Local disk credentials issue

Hello.

I’m using Duplicati - 2.0.6.3_beta_2021-06-17

I created a backup configuration and it is working; however, I found an issue with credentials for local folders.

I am talking about the user, password and check connection button:

Issue no 1.

When I create a config with the above credentials and then click edit on the config, the credentials are missing and the fields are empty. I am not sure whether the credentials are saved or not. Please note that in the general first step the credentials are available, but in the next step they are not. Maybe this is connected with the more impactful issue below.

Issue no 2.

Folder d:\duplicati_backup has access granted to user “duplicati_user” only, PL test “zezwalj” = EN “Allow”, and there is no inheritance from d:. The owner is local admin “dorotka”; however, I also tested with owner “duplicati_user” and nothing changes, it does not work.

Also a screen to confirm that this user exists and is enabled:

So when I click check connection, this error appears:

The message says the folder does not exist, create it? I click yes and the next popup window appears:

Access refused for above path.

But when I add my admin user “dorotka” to the dir, then the dir exists (it was created earlier).

After adding my admin user “dorotka” to the path, Duplicati works:

Please note there are still credentials for another user “duplicati_user” in the background.

Summary:

In my opinion the credentials are not working correctly here.
Can you please check this?

Best Regards.

Update. There is a bug: I just entered some fake user and password in the credentials and kept everything else the same as in the last steps above; this means the backup folder has admin “dorotka” and “duplicati_user” granted only for the backup folder.

After this, success

Can someone fix it please?

At the very least the username and password are optional and so if it doesn’t need it then it will pass regardless of those being filled in. That one is not exactly a bug and I’d say it’s working fine.

I don’t know if there’s anything else here. The images in another language don’t help. Translation is much harder. There is a possible issue I see with a USB drive and it seems to get stuck on it but that’s all I’m seeing from 2.0.6.104_canary_2022-06-15 anyway which is newer.

Welcome to the forum @oneiro

Advanced destination options lost when editing a job in the web UI #4748 might be related.
You can add auth-password and auth-username on Options screen 5 instead, but first…

Topic title Local disk credentials issue isn’t what these are for. They’re mainly SMB.
Although Windows does the connection, sometimes it needs the credentials for the server.

Local folder or drive

  • --auth-password The password used to connect to the server. This may also be supplied as the environment variable AUTH_PASSWORD.
  • --auth-username The username used to connect to the server. This may also be supplied as the environment variable AUTH_USERNAME.

For truly local use (e.g. NTFS ACLs) Duplicati runs with the credentials that it’s started with.
Does that fit the behaviors you’re seeing? Sometimes one might want it run as an elevated
Administrator, which sometimes means an annoying UAC prompt, but that’s Windows’ way.
Alternatively you can run it as a Windows service as SYSTEM or whatever user you choose.
A service is most easily set up before starting to backup, but there are also migration guides.

Migrating from User to Service install on Windows (v3 is the latest version of migration steps)
What is the objective anyway? You seem to have credentials plans in mind, but what exactly?

Hi @Xavron

Thank you for your answer. Earlier I used an older version, although it came from the main page, but I have now downloaded and installed a pre-release version:

v2.0.6.104-2.0.6.104_canary_2022-06-15

For your comfort I also set the language of the Windows OS and the Duplicati UI to English; I hope it will be clearer for you and others.

I will try again from the beginning, focusing on issue no 2. First of all, I have two users:

  • duplicati_user - account not assigned to any group, dedicated to Duplicati resources
  • root - Administrator group member, I work in this account in Windows 10

On drive C:\ I create a new directory TEST_DIR and disable inheritance. Only “duplicati_user” should have access to the dir, as shown in the picture below:

In theory other users like “root” should not have access, and indeed:

So I try to access the dir using the dedicated user in the Duplicati app:

Unfortunately it does not work

However, the credentials work fine for “duplicati_user”

This is evidence that this functionality does not work.

Please note that I understand these are optional fields, but I’d like to use them for security reasons. I’d like to use another user to keep my backups, as the functionality has been prepared. But it is not working correctly and I kindly ask for a fix.

I think you’re missing main point that your username and password don’t change Duplicati’s user.
Are you starting Duplicati as duplicati_user? This should be easy to see in Task Manager, but
could also be known from how you start Duplicati, e.g. if from login session, that’s the user it gets.

About → System info UserName field can also show what user you’re using, if it isn’t already clear.

Not at all, until you tell me which user Duplicati is using.

Hello @oneiro

My (wild) guess is that what you are trying to do is meant in Duplicati to be used with remote shared drives, not local drives.
So to connect to a remote share, the folder would have to be shared with network rights granted to the user on the share, then instead of selecting the folder in the Duplicati explorer, click on ‘Manually type path’, then enter a path as a network share, such as \\yourcomputer\yourshare.

in there is

Adding a Network Connection describes how it’s used for Windows Networking, likely specifically SMB:

If you’re expecting it to change the Duplicati process user for you, I don’t think that’s the usage.
Please check Duplicati’s user. If it’s not duplicati_user, then that explains why ACL denies it.

I’d note that the same local disk credentials issue applies on the Source files side.
Access per ACLs depends on the user Duplicati is running as. Features that need
elevated Administrator group (e.g. VSS snapshots, says Windows) also hit this…

Solution is the same – start with right permissions for needed features and access.
Windows service as SYSTEM is very (maybe too) powerful except maybe for SMB.
Generally one wants to use the least privilege necessary, but it requires finer setup.

yes, that’s exactly what I was expecting, adding a user/password in this backend will only work with another computer share (using the local computer like it was a remote one could possibly work, but you have to create a share - I am utterly uninterested in testing this very particular use case).

Hi All.

Now understood that functionality has been prepared for CIFS/SMB but for ACL/disk rights.

To answer the questions: I log in to MS Windows using the “root” user, not “duplicati_user”.

In theory I can run the service as “duplicati_user” but

  1. Which service is responsible for the Duplicati app? I tried to find it in services.msc to change the running user but did not find it. So I assume this is not service mode but a normal app launched after login of my normal user “root”? Can someone confirm that Duplicati is a normal app, not a service? If yes, then I need to change the start command and add "runas /user:duplicati_user… ". However, is it possible to run Duplicati as a service?

  2. If so then my idea will not work.

My aim is to keep a local backup but on another drive and partition (in this example I use a VM with ENG language with one drive, but the destination is a multi-disk, multi-partition machine) where the normal user (in my case “root”) and the backup user (“duplicati_user”) have no interaction with each other - no disk/ACL rights. This is for security reasons, e.g. ransomware.
Even if backup files are encrypted I do not want to send my backups to the cloud (too many GB, almost a TB, additionally a cellular 3G/LTE connection) or to an external machine (at this moment I do not have one and have no plans to create one).

So if I run Duplicati as “duplicati_user”, then this user has no rights to the files I want to back up. And the normal user “root” also has no rights to the backup files created by the Duplicati app.

How can I achieve my aim?

BR, Krzysiek

yes, it is explained here:

in addition to the fine manual, when you do this after having done backup while running Duplicati as a user, you can recreate the backup and copy the database from the user’s directory.
Note that by default the service has rights on all the computer, though.

Along with the manual information on the service, there’s an old video which might help the setup.

Duplicati Tutorial 02 Install Duplicati as a Service (specifics might be outdated, or maybe debated)

Also:

[SOLVED] Is it ok that I see 5 processes of Duplicati in Windows Task manager?
image at top is similar to what your Task Manager would show for SYSTEM service and a user
running TrayIcon (preferably in --no-hosted-server mode, otherwise you’ll have two servers).

Your separation aim makes setup a bit more complicated, but I’m not sure I totally understand it especially when a VM is thrown into the mix. Are you trying to give VM user access to host disk, controlled by ACLs? For a file-level backup of files inside VM, Duplicati must run there, but a file destination would need to be accessible by Duplicati. You can go to a network destination where
network is between the VM and its host. That would mean malware in the VM would need to find equivalent access in order to destroy backup. It’s possible, but less risky than open file access…

How to protect network-based backups is discussed in many other topics with no perfect answer.

EDIT:

While Windows can run a variety of network servers, perhaps you could consider access by SMB, basically continuing with your current username and password scheme, but using it as it’s intended, however I’m not well equipped to solve issues if any arise, and I’m not sure how separation works.

I think things like drive letter mappings are per user login session, however Duplicati started as the
user at their login probably shares their login session. Duplicati run as service would probably not, however SMB from a service is sometimes difficult because it’s not quite a normal user situation.
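
The replies above come down to one check: local NTFS access is decided by the account the Duplicati process runs as, not by auth-username. The PowerShell below is an added example, not part of the thread or of Duplicati, that lists the owners of the running processes and compares them with the ACL on the destination. Assumptions: the executables' names start with "Duplicati", the folder is the C:\TEST_DIR from the thread, and only ACEs that name the account directly are matched (group membership is not resolved).

```powershell
# Added example: which account runs Duplicati, and does the destination ACL name it?
param(
    [string]$Destination = 'C:\TEST_DIR',   # test folder from the thread
    [string]$NameFilter  = 'Duplicati%'     # assumption: process names start with "Duplicati"
)

# Owner of every matching process. Run elevated to see processes of other users
# (for example a service running as SYSTEM).
$owners = Get-CimInstance Win32_Process -Filter "Name LIKE '$NameFilter'" |
    ForEach-Object {
        $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" }
    } | Sort-Object -Unique

if (-not $owners) {
    Write-Warning "No running process matches '$NameFilter'."
    return
}

# Reading the ACL can itself be denied, as it was for "root" in the thread.
try {
    $acl = Get-Acl -LiteralPath $Destination -ErrorAction Stop
}
catch {
    Write-Warning "Cannot read the ACL of $Destination as $env:USERNAME : $($_.Exception.Message)"
    $owners | ForEach-Object { [pscustomobject]@{ ProcessUser = $_; AllowRights = 'unknown'; DenyRights = 'unknown' } }
    return
}

# For each process owner, report the rights granted or denied to that exact account.
foreach ($owner in $owners) {
    $aces = $acl.Access | Where-Object { $_.IdentityReference.Value -ieq $owner }
    [pscustomobject]@{
        ProcessUser = $owner
        AllowRights = ($aces | Where-Object AccessControlType -eq 'Allow').FileSystemRights -join ', '
        DenyRights  = ($aces | Where-Object AccessControlType -eq 'Deny').FileSystemRights -join ', '
    }
}
```

An empty AllowRights for the listed ProcessUser matches the "access refused" result described in the thread: the folder grants rights to duplicati_user while the process runs as another account.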