Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve docs: Add best practice for mount and unmount in user-callback #8

Open
aryoda opened this issue Aug 15, 2022 · 4 comments
Open

Comments

@aryoda
Copy link
Contributor

aryoda commented Aug 15, 2022

I think the user-callback script in ~/.config/user-callback is called without root rights but me as user (if I have created a profile in the normal non-root Back in Time client).

It would be helpful for normal users to add an example into the docs and example script(s) which shows how to automatically mount a drive without root rights (or possible recommend "Back in Time (root)" for this use case)...

@aryoda
Copy link
Contributor Author

aryoda commented Aug 18, 2022

More background info how the backintime scheduler works (for backintime started as normal user - NOT root!):

A user crontab entry is made so that the backintime scheduler is called by the current user (NOT root):

$ crontab -l
#Back In Time system entry, this will be edited by the gui:
0 11 * * * /usr/bin/nice -n19 /usr/bin/ionice -c2 -n7 /usr/bin/backintime backup-job >/dev/null

Since mount requires root rights I could add /usr/bin/mount to to the passwordless commands in the /etc/sudoers file
for me as user (see https://stackoverflow.com/a/25215640) but this would open a possible security whole by allowing an attacker that hijacks my login to mount other
drivers without the root password.

So what is the recommended best practice to mount a backup drive in the user-callback script?

@aryoda aryoda changed the title Mount and unmount with root rights Improve docs: Add best practice for mount and unmount in user-callback Aug 20, 2022
@aryoda
Copy link
Contributor Author

aryoda commented Aug 20, 2022

I successfully ended up creating and using backup profiles in Back In Time (root) since

  • setting the SUID bit on a user-callback file for non-root BiT does not work (at least on Ubuntu which ignores the SUID bit on non-binary files like the user-callback bash script)
  • enabling NOPASSWD in sudoers for the user-callback script is a security risk
  • using a non-root mounting system for the userspace (like Gnome gio mount) may interfere with existing manual mounts (eg. different mounting points)

Any other ideas to be tested?

@aryoda
Copy link
Contributor Author

aryoda commented Aug 22, 2022

Possibly related to bit-team/backintime#1229

@buhtz
Copy link
Member

buhtz commented Sep 24, 2024

I would say this topic is to complex to be covered by user-callback docu. There are a lot of use cases when it comes to mounting. Root permissions not needed in every case.
I would say someone who is able to edit user-callback scripts should also be able to manage mounting or doing research about it.

PR backintime#1899

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants