feat: use a dedicated user to run backup services

README.md

@@ -80,7 +80,7 @@ EOPKEY
 ```
 If you don't find the mail and you don't see the message in the log bar you can find the public_key with this command:
 ```
-cat /root/.ssh/id_restic_ed25519.pub
+cat /home/restic/.ssh/id_restic_ed25519.pub
 ```
 
 ## (Optional) set sftp jail on server B

conf/backup-with-restic.j2

@@ -14,7 +14,7 @@ if [ -f "$LOCK_FILE" ];then
   exit 1
 fi
 echo $$ > "$LOCK_FILE"
-if yunohost -v | grep "version: 2." > /dev/null; then
+if sudo yunohost -v | grep "version: 2." > /dev/null; then
   ignore_apps="--ignore-apps"
   ignore_system="--ignore-system"
 else
@@ -26,19 +26,19 @@ filter_hooks() {
 }
 
 # Backup system part conf
-conf=$(yunohost app setting {{ app }} conf)
+conf=$(sudo yunohost app setting {{ app }} conf)
 if [ $conf -eq 1 ];then
-  yunohost backup create $ignore_apps -n auto_conf --method {{ app }}_app --system $(filter_hooks conf)
+  sudo yunohost backup create $ignore_apps -n auto_conf --method {{ app }}_app --system $(filter_hooks conf)
 fi
 
 # Backup system data
-data=$(yunohost app setting {{ app }} data)
+data=$(sudo yunohost app setting {{ app }} data)
 if [ $data -eq 1 ];then
-  yunohost backup create $ignore_apps -n auto_data --method {{ app }}_app --system $(filter_hooks data)
+  sudo yunohost backup create $ignore_apps -n auto_data --method {{ app }}_app --system $(filter_hooks data)
 fi
 
 # Backup all apps independently
-apps=$(yunohost app setting {{ app }} apps)
+apps=$(sudo yunohost app setting {{ app }} apps)
 for app in $(ls /etc/yunohost/apps/*/scripts/backup | cut -d / -f 5); do
   backup_app=false
   for selected_app in $(echo $apps | tr "," " ");do
@@ -48,7 +48,7 @@ for app in $(ls /etc/yunohost/apps/*/scripts/backup | cut -d / -f 5); do
     fi
   done
   if [ "$backup_app" == "true" ];then
-    yunohost backup create $ignore_system -n auto_$app --method {{ app }}_app --apps $app
+    sudo yunohost backup create $ignore_system -n auto_$app --method {{ app }}_app --apps $app
   fi
 done
 rm "$LOCK_FILE"

conf/restic_log.j2

@@ -4,7 +4,7 @@ set -u
 invocation_id=$(systemctl show -p InvocationID --value {{ app }}.service)
 hostname=$(hostname)
 subject="YunoHost Restic backup log on ${hostname}"
-backup_results=$(/bin/journalctl _SYSTEMD_INVOCATION_ID=${invocation_id} | grep -oP '(?<=    )[a-zA-Z_-]+: \w+')
+backup_results=$(sudo /bin/journalctl _SYSTEMD_INVOCATION_ID=${invocation_id} | grep -oP '(?<=    )[a-zA-Z_-]+: \w+')
 echo ${backup_results} | grep -iqE 'error|fail'
 if [ "$?" -eq 0 ];then
   subject="${subject} (FAIL)"

conf/systemd.service

@@ -6,8 +6,8 @@ After=network.target
 Type=oneshot
 ExecStart=/usr/local/bin/backup-with-__APP__
 ExecStartPost=/opt/yunohost/__APP__/restic_log___APP__
-User=root
+User=__APP__
-Group=root
+Group=__APP__
 
 [Install]
 WantedBy=multi-user.target

conf/systemd_check.service

@@ -6,8 +6,8 @@ After=network.target
 Type=oneshot
 ExecStart=__FINALPATH__/check-__APP__
 ExecStartPost=/bin/bash -c 'echo -e "Subject: YunoHost Restic check log on $(hostname)\n$(/bin/journalctl _SYSTEMD_INVOCATION_ID=`systemctl show -p InvocationID --value __APP___check.service`)" | /usr/sbin/sendmail root'
-User=root
+User=__APP__
-Group=root
+Group=__APP__
 
 [Install]
 WantedBy=multi-user.target

conf/systemd_check_read_data.service

@@ -6,8 +6,8 @@ After=network.target
 Type=oneshot
 ExecStart=__FINALPATH__/check-__APP__ "1"
 ExecStartPost=/bin/bash -c 'echo -e "Subject: YunoHost Restic complete check log on $(hostname)\n$(/bin/journalctl _SYSTEMD_INVOCATION_ID=`systemctl show -p InvocationID --value __APP___check_read_data.service`)" | /usr/sbin/sendmail root'
-User=root
+User=__APP__
-Group=root
+Group=__APP__
 
 [Install]
 WantedBy=multi-user.target

manifest.json

@@ -6,7 +6,7 @@
     "en": "Backup your server with restic.",
     "fr": "Sauvegardez votre serveur avec restic."
