Backups with capabilities

Robert Connolly robert at
Sat Apr 25 12:57:52 PDT 2009

I use rsync for local backups to an external drive. I didn't like doing this 
as root, in case my misuse of the --delete option caused me to delete my 
original files.

So instead of giving a backup user read/execute on everything I want to 
backup, I did this:

groupadd backup
useradd -g backup backup

install -m0750 -g backup /usr/bin/rsync /usr/bin/rsync-backup
setcap CAP_DAC_OVERRIDE,CAP_DAC_READ_SEARCH=ep /usr/bin/rsync-backup

Now the 'backup' user can read any file on the system, 
with /usr/bin/rsync-backup, but can't delete any file she doesn't own.

I also use the --chmod=go-rwx option with rsync to keep the backups a little 
more private.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <>

More information about the hlfs-dev mailing list