Fix restic password permission issue
parent
dab59943c9
commit
741ab55f05
33
manifest.jps
33
manifest.jps
|
@ -322,9 +322,36 @@ actions:
|
||||||
head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16 | sudo tee /etc/restic-password
|
head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16 | sudo tee /etc/restic-password
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Set the correct permissions and ownership for the password file
|
# Detect web server environment and set appropriate ownership
|
||||||
sudo chown litespeed:litespeed /etc/restic-password
|
WEB_USER=""
|
||||||
sudo chmod 640 /etc/restic-password
|
if id "litespeed" &>/dev/null; then
|
||||||
|
WEB_USER="litespeed"
|
||||||
|
elif id "nginx" &>/dev/null; then
|
||||||
|
WEB_USER="nginx"
|
||||||
|
elif id "www-data" &>/dev/null; then
|
||||||
|
WEB_USER="www-data"
|
||||||
|
elif id "apache" &>/dev/null; then
|
||||||
|
WEB_USER="apache"
|
||||||
|
else
|
||||||
|
WEB_USER="root"
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Detected web server user: $WEB_USER"
|
||||||
|
|
||||||
|
# Set ownership with fallback to root
|
||||||
|
if [ "$WEB_USER" != "root" ]; then
|
||||||
|
sudo chown $WEB_USER:$WEB_USER /etc/restic-password
|
||||||
|
# Make readable by all users in case of permission issues
|
||||||
|
sudo chmod 644 /etc/restic-password
|
||||||
|
else
|
||||||
|
sudo chown root:root /etc/restic-password
|
||||||
|
sudo chmod 644 /etc/restic-password
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Ensure backup directories exist with proper permissions
|
||||||
|
sudo mkdir -p /mnt/backups
|
||||||
|
sudo chown $WEB_USER:$WEB_USER /mnt/backups
|
||||||
|
sudo chmod 755 /mnt/backups
|
||||||
|
|
||||||
# Set up log rotation for backup logs
|
# Set up log rotation for backup logs
|
||||||
echo "/var/log/backup_addon.log {
|
echo "/var/log/backup_addon.log {
|
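Review bot: `sudo chmod 644 /etc/restic-password` in both branches makes the restic repository password readable by every local account, a regression from the 640 the commit removes; the comment `# Make readable by all users in case of permission issues` names the symptom rather than a fix. The web-server user only needs group read access: keep root as owner and grant the group, `sudo chown root:"$WEB_USER" /etc/restic-password` with `sudo chmod 640 /etc/restic-password`, and `sudo chmod 600` in the root-only branch. Owning the file as the web-server user also means a compromised web application holds the backup password, and `sudo chown $WEB_USER:$WEB_USER /mnt/backups` lets that same account alter or delete the repository, so a dedicated backup group is the safer model. The `fi` at the top of the hunk closes an `if` that begins outside it.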
||||||
|
|
|
@ -18,6 +18,71 @@ log_message() {
|
||||||
echo "[$(date +'%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
|
echo "[$(date +'%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Function: Get Restic Password with robust access handling
|
||||||
|
get_restic_password() {
|
||||||
|
local password=""
|
||||||
|
|
||||||
|
# Method 1: Try direct file access (works for root and litespeed users)
|
||||||
|
if [ -f "$PASSWORD_FILE" ] && [ -r "$PASSWORD_FILE" ]; then
|
||||||
|
password=$(cat "$PASSWORD_FILE" 2>/dev/null || echo "")
|
||||||
|
if [ -n "$password" ]; then
|
||||||
|
log_message "Password accessed directly from $PASSWORD_FILE"
|
||||||
|
echo "$password"
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Method 2: Try sudo access (for non-root users who can sudo)
|
||||||
|
if [ "$EUID" -ne 0 ] && command -v sudo >/dev/null 2>&1; then
|
||||||
|
if sudo -n test -r "$PASSWORD_FILE" 2>/dev/null; then
|
||||||
|
password=$(sudo cat "$PASSWORD_FILE" 2>/dev/null || echo "")
|
||||||
|
if [ -n "$password" ]; then
|
||||||
|
log_message "Password accessed via sudo from $PASSWORD_FILE"
|
||||||
|
echo "$password"
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Method 3: Check if running as root but password file has wrong permissions
|
||||||
|
if [ "$EUID" -eq 0 ] && [ -f "$PASSWORD_FILE" ]; then
|
||||||
|
password=$(cat "$PASSWORD_FILE" 2>/dev/null || echo "")
|
||||||
|
if [ -n "$password" ]; then
|
||||||
|
log_message "Password accessed as root from $PASSWORD_FILE"
|
||||||
|
echo "$password"
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Method 4: Environment variable fallback
|
||||||
|
if [ -n "$RESTIC_PASSWORD" ]; then
|
||||||
|
log_message "Using RESTIC_PASSWORD environment variable"
|
||||||
|
echo "$RESTIC_PASSWORD"
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Method 5: Check alternative locations
|
||||||
|
local alt_locations=(
|
||||||
|
"/home/jelastic/.restic-password"
|
||||||
|
"/home/litespeed/.restic-password"
|
||||||
|
"/home/nginx/.restic-password"
|
||||||
|
"/root/.restic-password"
|
||||||
|
)
|
||||||
|
|
||||||
|
for alt_file in "${alt_locations[@]}"; do
|
||||||
|
if [ -f "$alt_file" ] && [ -r "$alt_file" ]; then
|
||||||
|
password=$(cat "$alt_file" 2>/dev/null || echo "")
|
||||||
|
if [ -n "$password" ]; then
|
||||||
|
log_message "Password found at alternative location: $alt_file"
|
||||||
|
echo "$password"
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
|
||||||
# Function: Validate dependencies
|
# Function: Validate dependencies
|
||||||
validate_dependencies() {
|
validate_dependencies() {
|
||||||
for cmd in restic; do
|
for cmd in restic; do
|
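Review bot: Every `log_message` call inside `get_restic_password` writes to stdout (`log_message` pipes through `tee -a "$LOG_FILE"` just above), so when `validate_repository` in the next hunk runs `restic_password=$(get_restic_password)` the captured value is a timestamped log line followed by the password, and `restic snapshots` will fail with the wrong secret. Route the diagnostics to stderr inside this function, `log_message "Password accessed directly from $PASSWORD_FILE" >&2`, and add the same `>&2` to the other four `log_message` calls in Methods 2 through 5. `echo "$password"` should be `printf '%s\n' "$password"` so a value starting with `-` or containing backslashes is emitted verbatim, since the environment-variable and alternative-file paths accept arbitrary content. Method 5 treats a file in any of the listed home directories as authoritative, so the integrity of the password now depends on each of those accounts; either document that trust assumption in the function header or limit the fallback to root-owned files.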
||||||
|
@ -28,20 +93,42 @@ validate_dependencies() {
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
# Function: Validate repository access
|
# Function: Validate repository access with robust password handling
|
||||||
validate_repository() {
|
validate_repository() {
|
||||||
if [ ! -f "$PASSWORD_FILE" ]; then
|
log_message "Attempting to access Restic repository..."
|
||||||
log_message "ERROR: Password file not found at $PASSWORD_FILE."
|
|
||||||
|
# Get password using robust method
|
||||||
|
local restic_password
|
||||||
|
if ! restic_password=$(get_restic_password); then
|
||||||
|
log_message "ERROR: Unable to access Restic password from any source."
|
||||||
|
log_message "Checked locations:"
|
||||||
|
log_message " - Primary: $PASSWORD_FILE"
|
||||||
|
log_message " - Environment: RESTIC_PASSWORD"
|
||||||
|
log_message " - Alternative locations in home directories"
|
||||||
|
log_message "Current user: $(whoami) (UID: $EUID)"
|
||||||
|
log_message "Password file permissions: $(ls -la $PASSWORD_FILE 2>/dev/null || echo 'File not found')"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
export RESTIC_PASSWORD=$(cat "$PASSWORD_FILE")
|
|
||||||
|
# Export password and repository
|
||||||
|
export RESTIC_PASSWORD="$restic_password"
|
||||||
export RESTIC_REPOSITORY="$BACKUP_REPO_PATH"
|
export RESTIC_REPOSITORY="$BACKUP_REPO_PATH"
|
||||||
|
|
||||||
|
# Test repository access
|
||||||
if ! restic snapshots &>/dev/null; then
|
if ! restic snapshots &>/dev/null; then
|
||||||
log_message "ERROR: Unable to access the Restic repository. Check password and repository path."
|
log_message "ERROR: Unable to access the Restic repository at $BACKUP_REPO_PATH"
|
||||||
|
log_message "Repository path exists: $([ -d "$BACKUP_REPO_PATH" ] && echo 'Yes' || echo 'No')"
|
||||||
|
log_message "Repository contents: $(ls -la "$BACKUP_REPO_PATH" 2>/dev/null | wc -l || echo '0') items"
|
||||||
|
|
||||||
|
# Check if repository needs initialization
|
||||||
|
if [ ! -d "$BACKUP_REPO_PATH" ] || [ -z "$(ls -A "$BACKUP_REPO_PATH" 2>/dev/null)" ]; then
|
||||||
|
log_message "Repository appears to be empty or non-existent. It may need initialization."
|
||||||
|
log_message "Run check_backup_repo.sh to initialize the repository."
|
||||||
|
fi
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
log_message "Repository access validated."
|
|
||||||
|
log_message "Repository access validated successfully."
|
||||||
}
|
}
|
||||||
|
|
||||||
# Function: Check repository stats
|
# Function: Check repository stats
|
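Review bot: `if ! restic snapshots &>/dev/null; then` discards restic's own error text, which is what distinguishes a wrong password from a stale lock or a missing repository, while the new failure branch logs only `ls`-based guesses about the directory. Capture stderr and log it instead: `if ! restic_err=$(restic snapshots 2>&1 >/dev/null); then` followed by `log_message "restic: $restic_err"` in the branch. In `Repository contents: $(ls -la "$BACKUP_REPO_PATH" 2>/dev/null | wc -l || echo '0') items` the `|| echo '0'` can never run because `wc -l` succeeds even when `ls` fails, and the count includes `.`, `..` and the `total` line; `find "$BACKUP_REPO_PATH" -mindepth 1 -maxdepth 1 2>/dev/null | wc -l` gives the real entry count. The unquoted `$PASSWORD_FILE` in `ls -la $PASSWORD_FILE` should be `"$PASSWORD_FILE"` for consistency with the rest of the function.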
||||||
|
@ -96,6 +183,9 @@ perform_integrity_check() {
|
||||||
# Main execution
|
# Main execution
|
||||||
main() {
|
main() {
|
||||||
log_message "Starting repository stats check and maintenance..."
|
log_message "Starting repository stats check and maintenance..."
|
||||||
|
log_message "Running as user: $(whoami) (UID: $EUID)"
|
||||||
|
log_message "Repository path: $BACKUP_REPO_PATH"
|
||||||
|
|
||||||
validate_dependencies
|
validate_dependencies
|
||||||
validate_repository
|
validate_repository
|
||||||
check_and_remove_stale_locks
|
check_and_remove_stale_locks
|
||||||
|
|