docs: add warning for capability-based non-root backups

This commit is contained in:
fabien-joubert
2025-12-27 22:38:16 +01:00
parent 9e2d60e28c
commit 8179c4f676

@@ -319,6 +319,18 @@ Note that when using a systemd unit to run restic, you can use
Using file capabilities
=======================
.. warning::
Granting ``CAP_DAC_READ_SEARCH`` to the restic binary allows any process
executing that binary to bypass standard file permission checks for reading
and directory traversal. In practice, anyone who can execute this binary can
read most of the system, regardless of their user ID.
Ensure that only a dedicated backup user (and root) can execute the
capability-enabled restic binary, and treat that account as highly privileged.
See: `capabilities(7) <https://man7.org/linux/man-pages/man7/capabilities.7.html>`_
Alternatively, the capability can be granted to a file. First we
create a new user called ``restic`` that is going to create
the backups:
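Review bot: Placing the warning between the section title and "Alternatively, the capability can be granted to a file." breaks the transition: "Alternatively" contrasts with the systemd-unit approach referred to in the hunk header context ("Note that when using a systemd unit to run restic, you can use"), and with the warning inserted first, the reader no longer sees what it is an alternative to. Either move the `.. warning::` below the paragraph that introduces the file-capability approach (after "the backups:" and the steps that follow) or reword the sentence to stand on its own, e.g. "The capability can also be granted to the restic binary itself." Two smaller points in the same hunk: there is no blank line between the title underline and the `.. warning::` directive, so add one, and the mitigation sentence ("Ensure that only a dedicated backup user (and root) can execute the capability-enabled restic binary") would be more actionable if it referred to the concrete setup steps this section already walks through (the dedicated ``restic`` user and the file ownership/mode applied to the binary), since that is exactly how the restriction is enforced.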