oetiker / znapzend

zfs backup with remote capabilities and mbuffer integration.
www.znapzend.org
GNU General Public License v3.0

Running ZnapZend as unprivileged user on Debian 9 (Stretch) #408

Closed Beneter closed 3 years ago

Beneter commented 5 years ago

I want to run ZnapZend as an unprivileged user on Debian 9 (Stretch). Unfortunately, Debian 9 only comes with ZFS 0.6.5, which does not yet support delegating ZFS permissions (zfs allow). Therefore I am trying to use sudo for my purposes.

Solution in https://github.com/oetiker/znapzend/issues/408#issuecomment-462837867

This is my /etc/sudoers.d/znapzend:

## Cmnd alias specification
Cmnd_Alias C_ZFS_ZNAPZEND = \
  /sbin/zfs list, /sbin/zfs list *, \
  /sbin/zfs create, /sbin/zfs create *, \
  /sbin/zfs snapshot, /sbin/zfs snapshot *, \
  /sbin/zfs destroy, /sbin/zfs destroy *, \
  /sbin/zfs get, /sbin/zfs get *, \
  /sbin/zfs set, /sbin/zfs set *, \
  /sbin/zfs inherit, /sbin/zfs inherit *, \
  /sbin/zfs send, /sbin/zfs send *, \
  /sbin/zfs recv, /sbin/zfs recv *, \
  /sbin/zfs bookmark, /sbin/zfs bookmark *, \
  /sbin/zpool iostat, /sbin/zpool iostat *, \
  /sbin/zpool list, /sbin/zpool list *, \
  /sbin/zpool status, /sbin/zpool status *, \
  /sbin/zpool scrub, /sbin/zpool scrub *
#
## allow znapzend commands
znapzend ALL = (root) NOPASSWD: C_ZFS_ZNAPZEND

And my /lib/systemd/system/znapzend.service:

[Unit]
Description=ZnapZend - ZFS Backup System
Documentation=man:znapzend
After=zfs-import-cache.service
After=zfs-import-scan.service

[Service]
EnvironmentFile=-/etc/default/znapzend
ExecStart=/usr/bin/znapzend $ZNAPZENDOPTIONS
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
# Znapzend User
User=znapzend
Group=znapzend
# might be necessary on low power systems
Nice=19
IOSchedulingClass=2
IOSchedulingPriority=7

[Install]
WantedBy=multi-user.target

When executing znapzend:~$ sudo zfs list it seems to work without any password.

NAME                                                 USED  AVAIL  REFER  MOUNTPOINT
backup                                                70K  7,69G    19K  /backup
tank                                                 162K  7,69G    19K  /tank
tank/test                                           19,5K  7,69G  19,5K  /tank/test

I created a znap configuration with:

root:~# znapzendzetup create --rootExec=sudo --recursive \
     SRC '10min=>1min,3day=>1hour,1month=>1day' tank \
     DST:backuptest '10min=>1min,3day=>1hour,1month=>1day' backup

But it seems like ZnapZend is not using sudo:

znapzend:~$ znapzend --noaction --debug --autoCreation
Can't exec "zfs": File or Directory not found at /usr/lib/x86_64-linux-gnu/ZnapZend/ZFS.pm line 133.
ERROR: cannot get datasets
root:~# systemctl restart znapzend.service
root:~# journalctl -xe
znapzend[22289]: znapzend (PID=22289) starting up ...
znapzend[22289]: refreshing backup plans...
znapzend[22289]: Permission denied the ZFS utilities must be run as root.
znapzend[22289]: No backup set defined or enabled, yet. run 'znapzendzetup' to setup znapzend
systemd[1]: znapzend.service: Main process exited, code=exited, status=255/n/a

Am I misinterpreting "rootExec" here? Why isn't it stored as a ZFS attribute?
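An added example, not part of the original issue or the znapzend project: a short Python audit of the Cmnd_Alias posted above, listing which subcommands the rule grants with a trailing `*` (any further arguments, so any dataset or pool on the host). The `READ_ONLY` set, the function names and the two labels are assumptions of this example; `SAMPLE` is an excerpt of the alias from the comment above.

```python
import re

# Excerpt of the Cmnd_Alias from the issue, embedded so the example runs offline.
SAMPLE = r"""
Cmnd_Alias C_ZFS_ZNAPZEND = \
  /sbin/zfs list, /sbin/zfs list *, \
  /sbin/zfs snapshot, /sbin/zfs snapshot *, \
  /sbin/zfs destroy, /sbin/zfs destroy *, \
  /sbin/zfs set, /sbin/zfs set *, \
  /sbin/zfs recv, /sbin/zfs recv *, \
  /sbin/zpool status, /sbin/zpool status *, \
  /sbin/zpool scrub, /sbin/zpool scrub *
znapzend ALL = (root) NOPASSWD: C_ZFS_ZNAPZEND
"""

# Subcommands that only report state. Assumption of this example: anything
# else is flagged for review, because it can change datasets or pools, or
# move data, while running as root.
READ_ONLY = {"list", "get", "iostat", "status"}

def parse_alias(text, name):
    """Return the command specs of Cmnd_Alias `name` as (path, subcmd, args)."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)  # fold continuation lines
    m = re.search(rf"^Cmnd_Alias\s+{re.escape(name)}\s*=\s*(.+)$", joined, re.M)
    if not m:
        raise ValueError(f"alias {name} not found")
    specs = []
    for item in m.group(1).split(","):  # escaped commas (\,) are not handled
        parts = item.split()
        if parts:
            specs.append((parts[0], parts[1] if len(parts) > 1 else "", " ".join(parts[2:])))
    return specs

def audit(text, name):
    """Map 'binary subcmd' -> 'read-only' or 'needs-review' for wildcard grants."""
    report = {}
    for path, sub, args in parse_alias(text, name):
        if args == "*":  # any argument string is accepted after the subcommand
            key = f"{path.rsplit('/', 1)[-1]} {sub}"
            report[key] = "read-only" if sub in READ_ONLY else "needs-review"
    return report

if __name__ == "__main__":
    for cmd, kind in audit(SAMPLE, "C_ZFS_ZNAPZEND").items():
        print(f"{kind:12} {cmd} *")
```

Entries reported as `needs-review` are the ones to narrow first, for example by replacing the bare `*` with the dataset prefixes the backup plan actually uses.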

Beneter commented 5 years ago

Sorry, I already figured it out myself.

The znapzend command has a rootExec parameter itself. If I modify my last listing as follows, it works fine.

znapzend:~$ znapzend --rootExec=sudo --noaction --debug --autoCreation

For the daemon to utilize sudo I needed to create the following environment file /etc/default/znapzend as mentioned in the systemd service description above:

ZNAPZENDOPTIONS=--rootExec=sudo --autoCreation

Beneter commented 5 years ago

I will extend the Readme.md section "Running by an unprivileged user" in a PR soon. I think it makes sense to close the issue afterwards.

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.