Kopia utilise SeBackupPrivilege on win32 to bypass NTFS ACLs

I wonder if there is a chance of Kopia using the win32 SeBackupPrivilege to bypass NTFS ACLs ?

It’s quite common for users to alter the permissions tab of files on shared network drives. Admin teams may want to restrict access to a folder, but they rarely consider making sure the Administrator user still has access. This can mean the user running kopia from the file server may not have access to those files and folder as well.

This is overcome in Robocopy with a ‘Backup Mode’ operation.

A description of this is copied from a superuser.com post below:

Backup mode is a way to read and write files ignoring any permissions problems.

It uses the SeBackupPrivilege (reading) and SeRestorePrivilege (writing) in order to read/write any and all files, disregarding any ACEs that would prevent you from reading or writing a file.

Normally when trying to copy or access a file, Windows performs a check to make sure you have permission to read or write to location, but with SeBackupPrivilege (granted to the Backup Operators and Administrators groups by default), and SeRestorePrivilege (also granted to the Backup Operators and Administrators groups by default), these checks are bypassed.

On domain controllers, the mentioned user rights are also available to the Server Operators group.

From the documentation for SeBackupPrivilege

This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This user right is effective only when an application attempts access through the NTFS backup application programming interface (API) through a backup tool such as NTBACKUP.EXE. Otherwise, standard file and directory permissions apply.

This user right is similar to granting the following permissions to the user or group you have selected on all files and folders on the system:

  • Traverse Folder/Execute File
  • List Folder/Read Data
  • Read Attributes
  • Read Extended Attributes
  • Read Permissions

From the documentation on SeRestorePrivilege:

This security setting determines which users can bypass file, directory, registry, and other persistent object permissions when they restore backed up files and directories, and it determines which users can set valid security principals as the owner of an object.

Granting this user right to an account is similar to granting the account the following permissions to all files and folders on the system:

  • Traverse folder / execute file
  • Write

To check if your account has these privileges, you can run the command whoami /priv at a command prompt.

Hmm I see that mounting a VSS snapshot fixes this (and other issues), but I can’t seem to get the example scripts to work, and my own batch / wmic scripts aren’t working. I’ll keep trying :slight_smile:

I got the example VSS powershell scripts to work fine. ignore me :slight_smile:

Out of curiosity, did you have the modify the scripts or the ones on kopia.io worked without changes? If the former, do you mind sharing?

Hi. They worked without modification. For some reason though, when I was testing from a command-prompt, the command-prompt window would disappear, and I didn’t realise it had worked, was creating and mounting a snapshot (in kopia home dir/random-id), and that kopia continued to run in the background. I also wasn’t very clear on the idea that KOPIA_SNAPSHOT_PATH causes Kopia to read from a different location than the actual source path, so I was a bit unsure it was actually using the snapshot and that the scripts worked/were valid.

I originally tried my own batch files, which I have used successfully with 7-zip to zip up in-use files, but it wouldn’t work with Kopia. Kopia gave a readSymlink or readDir error when trying to snapshot E:\ShadowCopy, where I had mounted the VSS shadow copy to with mklink /d.

On my other system (Linux), I used a script to mount the latest btrfs snapshot to a fixed directory, and I have Kopia snapshotting that directory. it runs the risk of the btrfs snapshot not being unmounted at the end and a new one failing to mount in its place next time around. I didn’t know about the KOPIA_SNAPSHOT_PATH thing overriding the source location. I might revisit that system, although it’s been working fine for some time.