Update _FILESYSTEM_PERMISSIONS from 700 to 600 and add undocumented DBBACKUP_USER|GROUP variable

README.md

@@ -327,7 +327,7 @@ If `DEFAULT_BACKUP_LOCTION` = `FILESYSTEM` then the following options are used:
 | `DEFAULT_CREATE_LATEST_SYMLINK`   | Create a symbolic link pointing to last backup in this format: `latest-(DB_TYPE)-(DB_NAME)-(DB_HOST)` | `TRUE`                                |
 | `DEFAULT_FILESYSTEM_PATH`         | Directory where the database dumps are kept.                                                          | `/backup`                             |
 | `DEFAULT_FILESYSTEM_ARCHIVE_PATH` | Optional Directory where the database dumps archives are kept                                         | `${DEFAULT_FILESYSTEM_PATH}/archive/` |
-| `DEFAULT_FILESYSTEM_PERMISSION`   | Directory and File permissions to apply to files.                                                     | `700`                                 |
+| `DEFAULT_FILESYSTEM_PERMISSION`   | Directory and File permissions to apply to files.                                                     | `600`                                 |
 
 ###### S3
 
@@ -602,7 +602,7 @@ If `DB01_BACKUP_LOCTION` = `FILESYSTEM` then the following options are used:
 | `DB01_CREATE_LATEST_SYMLINK`   | Create a symbolic link pointing to last backup in this format: `latest-(DB_TYPE)-(DB_NAME)-(DB_HOST)` | `TRUE`                            |
 | `DB01_FILESYSTEM_PATH`         | Directory where the database dumps are kept.                                                          | `/backup`                         |
 | `DB01_FILESYSTEM_ARCHIVE_PATH` | Optional Directory where the database dumps archives are kept                                         | `${DB01_FILESYSTEM_PATH/archive/` |
-| `DB01_FILESYSTEM_PERMISSION`   | Directory and File permissions to apply to files.                                                     | `700`                             |
+| `DB01_FILESYSTEM_PERMISSION`   | Directory and File permissions to apply to files.                                                     | `600`                             |
 
 ###### S3
 

install/assets/defaults/10-db-backup

@@ -1,6 +1,8 @@
 #!/command/with-contenv bash
 
 BACKUP_JOB_CONCURRENCY=${BACKUP_JOB_CONCURRENCY:-"1"}
+DBBACKUP_USER=${DBBACKUP_USER:-"dbbackup"}
+DBBACKUP_GROUP=${DBBACKUP_USER:-"${DBBACKUP_USER}"} # Must go after DBBACKUP_USER
 DEFAULT_BACKUP_BEGIN=${DEFAULT_BACKUP_BEGIN:-+0}
 DEFAULT_BACKUP_INTERVAL=${DEFAULT_BACKUP_INTERVAL:-1440}
 DEFAULT_BACKUP_INTERVAL=${DEFAULT_BACKUP_INTERVAL:-1440}
@@ -13,7 +15,7 @@ DEFAULT_CREATE_LATEST_SYMLINK=${DEFAULT_CREATE_LATEST_SYMLINK:-"TRUE"}
 DEFAULT_ENABLE_PARALLEL_COMPRESSION=${DEFAULT_ENABLE_PARALLEL_COMPRESSION:-"TRUE"}
 DEFAULT_ENCRYPT=${DEFAULT_ENCRYPT:-"FALSE"}
 DEFAULT_FILESYSTEM_PATH=${DEFAULT_FILESYSTEM_PATH:-"/backup"}
-DEFAULT_FILESYSTEM_PERMISSION=${DEFAULT_FILESYSTEM_PERMISSION:-"700"}
+DEFAULT_FILESYSTEM_PERMISSION=${DEFAULT_FILESYSTEM_PERMISSION:-"600"}
 DEFAULT_FILESYSTEM_ARCHIVE_PATH=${DEFAULT_FILESYSTEM_ARCHIVE_PATH:-"${DEFAULT_FILESYSTEM_PATH}/archive/"}
 DEFAULT_LOG_LEVEL=${DEFAULT_LOG_LEVEL:-"notice"}
 DEFAULT_MYSQL_ENABLE_TLS=${DEFAULT_MYSQL_ENABLE_TLS:-"FALSE"}

