Now it appears that, as a sudoer XY, I can't download the content of a backup folder from the VPS to my PC via an FTP client (WinSCP in this case). A permissions thing pops up. I can enter the folder though, as a sudoer XY.
Hence, kindly, I have three questions:
1. What are the correct, default permissions for the backup folder and its content? (I messed up a bit manually.)
2. Who should be the owner of that folder and its content, only 'openproject' or could it be any sudoer? (It's also tricky here: one set of backups is owned by me as a sudoer XY, and although I log in via FTP as a sudoer XY I still cannot download; the same message pops up.)
3. Is it possible at all to download the content of a backup folder as any user other than root?
Robinson Taylor wrote:
As a sudoer, you have elevated privileges to perform administrative tasks on the system, but you are not the root user. To download backup files as a sudoer, you can follow these general steps:
1. Open a terminal or command prompt on the system where the backup files are located.
2. Navigate to the directory where the backup files are stored.
3. Check the file permissions to ensure that the backup files are readable by the user account you are logged in as. You can use the "ls -l" command to view the file permissions.
4. Use the "sudo" command to execute the download command with elevated privileges. For example, if you want to download a file named "backup.tar.gz" using the "wget" command, you would run:
5. Enter your sudo password when prompted, if required.
6. Wait for the download to complete and verify that the backup file has been downloaded successfully.
If you encounter any errors or permission issues while downloading the backup files as a sudoer, you may need to check the file permissions or consult with the root user or system administrator for further assistance.
I am not entirely sure, but chances are that the openproject user might not have a password, as it should be meant to run the application and not work on the system.
Since regular backups are likely to be created by a recurring process such as a cronjob, you might want to do the following:
1. Run "openproject run backup" from the script, crontab, etc. that is in charge of creating regular backups.
2. If the backups should be moved somewhere else, especially offsite, you might want to encrypt those backups first, for example with borg.
3. Then move the backups to a location on the host where a non-sudo user has access, and chown the backup files to the non-sudo user. -> This circumvents the issue of having to know the credentials for user "openproject".
4. Set the authentication methods for said user the way you need to. You might want to use key-based authentication for ssh.
That is a solution that has worked for me and should work on most Linux systems "out of the box" (except for Borg, of course, which you would need to install).
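The staging step described above (root's cron job copies the backups to a directory a non-sudo account can read and chowns them to it), as an added shell example that is not part of the original post or of OpenProject. /var/db/openproject/backup is the path from the WinSCP script in this thread; the script name, the destination directory and the account name "backupdl" are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: root's cron job stages backups for a
# non-sudo download account. DST and the account are passed as arguments;
# any concrete values for them are assumptions, not OpenProject defaults.

# stage_backups SRC DST OWNER GROUP
# Copies regular files from SRC to DST and hands them to OWNER:GROUP.
stage_backups() {
    src=$1 dst=$2 owner=$3 group=$4
    [ -d "$src" ] || { echo "missing source: $src" >&2; return 1; }

    # Directory: owner rwx, group r-x, others nothing.
    mkdir -p "$dst" || return 1
    chown "$owner:$group" "$dst" || return 1
    chmod 0750 "$dst" || return 1

    for f in "$src"/*; do
        [ -f "$f" ] || continue   # skips subdirectories and an empty glob
        [ -L "$f" ] && continue   # do not follow symlinks out of SRC
        name=$(basename "$f")
        # Already staged and source not newer: nothing to do.
        if [ -e "$dst/$name" ] && [ ! "$f" -nt "$dst/$name" ]; then
            continue
        fi
        # Copy under a temporary name, fix owner and mode, then rename, so
        # the final name never refers to a half-written file.
        tmp="$dst/.$name.part"
        cp -p "$f" "$tmp" || return 1
        chown "$owner:$group" "$tmp" || return 1
        chmod 0640 "$tmp" || return 1   # owner rw, group r, others nothing
        mv -f "$tmp" "$dst/$name" || return 1
    done
}

# Run as root after the backup job, e.g. from root's crontab:
#   stage-backups.sh /var/db/openproject/backup /srv/backup-export backupdl backupdl
# (script name, /srv/backup-export and "backupdl" are hypothetical).
if [ "$#" -eq 4 ]; then
    stage_backups "$@"
fi
```

The download script then logs in as that account with its SSH key and points its "cd" line at the staging directory instead of the original backup folder.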
Replies (7)
Robinson, thanks a lot for taking the time to reply.
Backups on VPS are done via cron by root.
I have root privileges too. But for security reasons, as mentioned, root via SSH is turned off, by me. For now, I don't want to use it, as I did for years.
I used a working .BAT script via WinSCP, which starts now and then stops because of the permissions problem, I think (this script worked fine for years when I used the root account to download).
I used to run this script automatically on my PC via Task Scheduler every morning, before the problem with permissions appeared:
@echo off

"C:\Program Files (x86)\WinSCP\WinSCP.com" ^
  /ini=nul ^
  /command ^
    "open sftp://non-root-sudoer@domain.com:port#/ -hostkey=""ssh-###"" -privatekey=""G:\path\to\keys keys SSH\key.ppk"" -passphrase=""x"" -rawsettings PingType=X AgentFwd=X AuthKI=X" ^
    "cd /var/db/openproject/backup" ^
    "lcd ""G:\path\to\myPC\backupfolder""" ^
    "get -preservetime *" ^
    "exit"

set WINSCP_RESULT=%ERRORLEVEL%
if %WINSCP_RESULT% equ 0 (
  echo Success
) else (
  echo Error
)

exit /b %WINSCP_RESULT%
But I understand that basically, it is all about non-root-sudoer permissions: backup folder and files.
Do you know the exact chmod number which I should set up?
This is what I have got for the folder (the only possible owners from the drop-down list are root and openproject):
And this is what I get for the files in the folder (the only owners available from the drop-down list are non-root-sudoer and openproject):
Do you have any ideas how to set it correctly?
I will be very grateful for any clues.
Cheers,
Piotr
Solved.
I should have downloaded all as openproject user.
Sorry for bothering.
Piotr
What is the password for openproject user?
Jeff, sorry, I don't know, I use another way to login.
I believe it is set by a user/admin during (first?) installation.
Cheers,
Piotr
Hi Piotr F,
Is your other way the peer authentication method for the postgres system account? Can you join the public Telegram group https://t.me/openproject_PMS so we can have a talk?
Hi @Jan H, and @Jeff Li,
Yes, this is one of the simplest methods.
You can set crontab to move/copy backups to somewhere else, for example to some non-sudoer folders.
I keep this all automated, don't do anything, just turn on the PC, and via script it downloads backups every day.
Best,
Piotr
PS Jeff, sorry for not replying, no, I don't intend to go to any Telegram groups.