permission denied

duplicity-talk mailing list
Hi,

I'm trying to use duplicity now to backup to a remote location where an
actual non-root user 'duplicity' (without the quotes) has been created.
This user has no permission to create directories at the root level.
Yet it seems duplicity wants to create the whole target's path anew at
every invocation. Of course this leads to a lot of 'permission denied's.

Something like this (anonymised and edited for readability):

$ duplicity -v8 --ssh-askpass /rw
par2+pexpect+scp://duplicity@<IP>//path/to/backup/directory/duplicity/home/user
blah
blah
blah
Running 'sftp  -oServerAliveInterval=15 -oServerAliveCountMax=2
duplicity@<IP>' State = sftp, Before = 'duplicity@<IP>'s'
State = sftp, Before = 'Connected to <IP>' sftp command: 'mkdir
"/path"'
State = sftp, Before = 'mkdir "/path"
Couldn't create directory: Failure'
sftp command: 'cd "/path"'
State = sftp, Before = 'cd "/path"'
sftp command: 'mkdir "to"'
State = sftp, Before = 'mkdir "to"
Couldn't create directory: Failure'
etc
etc

It appears to me that duplicity requires remote-root rights by trying
to create the remote path.

Is there a possibility to tell duplicity to just *check* whether the
path exists and to only create (mkdir) the parts that don't (yet)
exist?

Then the administrator can create a 'zone' for duplicity to work in
and where it can have rights to create directories, without having
to expose the root of the drive to a non-root deserving external user.


Harry

_______________________________________________
Duplicity-talk mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/duplicity-talk

Re: permission denied

On 16.05.2017 11:06, harry via Duplicity-talk wrote:

> Hi,
>
> I'm trying to use duplicity now to backup to a remote location where an
> actual non-root user 'duplicity' (without the quotes) has been created.
> This user has no permission to create directories at the root level.
> Yet it seems duplicity wants to create the whole target's path anew at
> every invocation. Of course this leads to a lot of 'permission denied's.
>
> Something like this (anonymised and edited for readability):
>
> $ duplicity -v8 --ssh-askpass /rw
> par2+pexpect+scp://duplicity@<IP>//path/to/backup/directory/duplicity/home/user
> blah
> blah
> blah
> Running 'sftp  -oServerAliveInterval=15 -oServerAliveCountMax=2
> duplicity@<IP>' State = sftp, Before = 'duplicity@<IP>'s'
> State = sftp, Before = 'Connected to <IP>' sftp command: 'mkdir
> "/path"'
> State = sftp, Before = 'mkdir "/path"
> Couldn't create directory: Failure'
> sftp command: 'cd "/path"'
> State = sftp, Before = 'cd "/path"'
> sftp command: 'mkdir "to"'
> State = sftp, Before = 'mkdir "to"
> Couldn't create directory: Failure'
> etc
> etc
>
> It appears to me that duplicity requires remote-root rights by trying
> to create the remote path.
>
> Is there a possibility to tell duplicity to just *check* whether the
> path exists and to only create (mkdir) the parts that don't (yet)
> exist?

probably, it's just nobody implemented that yet.

the backend simply tries to mkdir to make sure the folder needed is there. usually that's not an issue. do these "errors" also show up when not using extra verbosity?
 
> Then the administrator can create a 'zone' for duplicity to work in
> and where it can have rights to create directories, without having
> to expose the root of the drive to a non-root deserving external user.
>

you may want to try the lftp+sftp:// backend, which has a test for folder and create only if missing routine. it needs lftp installed, which uses the cmd line ssh binaries internally.

..ede/duply.net
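
Added example, not part of the original thread and not duplicity's or lftp's code: it contrasts the "mkdir every component" walk seen in the -v8 log with a "test for folder, create only if missing" walk, using a constructed in-memory stand-in for the SFTP server. FakeSftp, components, blind_mkdir_walk, ensure_path and the zone layout are hypothetical names and data chosen for illustration.

```python
import posixpath

class FakeSftp:
    """Constructed in-memory stand-in for an SFTP server (hypothetical)."""
    def __init__(self, existing, writable_zone):
        self.dirs = set(existing)
        self.zone = writable_zone
        self.mkdir_calls = []

    def is_dir(self, path):
        return path in self.dirs

    def mkdir(self, path):
        self.mkdir_calls.append(path)
        parent = posixpath.dirname(path)
        in_zone = parent == self.zone or parent.startswith(self.zone + "/")
        # Fails for an existing directory or a parent outside the zone.
        if path in self.dirs or not in_zone:
            raise PermissionError("Couldn't create directory: Failure")
        self.dirs.add(path)

def components(target):
    """'/a/b/c' -> ['/a', '/a/b', '/a/b/c']"""
    parts = [p for p in target.split("/") if p]
    return ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]

def blind_mkdir_walk(sftp, target):
    """mkdir every component and ignore errors, as in the -v8 log."""
    failures = []
    for path in components(target):
        try:
            sftp.mkdir(path)
        except PermissionError:
            failures.append(path)
    return failures

def ensure_path(sftp, target):
    """Test each component first; mkdir only the ones that are missing."""
    created = []
    for path in components(target):
        if not sftp.is_dir(path):
            sftp.mkdir(path)  # a real denial is raised here, not buried in noise
            created.append(path)
    return created

# Constructed layout: the admin pre-created the zone; the backup user
# may create directories only inside it.
ZONE = "/path/to/backup/directory/duplicity"
EXISTING = components(ZONE)
TARGET = ZONE + "/home/user"
```

With the check-first walk the backup account issues mkdir only inside the zone, so any mkdir failure it does report is a genuine permission problem.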



Re: permission denied

On Tue, 16 May 2017 11:38:53 +0200
"edgar.soldin--- via Duplicity-talk" <[hidden email]> wrote:

> On 16.05.2017 11:06, harry via Duplicity-talk wrote:
> > Hi,
> >
> > I'm trying to use duplicity now to backup to a remote location
> > where an actual non-root user 'duplicity' (without the quotes) has
> > been created. This user has no permission to create directories at
> > the root level. Yet it seems duplicity wants to create the whole
> > target's path anew at every invocation. Of course this leads to a
> > lot of 'permission denied's.
> >
> > Something like this (anonymised and edited for readability):
> >
> > $ duplicity -v8 --ssh-askpass /rw
> > par2+pexpect+scp://duplicity@<IP>//path/to/backup/directory/duplicity/home/user
> > blah
> > blah
> > blah
> > Running 'sftp  -oServerAliveInterval=15 -oServerAliveCountMax=2
> > duplicity@<IP>' State = sftp, Before = 'duplicity@<IP>'s'
> > State = sftp, Before = 'Connected to <IP>' sftp command: 'mkdir
> > "/path"'
> > State = sftp, Before = 'mkdir "/path"
> > Couldn't create directory: Failure'
> > sftp command: 'cd "/path"'
> > State = sftp, Before = 'cd "/path"'
> > sftp command: 'mkdir "to"'
> > State = sftp, Before = 'mkdir "to"
> > Couldn't create directory: Failure'
> > etc
> > etc
> >
> > It appears to me that duplicity requires remote-root rights by
> > trying to create the remote path.
> >
> > Is there a possibility to tell duplicity to just *check* whether
> > the path exists and to only create (mkdir) the parts that don't
> > (yet) exist?
>
> probably, it's just nobody implemented that yet.
>
> the backend simply tries to mkdir to make sure the folder needed is
> there. usually that's not an issue. do these "errors" also show up
> when not using extra verbosity?

The error that I get when I give the credentials of a non-root user
without verbosity is:

Attempt 1 failed. BackendException: Error running 'sftp
-oServerAliveInterval=15 -oServerAliveCountMax=2
duplicity@<IP>': Permission denied

> > Then the administrator can create a 'zone' for duplicity to work in
> > and where it can have rights to create directories, without having
> > to expose the root of the drive to a non-root deserving external
> > user.
> >
>
> you may want to try the lftp+sftp:// backend, which has a test for
> folder and create only if missing routine. it needs lftp installed,
> which uses the cmd line ssh binaries internally.

That seems to work, thanks.

Harry


> ..ede/duply.net