Running storebackup without root

storebackup can quite easily oveload the computer CPU or completely fill the memory leading to OOM if run as root as no limits on the process are enforced.

It is rather better to run in the user backup to regulate the process. We do this by allowing the backup user to perform some elevated activities and maybe with some alteration to storebackup code to cope with this change.

For your /etc/security/capability.conf

cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid    backup

Then /etc/pam.d/su modified to put auth required at the beginning.

Now we allow the programs that storebackup needs to work to use these capabilities when they are launched by the backup user. Note there is not +eip so elevated access should only be usable when sets the access.

We avoided setting it on bash as it breaks fakeroot and we could not then build debian packages. This is done in the cronjob that starts storebackup before switching to user backup and then starting storebackup.

for N in perl cp cat tar rm bzip2 mknod chown mkdir md5sum rmdir mount grep pod2text
        setcap cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid+ei `which $N`

With capability storebackup should not check if permissions let it read file, just go on and read them, because it can. A small modification is needed:

--- /usr/share/storebackup/lib/       2012-03-04 07:45:54.000000000 +0000
+++ /usr/share/storebackup/lib/       2015-02-07 00:53:40.000000000 +0000
@@ -772,6 +771,0 @@
-       unless (-r $entry)
-       {
-           $prLog->print('-kind' => $prLogWarn,
-                         '-str' => ["no permissions to read <$entry>"]);
-           next;
-       }

Finally we can edit /etc/cron.daily/storebackup to start storebackup nightly as user backup and maybe nice the process and set limits on RAM consumption. Also saveRAM=yes is also good for the storebackup job files.

if ! > "${tmplog}" 2>&1 su backup -c 'chrt -i 0 ionice -t -c3 /usr/bin/perl /usr/bin/storeBackup -f '"${file}"

Hopefully storebackup now finds it can do the activities it needs to do, and can also be monitored in top as it works protecting the data.