Running storebackup without root

storebackup can quite easily oveload the computer CPU or completely fill the memory leading to OOM if run as root as no limits on the process are enforced.

It is rather better to run in the user backup to regulate the process. We do this by allowing the backup user to perform some elevated activities and maybe with some alteration to storebackup code to cope with this change.

For your /etc/security/capability.conf

cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid    backup

Then /etc/pam.d/su modified to put auth required at the beginning.

Now we allow the programs that storebackup needs to work to use these capabilities when they are launched by the backup user. Note there is not +eip so elevated access should only be usable when sets the access.

We avoided setting it on bash as it breaks fakeroot and we could not then build debian packages. This is done in the cronjob that starts storebackup before switching to user backup and then starting storebackup.

for N in perl cp cat tar rm bzip2 mknod chown mkdir md5sum rmdir mount grep pod2text
        setcap cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid+ei `which $N`

With capability storebackup should not check if permissions let it read file, just go on and read them, because it can. A small modification is needed:

  1. dpkg-divert --add --rename /usr/share/storebackup/lib/
  2. cp /usr/share/storebackup/lib/{.distrib,}
  3. patch -d / -r -p0
--- /usr/share/storebackup/lib/       2012-03-04 07:45:54.000000000 +0000
+++ /usr/share/storebackup/lib/       2015-02-07 00:53:40.000000000 +0000
@@ -772,6 +771,0 @@
-       unless (-r $entry)
-       {
-           $prLog->print('-kind' => $prLogWarn,
-                         '-str' => ["no permissions to read <$entry>"]);
-           next;
-       }

Instead of using cron, now like to set up a dedicated systemd units to run storebackup service unit in systemd instead of a cron initiated jobs.

Users modifying their own systems would place custom units like this in /etc/systemd/system, renaming them if desired to not clash with any builtin units, which they will override. Including a custom name in the unit can help with this.


Main service, run from a timer unit. Prefer to configure storebackup as embedded in the unit

  1. [Unit]
  2. Description=storebackup to backup the system
  3. Documentation=
  5. ConditionACPower=true
  6. ConditionPathIsMountPoint=/var/local/backups
  1. [Service]
  2. Type=simple
  3. User=backup
  4. StandardInput=null
  5. StandardOutput=journal
  6. StandardError=inherit
  8. LimitRSS=536870912
  9. LimitDATA=536870912
  10. LimitAS=536870912
  11. CPUSchedulingPolicy=idle
  12. IOSchedulingClass=idle
  13. ExecStart=-/usr/bin/perl /usr/bin/storeBackup\
  14. --sourceDir /\
  15. --backupDir /var/local/backups\
  16. --series .\
  17. --tmpdir /tmp\
  18. --includeDirs bin\
  19. --includeDirs boot\
  20. --includeDirs etc\
  21. --includeDirs home\
  22. --includeDirs lib\
  23. --includeDirs root\
  24. --includeDirs sbin\
  25. --includeDirs usr\
  26. --includeDirs var/backups\
  27. --includeDirs var/cache/apt/archives\
  28. --includeDirs var/gopher\
  29. --includeDirs var/lib\
  30. --includeDirs var/mail\
  31. --includeDirs var/opt\
  32. --includeDirs run\
  33. --includeDirs var/www\
  34. --exceptDirs var/local/backups\
  35. --exceptDirs var/lib/lxcfs\
  36. --exceptDirs run/rpc_pipefs\
  37. --exceptTypes Sbc\
  38. --keepMinNumber 100\
  39. --keepAll 30d\
  40. --keepFirstOfWeek 90d\
  41. --keepLastOfWeek 90d\
  42. --keepFirstOfMonth 360d\
  43. --keepLastOfMonth 360d\
  44. --keepFirstOfYear 720d\
  45. --keepLastOfYear 720d\
  46. --debug 0\
  47. --deleteNotFinishedDirs\
  48. --saveRAM\
  49. --cpIsGnu\
  50. --linkSymlinks\


