tighten up security on dump folder

Valantur

Active Member
Jan 7, 2019
Hi Everyone,
I noticed that the dump folder where all backups go requires and defaults to 777 permissions. Is there a way to remove the rwx permissions to "others" without disrupting Proxmox's backup jobs?
Can we specify which user on the host will be running the job that requires full access to that folder?

I tried looking for an answer on the forums but I came up with a bunch of posts about backing up to an NFS folder. My question doesn't involve any network drive but a USB drive that's directly attached to my host.

Thanks,
 
On PVE, there only exists one user root, so it does not matter if the dump folder is world readable, if there is no world outside.
If you created other users, then yes, this could be a problem, but PVE uses only root.

> I noticed that the dump folder where all backups go requires and defaults to 777 permissions.

How did you determine that?
 
> On PVE, there only exists one user root, so it does not matter if the dump folder is world readable, if there is no world outside.
> If you created other users, then yes, this could be a problem, but PVE uses only root.
>
> How did you determine that?

If I chmod 770 the dump folder, Proxmox can't place the backups there.
Permissions are as follows:

drwxrwx--- 2 root root 12288 Jan 7 15:04 dump


And I get the error message highlighted in bold below:

INFO: starting new backup job: vzdump 109 --storage das --node server --remove 0 --compress lzo --mode snapshot
INFO: Starting Backup of VM 109 (lxc)
INFO: status = running
INFO: CT Name: tor
INFO: backup mode: snapshot
INFO: ionice priority: 7
INFO: create storage snapshot 'vzdump'
Using default stripesize 64.00 KiB.
Logical volume "snap_vm-109-disk-0_vzdump" created.
INFO: creating archive '/mnt/das/dump/vzdump-lxc-109-2019_01_07-15_04_09.tar.lzo'
INFO: tar: /mnt/das/dump/vzdump-lxc-109-2019_01_07-15_04_09.tmp: Cannot open: Permission denied
INFO: tar: Error is not recoverable: exiting now
INFO: remove vzdump snapshot
Logical volume "snap_vm-109-disk-0_vzdump" successfully removed
ERROR: Backup of VM 109 failed - command 'set -o pipefail && lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- tar cpf - --totals --one-file-system -p --sparse --numeric-owner --acls --xattrs '--xattrs-include=user.*' '--xattrs-include=security.capability' '--warning=no-file-ignored' '--warning=no-xattr-write' --one-file-system '--warning=no-file-ignored' '--directory=/mnt/das/dump/vzdump-lxc-109-2019_01_07-15_04_09.tmp' ./etc/vzdump/pct.conf '--directory=/mnt/vzsnap0' --no-anchored '--exclude=lost+found' --anchored '--exclude=./tmp/?*' '--exclude=./var/tmp/?*' '--exclude=./var/run/?*.pid' ./ | lzop >/mnt/das/dump/vzdump-lxc-109-2019_01_07-15_04_09.tar.dat' failed: exit code 2
INFO: Backup job finished with errors
TASK ERROR: job errors
 
What is mounted on /mnt/das ?

On my local filesystem the permissions are 755 and a backup of a lxc guest (unprivileged) works without problems

You could try setting a different `tmpdir` (a directory on the local filesystem) and see if that works (it seems the problem is related to the initial sync)

hope that helps
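
An added example, not part of any post in this thread and not Proxmox code: the vzdump command in the log above runs tar under `lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536`, so tar acts as host uid/gid 100000 and has to search every directory on the way into the dump folder. The sketch below checks that for the modes mentioned in the thread, assuming plain mode bits decide access (ACLs and supplementary groups are ignored); the function names and the temporary directory are hypothetical and constructed for the demonstration.

```python
import os
import tempfile

# Host-side identity of container root, taken from the log's
# "lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536" arguments.
MAPPED_UID = 100000
MAPPED_GID = 100000


def class_bits(st, uid, gid):
    """rwx triplet (0-7) that the classic owner/group/other check applies."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid == gid:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def blocked_components(path, uid=MAPPED_UID, gid=MAPPED_GID):
    """Directories from path up to "/" that uid/gid cannot search (no x bit).

    Assumption: only mode bits count; ACLs and extra groups are ignored.
    """
    blocked = []
    current = os.path.realpath(path)
    while True:
        if not class_bits(os.stat(current), uid, gid) & 0o1:
            blocked.append(current)
        parent = os.path.dirname(current)
        if parent == current:  # reached "/"
            break
        current = parent
    return blocked


def demo():
    """Constructed sample: a 'dump' directory tried with the thread's modes."""
    base = os.path.realpath(tempfile.mkdtemp())
    dump = os.path.join(base, "dump")
    os.mkdir(dump)
    # Offset from the current ids so the checked identity is never the owner.
    uid, gid = os.getuid() + MAPPED_UID, os.getgid() + MAPPED_GID
    result = {}
    for mode in (0o770, 0o755, 0o777):
        os.chmod(dump, mode)
        result[mode] = dump in blocked_components(dump, uid, gid)
    os.rmdir(dump)
    os.rmdir(base)
    return result


if __name__ == "__main__":
    print({oct(m): blocked for m, blocked in demo().items()})
```

On a real host, `blocked_components("/mnt/das/dump")` run as root lists the directories whose permissions stop the mapped uid from entering the dump folder.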
 
