Kopia Capabilities Pacman Post-Transaction Hook


I like to have Kopia backup everything on /, and I don’t like having permission denied errors.

Linux Capabilities!

New Problem:
Linux Capabilities will break upon upgrading Kopia.

Pacman Post Transaction Hook!

sudo nano /etc/pacman.d/hooks/kopia-post.hook

Type = Package
Operation = Install
Operation = Upgrade
Target = *

Description = Set Capacity to Kopia to allow non-root backup permissions
When = PostTransaction
Exec = /usr/bin/setcap cap_dac_read_search=+ep /usr/bin/kopia

You’ll want Kopia to only be upgraded by your package manager, or you’ll break capabilities again.
sudo rm /root/.config/kopia/repository.config.update-info.json

I hope this is helpful to someone out there, and I hope others can port it to all the other distros/BSD/macOS/Windows and their respective package managers.

Thanks for this. What is the security implication for this? Can any user read all files using kopia after that?

Yes that’s the case, any user can read all files without sudo. It’s the binary that is given the capability.

Then it is probably not very smart advice (at least without mentioning this caveat). Why not use capsh instead?

What’s the benefit of capsh over setcap?

At this point I cannot edit my OP to include any warnings.

What’s the benefit of capsh over setcap?

Wouldn’t capsh allow you to run any command with capabilities but without setting the capabilities permanently?

At this point I cannot edit my OP to include any warnings.

Hopefully users read more than the OP :slight_smile:

You can also do the same thing with Monit, then it wont matter how you update Kopia, just that the path stays the same. Monit can perform various checks and take action or send alerts. With some extra scripts it can check and set capabilities. I used this on Node-Red for a time.

Check configuration in monitrc
Works as if /opt/scripts/monit-node-getcap.sh returns a non-zero exit status, execute /opt/scripts/monit-node-setcap.sh

check program nodered-capabilities with path /opt/scripts/monit-node-getcap.sh
     if status != 0 then exec /opt/scripts/monit-node-setcap.sh


set -x

sudo setcap 'cap_net_raw,cap_net_admin+eip' $(readlink -f $(which node))
exit $?


set -x

getcap $(readlink -f $(which node)) | grep -w "cap_net_admin,cap_net_raw+eip"
exit $?