   },
-  "version": "0.12.0~ynh3",
+  "version": "0.12.0~ynh4",
   "url": "https://restic.net/",
   "license": "BSD-2-Clause",
   "maintainer": {

scripts/backup

@@ -37,6 +37,7 @@ ynh_backup "/etc/systemd/system/${app}_check_read_data.timer"
 ynh_backup "/etc/yunohost/hooks.d/backup_method/05-${app}_app"
 ynh_backup "${final_path}/check_method_${app}"
 ynh_backup "${final_path}/restic_log_${app}"
-ynh_backup "/root/.ssh/id_${app}_ed25519"
+ssh_dir="/root/.ssh"
-ynh_backup "/root/.ssh/id_${app}_ed25519.pub"
+ynh_backup "${ssh_dir}/id_${app}_ed25519"
-ynh_backup "/root/.ssh/config"
+ynh_backup "${ssh_dir}/id_${app}_ed25519.pub"
+ynh_backup "${ssh_dir}/config"

scripts/install

@@ -36,6 +36,17 @@ ynh_save_args server port ssh_user backup_path passphrase on_calendar check_on_c
 ynh_script_progression --message="Installing restic binary" --weight=7
 install_restic
 
+#=================================================
+# CREATE APP USER
+#=================================================
+ynh_script_progression --message="Creating user ${app}"
+useradd -m ${app}
+ynh_script_progression --message="Configure ${app} user sudoer rights"
+cat > /tmp/${app}_sudoer << EOSUDOER
+${app} ALL = (root) NOPASSWD: /usr/bin/yunohost*, /bin/journalctl*
+EOSUDOER
+visudo -cf /tmp/${app}_sudoer && mv /tmp/${app}_sudoer /etc/sudoers.d/${app}
+
 #=================================================
 # ACTIVATE BACKUP METHODS
 #=================================================
@@ -56,6 +67,7 @@ ynh_configure check_method "${final_path}/check_method_${app}"
 ynh_script_progression --message="Setting up log script"
 ynh_configure restic_log "${final_path}/restic_log_${app}"
 chmod u+x "${final_path}/restic_log_${app}"
+chown ${app}: "${final_path}/restic_log_${app}"
 
 #=================================================
 # CONFIGURE CRON
@@ -64,6 +76,7 @@ ynh_script_progression --message="Configuring cron" --weight=5
 ynh_configure backup-with-restic "/usr/local/bin/backup-with-${app}"
 ynh_configure check-restic "${final_path}/check-${app}"
 chmod u+x "/usr/local/bin/backup-with-${app}"
+chown ${app}: "/usr/local/bin/backup-with-${app}"
 chmod u+x "${final_path}/check-${app}"
 chmod u+x "${final_path}/check_method_${app}"
 ynh_add_systemd_config --service=${app} --template=systemd.service
@@ -82,18 +95,28 @@ systemctl start ${app}.timer
 systemctl start ${app}_check.timer
 systemctl start ${app}_check_read_data.timer
 
+#=================================================
+# SET PERMISSIONS ON FINAL PATH
+#=================================================
+ynh_script_progression --message="Set permissions on ${final_path}"
+chown -R ${app}: ${final_path}
+
 #=================================================
 # GENERATE SSH KEY
 #=================================================
 ynh_script_progression --message="Generating private key"
-private_key="/root/.ssh/id_${app}_ed25519"
+ssh_dir="/root/.ssh"
+if [ ! -d "${ssh_dir}" ];then
+  mkdir -p "${ssh_dir}"
+fi
+private_key="${ssh_dir}/id_${app}_ed25519"
 test -f $private_key || ssh-keygen -q -t ed25519 -N "" -f $private_key
 
 #=================================================
 # GENERATE SSH CONFIG
 #=================================================
 ynh_script_progression --message="Generating ssh config for ${app} server ${server}"
-grep -q "${app}" /root/.ssh/config 2>/dev/null || cat << EOCONF >> ~/.ssh/config
+grep -q "${app}" ${ssh_dir}/config 2>/dev/null || cat << EOCONF >> ${ssh_dir}/config
 # begin $app ssh config
 Host ${server}
   Hostname ${server}

scripts/remove

@@ -43,5 +43,14 @@ ynh_secure_remove "${final_path}"
 #=================================================
 # REMOVE SSH CONFIG
 #=================================================
-ynh_script_progression --message="Removing ssh config" --last
