Permission/ownership not preserved as root using patterns

[dominictory]

Have you checked borgbackup docs, FAQ, and open GitHub issues?

Yes

Is this a BUG / ISSUE report or a QUESTION?

QUESTION

Your borg version (borg -V).

1.2.3

Operating system (distribution) and version.

Ubuntu 20.04.6 LTS

Hardware / network configuration, and filesystems used.

2x VMs connected. Client device is a Wazuh SIEM instance, to remotely backup automatically to a backup server.

Client with Borg installed -> borg create to remote repo on remote backup server over SSH from client > borg extract on client

How much data is handled by borg?

~ 20MB

Full borg commandline that lead to the problem (leave away excludes and passwords)

As part of the automation script from the documentation, run as root:

borg create \
--filter=AME \
--list \
--stats \
--compression=zstd \
--one-file-system \
$BORG_REPO::'{hostname}-{now}' \
--patterns-from patterns.lst

Extraction of backup repo, run as root:

borg extract $BORG_REPO::repo

Describe the problem you're observing.

After a successful borg create to backup only Wazuh central components, when testing borg extract as root, permissions are not preserved on directories, as well as ownership in child directories.

Backup source:

/:
total 4216708
-rwx------   1 root root       2436 Jun  8 11:51 borg_backup_2.sh
drwxr-xr-x 123 root root      12288 Jun  7 06:05 etc
-rw-r--r--   1 root root       1762 Jun  8 11:53 patterns.lst
drwxr-xr-x  14 root root       4096 Feb 23  2022 usr
drwxr-xr-x  14 root root       4096 May 23  2022 var

patterns.lst:

R /
+ etc/filebeat
+ etc/postfix
+ etc/wazuh-indexer/certs
+ etc/wazuh-indexer/jvm.options
+ etc/wazuh-indexer/jvm.options.d
+ etc/wazuh-indexer/log4j2.properties
+ etc/wazuh-indexer/opensearch.yml
+ etc/wazuh-indexer/opensearch.keystore
+ etc/wazuh-indexer/opensearch-observability
+ etc/wazuh-indexer/opensearch-reports-scheduler
+ etc/wazuh-dashboard/certs
+ etc/wazuh-dashboard/opensearch_dashboards.yml
+ var/ossec/api/configuration
+ var/ossec/etc/client.keys
+ var/ossec/etc/sslmanager*
+ var/ossec/etc/ossec.conf
+ var/ossec/etc/internal_options.conf
+ var/ossec/etc/local_internal_options.conf
+ var/ossec/etc/rules/*.xml
+ var/ossec/etc/decoders/*.xml
+ var/ossec/etc/shared
+ var/ossec/etc/*.pem
+ var/ossec/etc/authd.pass
+ var/ossec/etc/lists
+ var/ossec/queue/agent-groups
+ var/ossec/queue/agentless
+ var/ossec/queue/agents-timestamp
+ var/ossec/queue/fts
+ var/ossec/queue/rids
+ var/ossec/queue/db
+ var/ossec/stats
+ var/ossec/var/db/agents
+ var/ossec/var/multigroups
+ var/ossec/active-response/bin
+ var/ossec/integrations
+ var/ossec/wodles
+ usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig
+ usr/share/wazuh-dashboard/config/opensearch_dashboards.keystore
+ usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
+ usr/lib/sysctl.d/wazuh-indexer.conf
+ borg_backup_2.sh
+ patterns.lst
- *
- etc/*
- etc/wazuh-indexer/*
- etc/wazuh-dashboard/*
- var/*
- var/ossec/*
- var/ossec/api/*
- var/ossec/etc/*
- var/ossec/queue/*
- var/ossec/var/*
- var/ossec/var/db/*
- var/ossec/active-response/*
- usr/*
- usr/share/*
- usr/share/wazuh-indexer/*
- usr/share/wazuh-indexer/plugins/*
- usr/share/wazuh-indexer/plugins/opensearch-security/*
- usr/share/wazuh-dashboard/*
- usr/share/wazuh-dashboard/config/*
- usr/lib/sysctl.d/*

Extracted repo:

/tmp/borg_restore/:
total 20
-rwx------ 1 root root 2413 Jun  8 11:25 borg_backup_2.sh
drwx------ 6 root root 4096 Jun  8 11:28 etc
-rw-r--r-- 1 root root 1762 Jun  8 11:02 patterns.lst
drwx------ 4 root root 4096 Jun  8 11:28 usr
drwx------ 3 root root 4096 Jun  8 11:28 var

Another example of wrong permissions, as well as ownership:

/tmp/borg_restore/var/ossec/:
total 32
drwx------ 3 root  root  4096 Jun  8 11:28 active-response
drwx------ 3 root  root  4096 Jun  8 11:28 api
drwx------ 6 root  root  4096 Jun  8 11:28 etc
drwxr-x--- 2 root  wazuh 4096 Jun  8 09:02 integrations
drwx------ 6 root  root  4096 Jun  8 11:28 queue
drwxr-x--- 5 wazuh wazuh 4096 May 23  2022 stats
drwx------ 3 root  root  4096 Jun  8 11:28 var
drwxr-x--- 7 root  wazuh 4096 Jun  2 09:27 wodles

/var/ossec/:
total 68
drwxr-x---  3 root  wazuh 4096 May 23  2022 active-response
drwxr-x---  4 root  wazuh 4096 May 23  2022 api
drwxrwx---  7 wazuh wazuh 4096 Jun  8 11:51 etc
drwxr-x---  2 root  wazuh 4096 Jun  8 09:02 integrations
drwxr-x--- 15 root  wazuh 4096 Jun  8 11:51 queue
drwxr-x---  5 wazuh wazuh 4096 May 23  2022 stats
drwxr-x---  9 root  wazuh 4096 Jun  8 11:51 var
drwxr-x---  7 root  wazuh 4096 Jun  2 09:27 wodles

I am thinking this is down to my patterns.lst not adequately backing up metadata of parent directories (/ /etc /var /usr) in order to preserve permissions/ownership. If so, how would I modify patterns.lst to include these parent directories for metadata only, and not their contents other than what I am trying to include above?

Can you reproduce the problem? If so, describe how. If not, describe troubleshooting steps you took before opening the issue.

I run the automated script manually (for testing), then create a folder in /tmp/ to host the extracted repo, all as root. I have tried adding --umask=0022 \ to the script however this did not resolve. Again I believe this is an issue with how I've made my patterns.lst, so am looking for guidance there as above.

Thanks in advance!

[ThomasWaldmann]

This is a duplicate of at least one other issues. Maybe #2438 #1751.

TLDR:

• you can not expect borg to restore something you did not back up into the archive (e.g. some parent directory with correct permissions)
• you can not expect to have "correct" metadata on something you did not extract from an archive (e.g. if borg auto-creates missing parent directories)

[ThomasWaldmann]

An easier and safer approach than what you tried is:

• to start from / and just exclude everything you know you do not want to back up
• make sure your patterns are correct (see docs) and verify with borg create --list --dry-run ...

[dominictory]

@ThomasWaldmann

Totally understood re your above points, I'm just having trouble with the patterns logic to only backup the parent directory itself and not the contents, so that the metadata is preserved leading up to the child directories I want to include.

I'm not convinced excluding everything would be easier, as I want to backup very specific files and directories, so there would be a lot to exclude. I was hoping there'd be pattern logic to just include the parent directories without their contents besides what I define as included as per my patterns.lst.

[ThomasWaldmann]

Check this for borg create --patterns-from ...:

P sh               # use sh: style patterns
R /                # start from / directory
+ home             # this would match and include the home directory fs object (== 1 fs item)
+ home/user        # this would match and include the home/user directory (== 1 fs item)
+ home/user/**     # this would match and include all files inside the home/user directory (== many)
- **               # this would match and exclude everything not explicitly and fully matched/included above

[dominictory]

Thanks Thomas.

I have adjusted the above patterns.lst to be the following:

P sh
R /
+ etc
+ etc/filebeat/**
+ etc/postfix/**
+ etc/wazuh-indexer
+ etc/wazuh-indexer/certs
+ etc/wazuh-indexer/certs/**
+ etc/wazuh-indexer/jvm.options
+ etc/wazuh-indexer/jvm.options.d
+ etc/wazuh-indexer/log4j2.properties
+ etc/wazuh-indexer/opensearch.yml
+ etc/wazuh-indexer/opensearch.keystore
+ etc/wazuh-indexer/opensearch-observability
+ etc/wazuh-indexer/opensearch-observability/**
+ etc/wazuh-indexer/opensearch-reports-scheduler
+ etc/wazuh-indexer/opensearch-reports-scheduler/**
+ etc/wazuh-dashboard
+ etc/wazuh-dashboard/certs
+ etc/wazuh-dashboard/certs/**
+ etc/wazuh-dashboard/opensearch_dashboards.yml
+ var
+ var/ossec
+ var/ossec/api
+ var/ossec/api/configuration
+ var/ossec/api/configuration/**
+ var/ossec/etc
+ var/ossec/etc/client.keys
+ var/ossec/etc/sslmanager*
+ var/ossec/etc/ossec.conf
+ var/ossec/etc/internal_options.conf
+ var/ossec/etc/local_internal_options.conf
+ var/ossec/etc/rules
+ var/ossec/etc/rules/**
+ var/ossec/etc/decoders
+ var/ossec/etc/decoders/**
+ var/ossec/etc/shared
+ var/ossec/etc/shared/**
+ var/ossec/etc/*.pem
+ var/ossec/etc/authd.pass
+ var/ossec/etc/lists
+ var/ossec/etc/lists/**
+ var/ossec/queue
+ var/ossec/queue/agent-groups
+ var/ossec/queue/agent-groups/**
+ var/ossec/queue/agentless
+ var/ossec/queue/agentless/**
+ var/ossec/queue/agents-timestamp
+ var/ossec/queue/fts
+ var/ossec/queue/fts/**
+ var/ossec/queue/rids
+ var/ossec/queue/rids/**
+ var/ossec/queue/db
+ var/ossec/queue/db/**
+ var/ossec/stats
+ var/ossec/stats/**
+ var/ossec/var
+ var/ossec/var/db
+ var/ossec/var/db/agents
+ var/ossec/var/db/agents/**
+ var/ossec/var/multigroups
+ var/ossec/var/multigroups/**
+ var/ossec/active-response
+ var/ossec/active-response/bin
+ var/ossec/active-response/bin/**
+ var/ossec/integrations
+ var/ossec/integrations/**
+ var/ossec/wodles
+ var/ossec/wodles/**
+ usr
+ usr/share
+ usr/share/wazuh-indexer
+ usr/share/wazuh-indexer/plugins
+ usr/share/wazuh-indexer/plugins/opensearch-security
+ usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig
+ usr/share/wazuh-dashboard
+ usr/share/wazuh-dashboard/config
+ usr/share/wazuh-dashboard/config/opensearch_dashboards.keystore
+ usr/share/wazuh-dashboard/data
+ usr/share/wazuh-dashboard/data/wazuh
+ usr/share/wazuh-dashboard/data/wazuh/config
+ usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
+ usr/lib
+ usr/lib/sysctl.d
+ usr/lib/sysctl.d/wazuh-indexer.conf
+ borg_backup.sh
+ patterns.lst
+ perms.lst
- **

So here I am trying to backup the parent directory objects for metadata, however when running borg create --dry-run ... it would backup objects that are not supposed to be included, for example:

- /usr/lib/modules/5.4.0-150-generic/kernel/drivers/media/platform/cadence/cdns-csi2rx.ko
- /usr/lib/modules/5.4.0-150-generic/kernel/drivers/media/platform/cadence/cdns-csi2tx.ko
- /usr/lib/modules/5.4.0-150-generic/kernel/drivers/media/platform/cadence
- /usr/lib/modules/5.4.0-150-generic/kernel/drivers/media/platform/cros-ec-cec/cros-ec-cec.ko
- /usr/lib/modules/5.4.0-150-generic/kernel/drivers/media/platform/cros-ec-cec

Are there any adjustments I need to make to the patterns?

Thanks again.

[ThomasWaldmann]

You maybe missed to include the postfix and filebeat directory items.

borg create --list --dry-run ... will output all files it encounters while recursing. The first "status" character of each output line indicates whether a file was included or excluded.

[dominictory]

Yep my mistake, have added those in now, thanks. I did run with --list also, as I saw the output above showing that those, along with many others I did not want to include, would be included if it wasn't a dry run, as filtered using --filter=- as well from the docs:

‘-’ = dry run, item was not backed up

patterns.lst now starts with:

P sh
R /
+ etc
+ etc/filebeat
+ etc/filebeat/**
+ etc/postfix
+ etc/postfix/**

Running borg create --list --dry-run --filter=- ... again, I can see it would still include everything in /etc/ /usr/ and /var/.

[ThomasWaldmann]

Is there any other recursion root given to borg outside of that pattern file, e.g. directly on the command line?

You can remove all recursion roots from the command line and just specify them in the patterns file, so you have all at one place. Considering you start at /, guess there is no need for others in your case.

[dominictory]

Just within the pattern file as per my script:

borg create \
--verbose \
--filter=- \
--list \
--stats \
--dry-run \
--compression=zstd \
--one-file-system \
$BORG_REPO::'{hostname}-{now}' \
--patterns-from=patterns.lst

[ThomasWaldmann]

moved to #7634.

for the scope of this issue: looks like you can't use that method.

[ThomasWaldmann]

Using pf: prefix only for the parent dirs makes this work as desired.

[dominictory]

Thanks Thomas, this works for my use case:

P sh
R /
+ pf:etc
+ pf:etc/filebeat
+ etc/filebeat/**
...
- **

Much appreciated 👍