install/assets/functions/10-db-backup

@@ -5,11 +5,11 @@ bootstrap_filesystem() {
     if [ ! -d "${backup_job_filesystem_path}" ]; then
         mkdir -p "${backup_job_filesystem_path}"
     fi
-    if [ "$(stat -c %U "${backup_job_filesystem_path}")" != "dbbackup" ] ; then chown -R dbbackup:dbbackup "${backup_job_filesystem_path}" ; fi
+    if [ "$(stat -c %U "${backup_job_filesystem_path}")" != "${DBBACKUP_USER}" ] ; then chown -R "${DBBACKUP_USER}":"${DBBACKUP_GROUP}" "${backup_job_filesystem_path}" ; fi
     if [ "$(stat -c %a "${backup_job_filesystem_path}")" != "${backup_job_filesystem_permission}" ] ; then chmod -R "${backup_job_filesystem_permission}" "${backup_job_filesystem_path}" ; fi
 
     if [ -d "${backup_job_filesystem_archive_path}" ]; then
-        if [ "$(stat -c %U "${backup_job_filesystem_archive_path}")" != "dbbackup" ] ; then chown -R dbbackup:dbbackup "${backup_job_filesystem_archive_path}" ; fi
+        if [ "$(stat -c %U "${backup_job_filesystem_archive_path}")" != "${DBBACKUP_USER}" ] ; then chown -R "${DBBACKUP_USER}":"${DBBACKUP_GROUP}" "${backup_job_filesystem_archive_path}" ; fi
         if [ "$(stat -c %a "${backup_job_filesystem_archive_path}")" != "${backup_job_filesystem_permission}" ] ; then chmod -R "${backup_job_filesystem_permission}" "${backup_job_filesystem_archive_path}" ; fi
     fi
 
@@ -17,14 +17,14 @@ bootstrap_filesystem() {
         mkdir -p "${LOG_PATH}"
     fi
 
-    if [ "$(stat -c %U "${LOG_PATH}")" != "dbbackup" ] ; then chown dbbackup:dbbackup "${LOG_PATH}" ; fi
+    if [ "$(stat -c %U "${LOG_PATH}")" != "${DBBACKUP_USER}" ] ; then chown -R "${DBBACKUP_USER}":"${DBBACKUP_GROUP}" "${LOG_PATH}" ; fi
     if [ ! -d "${LOG_PATH}"/"$(date +'%Y%m%d')" ]; then run_as_user mkdir -p "${LOG_PATH}"/"$(date +'%Y%m%d')"; fi
     if [ "$(stat -c %a "${LOG_PATH}")" != "755" ] ; then chmod -R 755 "${LOG_PATH}" ; fi
 
     if [ ! -d "${TEMP_PATH}" ]; then
         mkdir -p "${TEMP_PATH}"
     fi
-    if [ "$(stat -c %U "${TEMP_PATH}")" != "dbbackup" ] ; then chown -R dbbackup:dbbackup "${TEMP_PATH}" ; fi
+    if [ "$(stat -c %U "${TEMP_PATH}")" != "${DBBACKUP_USER}" ] ; then chown -R "${DBBACKUP_USER}":"${DBBACKUP_GROUP}" "${TEMP_PATH}" ; fi
     if var_true "${DEBUG_BOOTSTRAP_FILESYSTEM}" ; then debug off; fi
 }
 
@@ -1648,7 +1648,7 @@ process_limiter() {
 }
 
 run_as_user() {
-    s6-setuidgid dbbackup $@
+    s6-setuidgid "${DBBACKUP_USER}" $@
 }
 
 setup_mode() {