When doing partial backups (e.g., /etc, /home, /data), is it better to create a dedicated user for backups or to use the root user?<p>Currently, I'm using a dedicated user with ACL permissions, but I've run into two issues:<p>1. Some files, like the private keys in /etc/ssh, need to have permissions set to 600. Forcing ACLs changes permissions to 640, making SSH login impossible.<p>2. After setting ACL permissions on a directory, newly added files don't retain those ACL permissions.<p>Using the root user seems to provide excessive permissions. How do you handle this in your practice?
I use a dedicated backup user, and setfacl does allow inheritance of its ACL on newly created things. I can't look it up now but I'm sure a Google search will find it. It can also prevent the 640 as well because those ACLs are different than the normal mask.<p>I think what you might be doing is applying a group ACL instead of a user ACL. In my setup I use normal Unix group permissions for some things, ACLs that apply group permissions for most things, but for homes I put my backup account as ACL user permissions for read.<p>Could you use root? Sure, but you would need to evaluate the risk in that, as root is the "do all the things" account. The backup account can still read all the things so you still have data loss exposure but it can't modify the things.
Most backup programs run as root or as the target's own user.
There is the possibility to circumvent the permission checks: capabilities.
They provide parts of the root user to unprivileged processes; in your case CAP_DAC_READ_SEARCH should be enough for the backup process itself. For restore it would need a bunch of caps set, like CAP_DAC_OVERRIDE, CAP_CHOWN and maybe more.
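
A preflight check for the capability approach described in the comment above, as an added example that is not part of the thread: it decodes `CapEff` from `/proc/<pid>/status` and reports whether a backup process is root or holds anything beyond CAP_DAC_READ_SEARCH. The function names and the sample status text are constructed for illustration; the bit numbers are those in `<linux/capability.h>`.

```python
import re

# Bit numbers from <linux/capability.h> for the capabilities named in the thread.
CAP_BITS = {"CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2}
BIT_NAMES = {bit: name for name, bit in CAP_BITS.items()}


def parse_status(text):
    """Return (effective_uid, effective_capability_mask) from /proc/<pid>/status text."""
    uid = re.search(r"^Uid:\s+\d+\s+(\d+)", text, re.M)  # 2nd field is the effective UID
    cap = re.search(r"^CapEff:\s+([0-9a-fA-F]+)", text, re.M)
    if not uid or not cap:
        raise ValueError("status text lacks Uid or CapEff")
    return int(uid.group(1)), int(cap.group(1), 16)


def cap_names(mask):
    """Decode a capability bitmask; bits not in CAP_BITS are reported by number."""
    return [BIT_NAMES.get(b, f"bit_{b}") for b in range(mask.bit_length()) if mask >> b & 1]


def audit(text, required=("CAP_DAC_READ_SEARCH",)):
    """List least-privilege problems for a backup process; an empty list means OK."""
    euid, mask = parse_status(text)
    wanted = sum(1 << CAP_BITS[name] for name in required)
    findings = []
    if euid == 0:
        findings.append("runs as root (euid 0)")
    if missing := cap_names(wanted & ~mask):
        findings.append("missing: " + ", ".join(missing))
    if excess := cap_names(mask & ~wanted):
        findings.append("excess: " + ", ".join(excess))
    return findings


# Constructed samples, not captured from a real host.
BACKUP_OK = "Name:\tbackup\nUid:\t998\t998\t998\t998\nCapEff:\t0000000000000004\n"
RESTORE_WIDE = "Name:\trestore\nUid:\t998\t998\t998\t998\nCapEff:\t0000000000000007\n"
AS_ROOT = "Name:\tbackup\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    # Audit the current process; run this from inside the backup job's wrapper.
    with open("/proc/self/status") as fh:
        print(audit(fh.read()) or "ok")
```

Called at the start of the backup job, a non-empty result means the process has drifted from the read-only profile and should stop before touching data.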