Jottacloud CLI and permissions on Linux

This article addresses the scenario where jotta-cli does not have access to the files you want to back up.

Updated over 2 months ago

For an introduction to permissions on Linux in general, Digital Ocean has an
excellent article on this.

Overview

Jottacloud CLI consists of two parts: the CLI and a daemon. The daemon is called
jottad. jottad is the component that reads and writes your uploads and
downloads, communicates with Jottacloud and handles authentication.

By default when installing jotta-cli on RPM- and DEB-based distributions, the
daemon jottad will be run as both a user and group named jottad.

Because this daemon is running as this created user, jottad will not have
access to any files without world read or write permissions.

One solution to this is to open up the permissions for the files and folders you
want to back up to be world read- and writeable. This is not recommended.

A better solution is to make sure only jottad has read and write access to these files.

You can achieve this by using groups.

Using groups can be done in two different ways:

  1. Adding your user to the group jottad and changing group owner to jottad
    Benefit: jottad only having access to what you want to back up
    Disadvantage: having to change groups every time you want to back up something new

  2. Running jottad as your own user-group
    Benefit: jottad having access to all your files
    Disadvantage: jottad having access to all your files

First solution

  • Add your user to the jottad group: usermod -a -G jottad <username>

  • For every folder you want to back up, change group owner to jottad:
    chgrp jottad /home/<username>/folder_to_backup

  • You may also need to adjust the permissions of the folder:
    chmod g+w /home/<username>/folder_to_backup

$ jotta-cli add /home/<username>/folder_to_backup
ERROR: stat /home/<username>/folder_to_backup: permission denied.
$ chgrp jottad /home/<username>/folder_to_backup
$ jotta-cli add /home/<username>/folder_to_backup
OK

Second solution

What to do here depends on what kind of init-system your OS is using.

  • upstart:
    Open /etc/init/jottad, set setgid to your group name and change umask to 002. If your file does not contain setgid, edit the line chroot --userspec jottad:jottad instead, changing the second jottad to your group: chroot --userspec jottad:<group>
    Restart jottad with the command restart jottad

  • sysvinit:
    Open /etc/init.d/jottad and edit the line group="jottad" to your group.
    Add umask=002 after the line nice="".
    Restart jottad with the command /etc/init.d/jottad restart.

  • systemd:
    Add an override for the systemd service using systemctl edit jottad and enter the following (substituting <group> with your group name):

[Service]
Group=<group>
UMask=0002

Reload the systemd unit files with the command systemctl daemon-reload.
Restart jottad with the command systemctl restart jottad.

Please note that under systemd, user-group inheritance does not necessarily work the way it does in a shell. Make sure that the group you are running the service as is the actual group owner of the directories you want to back up. Alternatively, consider using SupplementaryGroups.

Making sure the group can access folders and files

Using the solutions above will result in jottad being able to read, write and execute files owned by the selected group, but the files and folders themselves will still have to be group readable, writable and executable. All folders need the read and execute permissions so that jottad can enter them and list their contents, and all files should have a minimum of read permission. To understand more about how permissions work on Linux, refer to the Digital Ocean article mentioned above.

Example: set recommended permissions for a backup folder

$ # Find all folders in the folder to backup and make them executable by the group
$ find /home/<username>/folder_to_backup -type d -exec chmod g+x {} \;
$ # Set all files and folders to group readable
$ chmod -R g+r /home/<username>/folder_to_backup

NB: All parent folders of the folder you add to the backup will also need read and execute permission. For the example above, these would be /home and /home/<username>.
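
One way to check the requirement that the backup folder and every parent folder be readable and executable, as an added example that is not Jottacloud's own code. The function name blocked_dirs and its optional TOP argument are hypothetical; it assumes GNU stat, assumes the daemon user does not own the directories, and does not consider ACLs.

```shell
#!/bin/sh
# Added example (not Jottacloud code). Lists every directory from TARGET up
# to TOP that a process running with group GROUP cannot enter and list.
# Assumptions: GNU stat; the daemon user does not own the directories;
# POSIX ACLs are not considered.
# Usage: blocked_dirs GROUP TARGET [TOP]   (TOP defaults to /)
# Exit status: 0 = path is traversable, 1 = at least one directory blocks.
blocked_dirs() (
    group=$1
    dir=$(cd "$2" && pwd -P) || exit 2
    top=${3:-/}
    status=0
    while :; do
        mode=$(stat -c %a "$dir")      # octal mode, e.g. 750 or 2750
        owner_group=$(stat -c %G "$dir")
        m=$((0$mode))                  # leading 0 makes the shell read octal
        # If the directory belongs to GROUP the group bits apply,
        # otherwise the process falls through to the "other" bits.
        if [ "$owner_group" = "$group" ]; then
            bits=$(( (m >> 3) & 7 )); class=group
        else
            bits=$(( m & 7 )); class=other
        fi
        # r (4) to list the directory, x (1) to enter it
        if [ $(( bits & 5 )) -ne 5 ]; then
            echo "$dir: '$class' lacks r-x (mode $mode, group $owner_group)"
            status=1
        fi
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    exit "$status"
)

# Example call; <username> is the page's placeholder:
# blocked_dirs jottad /home/<username>/folder_to_backup
```

Each line it prints names a directory to fix with chgrp or chmod before running jotta-cli add.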
