?

At this point I cannot edit my OP to include any warnings.

Hopefully users read more than the OP

seized · February 26, 2022, 11:03pm

You can also do the same thing with Monit, then it wont matter how you update Kopia, just that the path stays the same. Monit can perform various checks and take action or send alerts. With some extra scripts it can check and set capabilities. I used this on Node-Red for a time.

Check configuration in monitrc
Works as if /opt/scripts/monit-node-getcap.sh returns a non-zero exit status, execute /opt/scripts/monit-node-setcap.sh

check program nodered-capabilities with path /opt/scripts/monit-node-getcap.sh
     if status != 0 then exec /opt/scripts/monit-node-setcap.sh

/opt/scripts/monit-node-setcap.sh

#!/bin/bash
set -x

sudo setcap 'cap_net_raw,cap_net_admin+eip' $(readlink -f $(which node))
exit $?

/opt/scripts/monit-node-getcap.sh

#!/bin/bash
set -x

getcap $(readlink -f $(which node)) | grep -w "cap_net_admin,cap_net_raw+eip"
exit $?

Topic		Replies	Views
Problem enabling actions on server General Topics	2	362	April 21, 2023
Kopia v0.9.0-rc1 is released Announcements	7	1002	October 1, 2021
[Important] Impact of codecov.io security issue on Kopia build pipeline Announcements	2	570	April 17, 2021
Kopia UI as root General	12	2236	February 23, 2024
Kopia v0.11.0 has been released Announcements	2	584	July 5, 2022

Kopia Capabilities Pacman Post-Transaction Hook

Related Topics