Duplicati as a service - more complicated than it need be

On Windows I have been using a backup system, Cobian, for very many years. This runs as a service with Windows Shadowing ensuring that all open files are backed up. I am evaluating Duplicati as a replacement for Cobian and was initially very pleased to discover that Duplicati can do this. On further testing, however, installation is significantly more complex than running backups via the user account.

You have provided a tool that sets up the service but it would be so much more intuitive to include an option to run this tool as part of the installation without having to perform a manual step and then a reboot.

I have been evaluating Duplicati from two points of view. The first is as a replacement for Cobian that is more suitable for backing up Thunderbird mail files than Cobian. I am about to install it for my own purposes on my new live system. Testing has been performed in a virtual machine.

The second is to update my backup solution advice for my local computer club members where I am one of the “experts” helping/advising less experienced users. These users, whether they know it or not, have the greatest need for a simple to use and reliable backup. For the latter case I would have to write quite detailed instructions as to how to set this up. Duplicati is suitable for my own purposes but I have concerns about whether any of my club members could use it successfully without a lot of support from me.

A second suggestion that applies to our club members is that most do not have local NAS storage (I do) but they do back up periodically to a USB drive. It would be perfect if Duplicati could detect the attachment of a specific USB drive to the computer and automatically run a preconfigured backup.

This is actually one of my personal wishes, and a variation of it would be to see if there’s an easy way to at least get a user in the Administrators group elevated without a UAC prompt to answer. I’ve found workarounds such as Task Scheduler, but nothing too appealing. The other path to VSS is the service.

You can likely start the service without reboot, but that might be a small point on your main point, which surprisingly seems missing from forum feature requests although there’s a GitHub discussion below at
Duplicati Tray Icon Silently Dies with --no-hosted-server arg #3137 talking about how to monitor service, because as far as I know a service can’t interact with the user the way a user-started application can…

What would be nice would be an installer that sets up the right pieces, basically service plus a TrayIcon with --no-hosted-server, but this doesn’t work with UI passwords because TrayIcon requires DB access which it ordinarily doesn’t have (service typically runs as the SYSTEM user, denying access to ordinary).

Running as SYSTEM giving a web GUI also raises security risk, as a compromised web server is worse.
Possibly your system architect background makes you aware of such issues. See any simple solutions?

Making complex systems easy can be hard, and Duplicati has a lot of moving parts that need to interact.
It’s extremely flexible, but flexibility gets in the way of ease of use, maybe until an installer can set it all up,
but part of the widespread volunteer shortages that I mentioned is lack of expertise in Windows installers.

Duplicati Tutorial 02 Install Duplicati as a Service is a somewhat old video that I think still fits (because of lack of people to change it and ruin the fit). One can quibble about settings, but you can develop favorites.

--portable-mode as used there is one way to keep Windows version updates from wiping Duplicati config into Windows.old (then soon deleting). There are other ways (e.g. --server-datafolder) to avoid this issue.
Migrating from User to Service install on Windows is a way-too-long discussion on the Windows wipeout.

It’s best not to put multiple feature requests in a topic, because it gets hidden from users and developers.
Device mount detection (USB or otherwise) is one previous discussion, and there are likely some others.


I take your point about two suggestions in one email. I will remember in future.

I will give some thought about security risks when running as System. My first thoughts are that the service may only need to have Admin privileges but does not need full System privileges. This lowers the risk somewhat. This of course only makes a difference if you run as a Standard User as one should rather than having Admin rights as many users do. I have produced a document on this topic

Windows - you need two accounts

To answer the question more thoroughly I would need to know what privileged operations are performed and I suspect the only way to determine that is to look at the source code. I am still moving into my new laptop (trying to tidy up after many years and many transitions through various computers and trying to eliminate 20 years of accumulated junk) so I will consider looking at that in a couple of weeks. Installing Duplicati is next on my list. My evaluation was done in a VM.

In the process of tidying up I came across an archived Duplicati support thread including a post from me dated April 2013 discussing backing up locked files. Presumably version 1!

That’s a bit like what I want, but I couldn’t find a less-than-ugly way to get that. Windows makes it hard, possibly because it tries to balance security and simplicity. How User Account Control works explains
how poor-but-easy practices like browsing the web as an Administrator are safer than they once were.

Actually having a service run as a non-SYSTEM user may also run into user password change issues.

Having the service run as SYSTEM tends to run into CIFS/SMB share issues getting to other systems.

Advanced Options covers this. Search for administrative or root. The usual one that trips people is
snapshot-policy because they have locked files, and Windows won’t give Duplicati access for backups.
usn-policy is likely less used because there’s less incentive. Both are confusing because Administrator accounts don’t actually get administrative privileges until a UAC prompt is answered, which adds effort.

I don’t think so. The VSS method essentially allows you to read any file on disk, which is a fairly dangerous thing.

Ideally, Duplicati would run a process with elevated privileges that can make and access the snapshots, but this is a security consideration itself (if another process can call this helper process/service, it can bypass all security features in Windows).

I agree. Sadly, even though WiX is a great improvement on MSI crafting, it is still time consuming to implement and test something basic like “if this check-box is set, then run this program as part of the install”.

If the service is running with elevated privileges, the Web GUI is essentially a web-channel into a SYSTEM service. Even without flaws in Duplicati itself, a compromised website or plugin would be able to configure and start a “backup” of sensitive data to an attacker controlled host (some protection exists, but the GUI needs to be able to do this, so it cannot be fully prevented).

I’m not so sure about that. Are you saying it does not respect access control lists? It did for me.
I made a file that only allows access for my Standard User. Duplicati as elevated Administrator:

{"ClassName":"System.UnauthorizedAccessException","Message":"Access to the path '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy334\backup source\restricted file here\restricted.txt' is denied.",

and I wish I didn’t have to use the live log to see the reason. The job log chops off all the details:

"Warnings": [
"2021-05-04 11:03:28 -04 - [Warning-Duplicati.Library.Main.Operation.Backup.MetadataGenerator.Metadata-MetadataProcessFailed]: Failed to process metadata for \"C:\backup source\restricted file here\restricted.txt\", storing empty metadata",
"2021-05-04 11:03:28 -04 - [Warning-Duplicati.Library.Main.Operation.Backup.FileBlockProcessor.FileEntry-PathProcessingFailed]: Failed to process path: C:\backup source\restricted file here\restricted.txt"
],

I described that in a Dutch article about Duplicati.
See: Duplicati 2.0 - de basis | Rhino's place - hulp Windows, Veiligheid en TC, from point 6. Use DeepL to translate.


Thank you very much for such an informative document. Google translate did an excellent job of converting it into very readable English. I am due to give a presentation to my local computer club later this year and I intend to include Duplicati and especially your option for triggering a backup to a USB device. In fact, once I have Duplicati working on my new computer (my next task), I will publish a note in our members only forum.

I also provide a club members’ (but publicly accessible) web site intended to support our members. May I include a link to your document on that site?

My site is http://soroban.co.uk/gxcc/ - go to PC Programs … and then Backup. Duplicati will appear there soon and (hopefully) a link to your document.

At the other end of the trigger is the backup end. I wonder how many drives will get pulled mid-backup?
I think some commercial backups claim to withstand that. I guess we may see how Duplicati fares.

What’s supposed to happen in current Beta is interrupted backup gets a synthetic file list uploaded
containing what was done during interrupted backup, laid on top of what was there before that one.
Backup should then continue, but not repeat work that was completely done before the interruption.

If problems start arising, this might be a good way to get some real-life examples with debug logs…

It is good that I could help. Of course you may include a link on your site. I am currently working on an additional article about Duplicati where I will go deeper into various settings such as mail processing, Duplicati as a service, filters and more.


I look forward to seeing your new document.

I have added Duplicati to my site now. I am now about to configure it on my own new laptop.

Interesting! So you are saying it is possible to create a file that is not readable from the snapshot?

Did you use an admin account to create the snapshot, and then another account to read it?
When I tested it, I used the same account to create the snapshot and read it, and it would always get full access. I did not try to specifically deny anyone access, but just accessed things from the standard users (which are not shared).

I don’t understand the question. My Duplicati.GUI.TrayIcon.exe backup made and tried to read.
This was all done as an Administrator account which is elevated at manual start and UAC like

I have not tested a lot of combinations, but the above gets me into the Administrators group as:

I also think the VSS snapshots honor ACLs just like the live filesystem. Backup programs usually utilize SeBackupPrivilege to bypass ACL checking. If the user running Duplicati is a member of Administrators or Backup Operators, it has the ability to get this privilege token. (This is in a default Windows configuration. Technically any user can be granted the ability to get this privilege token if you edit the Local Security Policy.)

Use SeBackupPrivilege on Windows #4471 is in the Duplicati pull request queue.


Ah, that was the confusion. It looks like a user that can run VSS gets the SeBackupPrivilege by default (cannot find definitive docs stating it). But it makes sense to separate the two, and allow toggling VSS and SeBackupPrivilege individually.

I think this would make it possible to have a service with elevated privileges that can create/remove VSS snapshots, and then allow Duplicati to run with the current user privileges to perform the backup, optionally toggling SeBackupPrivilege to grant the user extra privileges.

Maybe you’re already doing this, but

The commands whoami /priv and whoami /groups are useful for examining.

A non-elevated user set up as an Administrator in settings does not get this.
They also can’t run VSS, getting

Failed to create a snapshot: Attempted to perform an unauthorized operation.

The same user, elevated, seems like they do get SeBackupPrivilege to enable:

C:\>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Disabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Disabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Disabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Disabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Disabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Disabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled
SeTimeZonePrivilege                       Change the time zone                                               Disabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled

C:\>

Ok, that fits my investigations. On a default system, a user that has VSS create privileges also has SeBackupPrivilege (maybe it can be adjusted with policies).

Technically they only have the privilege when the token is enabled (it’s disabled by default). A program has to use the AdjustTokenPrivileges API to enable the privilege.

The State column on the right of my whoami /priv shows the Disabled (most) or Enabled (few) state.
Sorry for the wide line. You need to use the scrollbar to see.
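The two points made above, that membership in Administrators or Backup Operators only puts SeBackupPrivilege in the token in the Disabled state, and that a program has to call AdjustTokenPrivileges to enable it before it bypasses the ACL check, can be exercised directly. The script below is an added example written for this thread; it is not Duplicati code and not the approach of pull request #4471. It assumes an elevated PowerShell session on Windows (the non-elevated case is reported rather than fixed), and the probe file with its explicit deny ACE is constructed by the script itself. The P/Invoke wrapper name PrivNative and the two function names are my own.

```powershell
# Added example (not Duplicati code): enable SeBackupPrivilege on the current
# process token with AdjustTokenPrivileges, then open a file with
# FILE_FLAG_BACKUP_SEMANTICS so the privilege, not the DACL, decides access.
# Assumptions: elevated PowerShell on Windows; the probe file and its deny ACE
# are constructed below and removed again at the end.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

public static class PrivNative
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }

    // TOKEN_PRIVILEGES with exactly one LUID_AND_ATTRIBUTES entry, flattened
    // into 4-byte fields so the layout matches the Win32 struct on x86 and x64.
    [StructLayout(LayoutKind.Sequential)]
    public class TokenPrivileges
    {
        public uint PrivilegeCount = 1;
        public uint LuidLow;
        public int  LuidHigh;
        public uint Attributes;
    }

    public const uint SE_PRIVILEGE_ENABLED    = 0x00000002;
    public const uint TOKEN_QUERY             = 0x0008;
    public const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
    public const int  ERROR_NOT_ALL_ASSIGNED  = 1300;

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr hProcess, uint access, out IntPtr hToken);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr hToken, bool disableAll,
        TokenPrivileges newState, uint bufLen, IntPtr prevState, IntPtr retLen);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern SafeFileHandle CreateFile(string path, uint access, uint share,
        IntPtr sa, uint disposition, uint flags, IntPtr template);
}
'@

function Enable-TokenPrivilege {
    # Returns $true if the privilege is now Enabled, $false if the token does not
    # hold it at all (ERROR_NOT_ALL_ASSIGNED), which is what a non-elevated
    # Administrators member sees.
    param([Parameter(Mandatory)][string]$Name)
    $token = [IntPtr]::Zero
    $proc  = [System.Diagnostics.Process]::GetCurrentProcess().Handle
    $want  = [PrivNative]::TOKEN_ADJUST_PRIVILEGES -bor [PrivNative]::TOKEN_QUERY
    if (-not [PrivNative]::OpenProcessToken($proc, $want, [ref]$token)) {
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $luid = New-Object PrivNative+LUID
        if (-not [PrivNative]::LookupPrivilegeValue($null, $Name, [ref]$luid)) {
            throw "LookupPrivilegeValue($Name) failed"
        }
        $tp = New-Object PrivNative+TokenPrivileges
        $tp.LuidLow    = $luid.LowPart
        $tp.LuidHigh   = $luid.HighPart
        $tp.Attributes = [PrivNative]::SE_PRIVILEGE_ENABLED
        $ok  = [PrivNative]::AdjustTokenPrivileges($token, $false, $tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if (-not $ok) { throw "AdjustTokenPrivileges failed: $err" }
        # AdjustTokenPrivileges returns TRUE even when nothing was enabled; the
        # last-error value is the only signal that the privilege is absent.
        return ($err -ne [PrivNative]::ERROR_NOT_ALL_ASSIGNED)
    } finally {
        [void][PrivNative]::CloseHandle($token)
    }
}

function Read-FileWithBackupSemantics {
    # Opens with FILE_FLAG_BACKUP_SEMANTICS. Without that flag an enabled
    # SeBackupPrivilege changes nothing and the DACL is enforced as usual.
    # A \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\... path works here too.
    param([Parameter(Mandatory)][string]$Path)
    $GENERIC_READ               = [uint32]0x80000000
    $FILE_SHARE_READ_WRITE      = [uint32]3
    $OPEN_EXISTING              = [uint32]3
    $FILE_FLAG_BACKUP_SEMANTICS = [uint32]0x02000000
    $h = [PrivNative]::CreateFile($Path, $GENERIC_READ, $FILE_SHARE_READ_WRITE, [IntPtr]::Zero,
                                  $OPEN_EXISTING, $FILE_FLAG_BACKUP_SEMANTICS, [IntPtr]::Zero)
    if ($h.IsInvalid) {
        throw "CreateFile failed with Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $fs = New-Object System.IO.FileStream($h, [System.IO.FileAccess]::Read)
    try { (New-Object System.IO.StreamReader($fs)).ReadToEnd() } finally { $fs.Dispose() }
}

# Constructed probe: a file whose DACL explicitly denies read to the current user.
$probe = Join-Path $env:TEMP 'sebackup-probe.txt'
Set-Content -Path $probe -Value 'only readable with SeBackupPrivilege'
icacls $probe /deny "$($env:USERNAME):(R)" | Out-Null

try {
    try   { Get-Content $probe -ErrorAction Stop | Out-Null; "DACL read: allowed (unexpected)" }
    catch { "DACL read: denied, as the ACL says" }

    if (Enable-TokenPrivilege -Name 'SeBackupPrivilege') {
        "SeBackupPrivilege enabled; whoami /priv in this process would now show it as Enabled"
        "Backup-semantics read: " + (Read-FileWithBackupSemantics -Path $probe)
    } else {
        "Token does not hold SeBackupPrivilege (non-elevated?); the DACL still applies"
    }
} finally {
    icacls $probe /remove:d "$env:USERNAME" | Out-Null
    Remove-Item $probe -Force
}
```

Run it twice, once from a plain PowerShell window and once from one started with "Run as administrator", to see the difference the elevated token makes: the first run reports that the token does not hold the privilege, the second reads the denied file. Note that the privilege is enabled on the process token only for the lifetime of this process, which is the separation the post above describes, a helper that holds the privilege while the rest of the backup runs with ordinary user rights.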