Yesterday I installed Duplicati using the AUR repo on an Arch installation. As I am no expert on Linux, I have an issue with access to the directories that I want to back up. I tried to create a backup for my Nextcloud installation. So duplicati is running under its own user and the nextcloud directory is owned by http:http, with no access for others, neither read nor execute. What is the best practice to create backups for directories the duplicati user usually has no access to?
What’s best practice depends on needs and priorities. The Arch Linux packager favored security by using a user named duplicati. Possibly it still does. I don’t have Arch. Original change was below:
To get to your http,http files, I suppose you could change your systemd config to that, but I’m not sure what the downside of that would be. You could also remove systemd User= and Group= lines, but the downside of that is more access than Duplicati needs, so more potential damage if an attacker gets it.
Compromise might be to have Duplicati run User=duplicati Group=http, or the solution Arch packager favors (see comment) might be to add duplicati group to the Nextcloud directory as an extra group.
I think the packages created by Duplicati project either run as root (typical of Duplicati Server), or the user who did a manual launch of TrayIcon (e.g. to back up personal files already owned by that user).
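To compare the options discussed in this thread before changing the systemd unit, the following added example (not part of the original posts or of Duplicati) evaluates the classic owner/group/other mode bits of a tree for a given uid and group set, listing what a backup identity could not read and what it could also write. The sample tree, its file names and the uid standing in for the duplicati user are constructed assumptions, and POSIX ACLs are not evaluated.

```python
import os
import stat
import tempfile

def granted_bits(st, uid, gids):
    """rwx bits (0-7) granted by the classic mode bits; ACLs are ignored."""
    if uid == 0:
        return 7  # root bypasses mode checks (the case with User=/Group= removed)
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit(root, uid, gids):
    """Return (blocked, writable) path lists under root for the given identity."""
    blocked, writable = [], []
    stack = [root]
    while stack:
        path = stack.pop()
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # symlink mode bits carry no meaning
        is_dir = stat.S_ISDIR(st.st_mode)
        need = 5 if is_dir else 4  # dirs need r+x to list and enter, files need r
        bits = granted_bits(st, uid, gids)
        if bits & need != need:
            blocked.append(path)  # nothing below a blocked directory is reachable
            continue
        if bits & 2:
            writable.append(path)  # more than a read-only backup needs
        if is_dir:
            names = sorted(os.listdir(path), reverse=True)
            stack.extend(os.path.join(path, n) for n in names)
    return blocked, writable

def build_sample_tree():
    """Constructed stand-in for a web-server-owned directory, no access for others."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "data"))
    for rel, mode in (("config.php", 0o640), ("data/file.bin", 0o660), ("data", 0o770)):
        full = os.path.join(root, rel)
        if not os.path.isdir(full):
            open(full, "w").close()
        os.chmod(full, mode)
    os.chmod(root, 0o750)
    return root

if __name__ == "__main__":
    tree = build_sample_tree()
    st = os.lstat(tree)
    backup_uid = st.st_uid + 1  # hypothetical uid standing in for the duplicati user
    for label, gids in (("no shared group", set()), ("owning group", {st.st_gid})):
        print(label, audit(tree, backup_uid, gids))
```

On the sample tree, the identity without the owning group is blocked at the top directory, while the one sharing the owning group can read everything and can also write wherever the group write bit is set.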