  1. [Unit]
  2. Description=storebackup to backup the system at night
  3. Documentation=
  1. [Timer]
  2. OnCalendar=
  3. OnCalendar=*-*-* 03:13:37
  1. [Install]


Modifies capability bits, usually needs running if system is updated

  1. [Unit]
  2. Description=storebackup configure utility capabilities
  3. Documentation=
  5. ConditionACPower=true
  1. [Service]
  2. Type=simple
  3. StandardInput=null
  4. StandardOutput=journal
  5. StandardError=inherit
  6. ExecStart=-/bin/sh -c 'for N in perl cp cat tar rm bzip2 mknod chown mkdir md5sum rmdir mount grep pod2text; do echo /sbin/setcap cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid=+ei `which $N`; done;'


Tidy backups

  1. [Unit]
  2. Description=storebackup place links files
  3. Documentation=
  5. ConditionACPower=true
  1. [Service]
  2. Type=simple
  3. StandardInput=null
  4. StandardOutput=journal
  5. StandardError=inherit
  6. ExecStart=-/bin/sh -c 'for N in /var/local/backups/*.??.??_??.??.??; do if test ! -e $N/.storeBackupLinks; then mkdir -p $N/.storeBackupLinks; chown backup.backup $N/.storeBackupLinks; fi; done'

Hopefully storebackup now finds it can do the activities it needs to do, and can also be monitored in top as it works protecting the data.

Offhost backup with rsync

storebackup works well locally, but we need to also store offhost, away from server; out of room good, out of building better, though the other location also should be secure as it has personal data too.

On the server to be backed up:


  1. [Unit]
  2. Description=RSYNC Socket for Per-Connection Servers
  3. [Socket]
  4. ListenStream=873
  5. Accept=yes
  6. [Install]


  1. [Unit]
  2. Description=RSYNC systemd inet emulation.
  3. ; rsync tries /dev/log
  4. [Service]
  5. ExecStart=-/usr/bin/rsync --daemon --config /etc/rsyncd.conf
  6. StandardInput=socket
  7. IOSchedulingClass=idle
  8. OOMScoreAdjust=500
  9. CPUSchedulingPolicy=idle


  1. socket options = IPTOS_THROUGHPUT,SO_RCVBUF=0x1000000,SO_SNDBUF=0x1000000
  2. [backups]
  3. uid = root
  4. gid = root
  5. read only = yes
  6. use chroot = no
  7. path = /var/local/backups
  8. hosts allow = 2001:db8::aede:48ff:fe23:4567

On administators desktop PC

This can easily be up irregularly, if it is in a secure place preferably away from the main server with network access to it.


  1. [Unit]
  2. Description=backs up examplevia rsync
  3. [Service]
  4. #ExecStartPre=-/sbin/setcap cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid=+ei /usr/bin/rsync
  5. ExecStart=-/usr/bin/rsync -avhRPHAX --no-implied-dirs --sockopts=IPTOS_THROUGHPUT,SO_RCVBUF=0x1000000,SO_SNDBUF=0x1000000 example::backups/2* /var/local/backups
  6. User=backup
  7. PrivateTmp=true
  8. PrivateDevices=true
  9. PrivateNetwork=false
  10. ProtectSystem=true
  11. ProtectHome=true
  12. NoNewPrivileges=true
  13. #CPUSchedulingPolicy=batch
  14. #IOSchedulingClass=idle
  15. StandardInput=null
  16. StandardOutput=journal
  17. StandardError=inherit


Good to pick a time that system is likely to be up and not too busy

  1. [Unit]
  2. Description=backup example timer
  3. [Timer]
  4. Persistent=true
  5. OnCalendar=*-*-* 19:13:37
  6. [Install]

tell systemd to reload all units after edits: systemctl daemon-reload; then activate the timer job now with systemctl start backup-example.timer; and at every boot with systemctl enable backup-example.timer

To start the backup immediately; systemctl start backup-example.service; or wait for the timer job if that is active.