+ynh_script_progression --message="Removing ssh config"
-sed -e "/begin ${app}/,/end ${app}/{/.*/d}" /root/.ssh/config -i || true
+ssh_dir="/root/.ssh"
+sed -e "/begin ${app}/,/end ${app}/{/.*/d}" ${ssh_dir}/config -i || true
+
+#=================================================
+# REMOVE USER
+#=================================================
+ynh_script_progression --message="Removing sudoers rights for user ${app}"
+rm /etc/sudoers.d/${app}
+ynh_script_progression --message="Removing ${app} user" --last
+userdel ${app}

scripts/upgrade

@@ -60,6 +60,42 @@ fi
 ynh_script_progression --message="Installing restic binary" --weight=7
 install_restic
 
+#=================================================
+# CREATE APP USER
+#=================================================
+ynh_script_progression --message="Creating user ${app}"
+id ${app} 2>/dev/null || useradd -m ${app}
+ynh_script_progression --message="Configure ${app} user sudoer rights"
+cat > /tmp/${app}_sudoer << EOSUDOER
+${app} ALL = (root) NOPASSWD: /usr/bin/yunohost*, /bin/journalctl*
+EOSUDOER
+visudo -cf /tmp/${app}_sudoer && mv /tmp/${app}_sudoer /etc/sudoers.d/${app}
+ynh_script_progression --message="Move ssh keys from root to ${app} user's home"
+ynh_script_progression --message="Generate ssh config"
+set +o errexit
+set +o nounset
+export ssh_dir="/root/.ssh"
+export private_key="${ssh_dir}/id_${app}_ed25519"
+mkdir ${ssh_dir} 2>/dev/null || true
+touch ${ssh_dir}/config
+grep -q "begin ${app}" ${ssh_dir}/config
+missing_conf="$?"
+if [ "$missing_conf" -eq "1" ];then
+  cat << EOCONF >> ${ssh_dir}/config
+  # begin $app ssh config
+  Host ${server}
+    Hostname ${server}
+    Port ${port}
+    User ${ssh_user}
+    IdentityFile ${private_key}
+    StrictHostKeyChecking no
+    UserKnownHostsFile /dev/null
+  # end $app ssh config
+EOCONF
+fi
+chown -R ${app}: /home/${app}
+
+
 #=================================================
 # ACTIVATE BACKUP METHODS
 #=================================================
@@ -80,6 +116,7 @@ ynh_configure check_method "${final_path}/check_method_${app}"
 ynh_script_progression --message="Setting up log script"
 ynh_configure restic_log "${final_path}/restic_log_${app}"
 chmod u+x "${final_path}/restic_log_${app}"
+chown ${app}: "${final_path}/restic_log_${app}"
 
 #=================================================
 # CONFIGURE CRON
@@ -88,6 +125,7 @@ ynh_script_progression --message="Configuring cron" --weight=5
 ynh_configure backup-with-restic "/usr/local/bin/backup-with-${app}"
 ynh_configure check-restic "${final_path}/check-${app}"
 chmod u+x "/usr/local/bin/backup-with-${app}"
+chown ${app}: "/usr/local/bin/backup-with-${app}"
 chmod u+x "${final_path}/check-${app}"
 chmod u+x "${final_path}/check_method_${app}"
 ynh_add_systemd_config --service=${app} --template=systemd.service
@@ -112,19 +150,18 @@ ynh_script_progression --message="End of upgrade process" --last
 # UPGRADE SSH CONFIG
 #=================================================
 
-# old versions did not have delimiters in /root/.ssh/config
+# old versions did not have delimiters in ~/.ssh/config
 # making removal in multi-instance cases break the remaining
 # instances.
 # So we need to add the delimiters if they are missing
 set +o errexit
 set +o nounset
-private_key="/root/.ssh/id_${app}_ed25519"
+grep -q "begin ${app}" ${ssh_dir}/config
-grep -q "begin ${app}" /root/.ssh/config
 missing_delimiters="$?"
 if [ "$missing_delimiters" -eq 1 ];then
   # did not find delimiters so removing old configuration
-  sed -e "/Host ${server}/,+6d" /root/.ssh/config -i || true
+  sed -e "/Host ${server}/,+6d" ${ssh_dir}/config -i || true
-  cat << EOCONF >> ~/.ssh/config
+  cat << EOCONF >> ${ssh_dir}/config
 # begin $app ssh config
 Host ${server}
   Hostname ${server}